virus logo Virus

W32/Qaz.A

description-logoAnalysis

  • Virus is 32bit with a size of 120,320 bytes
  • Virus makes use of the NetBIOS transport protocol, thus if this protocol is not installed, it is not a threat for spreading within networks
  • Virus seeks systems which offer a full share of their drive, across NetBIOS networks looking for writable shares, particularly the Windows folder
    • The virus first renames existing NOTEPAD.EXE to NOTE.COM
    • The virus then writes itself to the Windows folder as NOTEPAD.EXE
    • When NOTEPAD is next executed, it will make a call to NOTE.COM to initiate the real Notepad application and then it will modify the registry to run at Windows startup -

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\Run\
      StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq

  • Virus opens a connection on the Internet in TCP port 7597, awaiting commands from a hacker

Telemetry logoTelemetry

ID 321083
Released Nov 12, 2002
Description
Updated		 Jul 02, 2003
Aliases Happy99.Worm , I-Worm.Happy , W32/Ska.10000.Worm , Win32.Happy.10000 , Win32/Ska.dll@m, Win95.Spanska.10000 , WORM_SKA.WSOCK32
Platform Profile Win32 file format / PE 32 bit