About QAZ
Also known as: I-Worm.QAZ, note.com, Qaz.Trojan, QAZ.worm,
TROJ_QAZ.A, Trojan/Notepad, W32.HLLW.Qaz.A
This is the worm that infected some Microsoft machines in
November 2000. It has backdoor capabilities and spreads on
Win32 systems. It registers in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
StartIE= Notepad is renamed Note.com and QAZ becomes Notepad.exe.
It spreads within a network of shared computer systems,
infecting the Notepad.exe file. Trojan horses are often not
one but many smaller programs bundled together, and one
malicious program particular to Qaz opens port 7597,
allowing a hacker to come along later and gain access to the
infected computer. Qaz requires a user on an infected system
to open the Notepad.exe file.
Although it may have originally spread as an e-mail, a
download from a Web site, or through IRC chatrooms, Qaz now
spreads within local area networks. If the user of an infected
system opens Notepad, the virus is run. Qaz looks for
individual systems that share a networked drive, then seeks
out the Windows folder and infects the Notepad.exe file on
those systems. Qaz first renames Notepad.exe to Note.com, then
creates the virus-infected file Notepad.exe. This new
Notepad.exe has a length of 120,320 bytes. Qaz rewrites the
System Registry to load itself every time the computer is
rebooted. Users monitoring their open ports may notice unusual
traffic on TCP port 7597 if an attacker connects to the
infected computer.
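The indicators described above (Note.com beside a 120,320-byte Notepad.exe, the StartIE value under the Run key, a listener on TCP port 7597) can be checked together. The following is an added example, not part of the original write-up; it assumes you have a copy of the Windows folder plus saved text output of `reg query` for the Run key and `netstat -an`, and the function names and sample inputs are constructed for illustration.

```python
import os
import re

QAZ_NOTEPAD_SIZE = 120_320  # size of the replacement Notepad.exe, from the text
QAZ_PORT = 7597             # backdoor TCP port, from the text
RUN_VALUE = "StartIE"       # Run-key value name, from the text

# Constructed sample inputs; the StartIE data is a placeholder (not on the page).
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    StartIE    REG_SZ    <data-not-given-on-page>\n"
)
SAMPLE_NETSTAT = (
    "  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING\n"
    "  TCP    0.0.0.0:7597    0.0.0.0:0    LISTENING\n"
)


def check_windows_dir(windir):
    """File indicators: Note.com exists, Notepad.exe has the known size."""
    names = {n.lower(): n for n in os.listdir(windir)}
    hits = []
    if "note.com" in names:
        hits.append("Note.com present")
    if "notepad.exe" in names:
        path = os.path.join(windir, names["notepad.exe"])
        if os.path.getsize(path) == QAZ_NOTEPAD_SIZE:
            hits.append("Notepad.exe is 120,320 bytes")
    return hits


def check_run_key(reg_text):
    """Find the StartIE value in saved `reg query` output for the Run key."""
    pat = r"^[ \t]*%s[ \t]+REG_\w+[ \t]+(.*)$" % RUN_VALUE
    m = re.search(pat, reg_text, re.I | re.M)
    return ["Run value StartIE = " + m.group(1).strip()] if m else []


def check_listeners(netstat_text):
    """Find a TCP listener on port 7597 in saved `netstat -an` output."""
    pat = r"^[ \t]*TCP[ \t]+\S+:%d[ \t]+\S+[ \t]+LISTENING" % QAZ_PORT
    return ["TCP 7597 listening"] if re.search(pat, netstat_text, re.I | re.M) else []


def triage(windir, reg_text, netstat_text):
    """Collect every indicator hit; an empty list means none were found."""
    return (check_windows_dir(windir) + check_run_key(reg_text)
            + check_listeners(netstat_text))
```

Only the local-address column of the netstat output is matched, so an outbound connection to a remote port 7597 is not reported as a listener.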
Removal Instructions
Automatic Removal:
QAZ can be detected and removed automatically by McAfee
VirusScan, also SpyEraser.
Manual Removal:
Follow these steps to remove QAZ from your machine. Begin
by backing up your registry and your system, and/or setting a
Restore Point, to prevent trouble if you make a mistake.
- Kill these running processes with Task Manager:
  qaz trojan notepad.exe
  w3qaz.exe
- Remove these files (if present) with Windows Explorer:
  qaz trojan notepad.exe
  w3qaz.exe