List: incidents
Subject: Re: Quenching a QAZ quandary quickly...
From: Brad <gryphonn () austarnet ! com ! au>
Date: 2000-09-22 23:44:21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In reply to:
Sender: Robert Washam <rwasham@FNCI.COM>
Subject: Quenching a QAZ quandary quickly...
Dated: 22 Sep 2000,
Time: 9:15
> Well, it was fortune that brought Josh Brandt's post of 9/8/00 to my
> door: The very day before, QAZ visited me. And keeps coming back.
> You feed these viruses and they just want more and more and... Okay,
> so here is the question: Since I am now the lucky owner of this
> wonderful virus, how is it coming back all the time?
>
> 1. I've replaced NOTEPAD.EXE with Norton's Quarantine/renaming note.com;
> 2. I've done Reg Search & Replace and there is NO SIGN OF ANY BAD
> notepad.exe OR QAZ in there;
Is there any string in the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run key that begins
with 'StartIE='? If so, that will be the culprit (according to the
original form of this trojan). It is possible that the trojan was
renamed.
> 3. The same machine gets hit every five to seven days;
Have you looked for any unusual executables that are in the 118kB
size range? Also (and I don't mean to insult your intelligence), are
you sure this system is not sharing itself with the outside world?
> 4. It is on a private IP network (10.0.0.0) behind a Cisco setup for NAT
> and with my SPECIAL access list to block most things/ports;
> 5. The only other machine running Windows XX is an NT Server that APPEARS
> to be fine.
>
> I suspect Outlook. But then again, I always suspect Outlook. Anyone
> know how it might live in Outlook? I'm checking DOT files for
> template infections, I've searched the infected system for note*.* and
> even *qaz*.* but no luck.
Unless the trojan executable has undergone some major modifications,
it will not be a document template.
> Any help, as always, is appreciated.
I have played with this exe (trojan notepad) a little and it didn't
replace the system notepad (under W98SE). I 'ran' the trojan under a
variety of different scenarios in many different directories and all
it did was create the reg key and run on start-up. It did do the
incremental port 139 scan on hosts across my ISP's subnet. It also
sent off my dynamic IP address to the freemail.yeah.net account.
Removal was a simple case of deleting the registry key and deleting
the executable.
Perhaps it is coming in from somewhere else. The NT box may be one to
check thoroughly.
Cheers,
Brad
>
> Thanks,
> Robert
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2 -- QDPGP 2.61a
Comment: http://community.wow.net/grt/qdpgp.html
iQA/AwUBOctiNYgbRJHvXRMDEQKPaQCgjrdmREU6zO8Nw/W9Dd8WDLiFjpMAoIJg
NRmhfv+ZcLVnigg+3diG+5nP
=GW9x
-----END PGP SIGNATURE-----
***********************************
Bradley.N.Griffin
Gryphonn Design
Web Design
Computer Systems Consultant
Security Solutions
gryphonn@austarnet.com.au
ABN: 12 095 821 961
Ph: 61+7+49222589
**********************************
Help save a starving child.
One click is all it takes:
http://www.thehungersite.com/
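The two host checks Brad suggests above, written up as an added Python triage script that is not part of the original thread. It reads a regedit export (regedit /e) instead of the live registry so it runs on any platform, and it flags (a) a value named StartIE under any ...\CurrentVersion\Run key, which is how the 'StartIE=' string in the reply appears in an export, and (b) executables whose size is close to 118 kB. The registry export text and the files it scans are constructed for the demonstration; the +/- 4 kB tolerance and the list of executable extensions are my assumptions, not figures from the thread.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the thread: a "StartIE" value under the Run key and an
# unexpected executable of roughly 118 kB.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
STARTIE_RE = re.compile(r'^"?(StartIE)"?\s*=\s*(.*)$', re.IGNORECASE)
SIZE_TARGET = 118 * 1024      # 118 kB, the size range named in the reply
SIZE_SLACK = 4 * 1024         # +/- 4 kB tolerance (assumption, not from the thread)
EXE_SUFFIXES = {".exe", ".com", ".dll", ".scr"}  # assumption: what counts as executable

# Constructed regedit export (REGEDIT4 is the Win9x export header). The Run
# entries here are made up for the demo; a RunOnce entry is included to show
# that only keys ending in \CurrentVersion\Run are considered.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"StartIE"="C:\\WINDOWS\\notepad.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartIE"="wrong key, must not match"
'''


def _unquote(data: str) -> str:
    """Strip the quotes and escaping regedit puts around REG_SZ data."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def find_startie_values(reg_export: str):
    """Return (key, data) pairs for StartIE values under any ...\\CurrentVersion\\Run key."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]           # section header names the key
            continue
        if current_key is None or not current_key.lower().endswith(r"\currentversion\run"):
            continue
        m = STARTIE_RE.match(line)
        if m:
            hits.append((current_key, _unquote(m.group(2).strip())))
    return hits


def find_suspect_executables(root, target=SIZE_TARGET, slack=SIZE_SLACK):
    """Walk root and return (path, size) for executables within target +/- slack bytes."""
    suspects = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXE_SUFFIXES:
            size = path.stat().st_size
            if abs(size - target) <= slack:
                suspects.append((str(path), size))
    return sorted(suspects)


def demo():
    """Run both checks against constructed input and return their results."""
    hits = find_startie_values(SAMPLE_REG)
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "WINDOWS"
        win.mkdir()
        # Constructed files: one executable near 118 kB, one well away from it,
        # and a non-executable near 118 kB that must be ignored.
        (win / "notepad.exe").write_bytes(b"\0" * 120832)   # exactly 118 kB
        (win / "calc.exe").write_bytes(b"\0" * 60000)
        (win / "readme.txt").write_bytes(b"\0" * 120832)
        suspects = [(Path(p).name, s) for p, s in find_suspect_executables(tmp)]
    return hits, suspects


if __name__ == "__main__":
    reg_hits, size_hits = demo()
    for key, data in reg_hits:
        print(f"StartIE under {key}: {data}")
    for name, size in size_hits:
        print(f"executable in 118 kB range: {name} ({size} bytes)")
```

On a real Win9x/NT host the export would come from `regedit /e`, and the size scan would be pointed at the Windows directory; a StartIE hit is removed the way Brad describes, by deleting the value and the executable it launches.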