Virus

W32/Qaz.A

Analysis

  • Virus is 32bit with a size of 120,320 bytes
  • Virus makes use of the NetBIOS transport protocol, thus if this protocol is not installed, it is not a threat for spreading within networks
  • Virus seeks systems which offer a full share of their drive, across NetBIOS networks looking for writable shares, particularly the Windows folder
    • The virus first renames existing NOTEPAD.EXE to NOTE.COM
    • The virus then writes itself to the Windows folder as NOTEPAD.EXE
    • When NOTEPAD is next executed, it will make a call to NOTE.COM to initiate the real Notepad application and then it will modify the registry to run at Windows startup -

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\Run\
      StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq

  • Virus opens a connection on the Internet in TCP port 7597, awaiting commands from a hacker