Saturday, January 25, 2014

DETECT AND REMOVE QAZ BACKDOOR (NOTEPAD.EXE) TROJAN

Hiiiiiii......

Good Morning Friends......

Today I am here to discuss the QAZ trojan virus and how to detect and remove it. First, let's see what the QAZ trojan is.

About the QAZ Trojan:
This backdoor Trojan allows hackers to access and control an infected system. TROJ_QAZ was initially distributed as "Notepad.exe" but might also appear under different filenames. Once an infected file is executed, TROJ_QAZ modifies the Windows registry so that it becomes active every time Windows is started. TROJ_QAZ also renames the original "notepad.exe" file to "note.com" and then copies itself as "notepad.exe" to the Windows folder. This way, the Trojan is also launched every time a user runs Notepad. TROJ_QAZ also attempts to spread itself to other shared drives on local networks. This Trojan does not, however, mass-mail itself to the addresses in the user's address book.

Also Known As:
Qaz.Trojan, Qaz.Worm, W32.HLLW.Qaz (gen), Worm.Qaz [Kaspersky], W32/QAZ.worm.gen [McAfee], W32/Qaz [Sophos], TROJ_QAZ.A [Trend], Win32.Qaz [Computer Associates].

Type: Worm
Size: 117KB
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP.
Due to a decrease in submission rate, W32.HLLW.Qaz.A has been downgraded to a level 2 threat (according to Symantec.com). It is a companion virus that can spread over a network. It also has a "backdoor" that enables a remote user to connect to and control the computer using port 7597. Because this virus cannot spread to computers outside of the network, it may have originally been sent by email.
  • Autoloads: Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Key: startIE
  • Default port: 7597 TCP
  • Can port be changed: No
QAZ Trojan Manual Removal: The registry needs to be edited to delete this trojan:
  1. Click START > RUN, type REGEDIT and hit the ENTER key.
  2. In the left panel, click the "+" to the left of each of the following in turn: HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
  3. Registry Editing for removal
  4. In the right panel, search for any registry value that contains the data value startIE=XXXX\Notepad.exe.
  5. In the right window, highlight the registry value that loads the file and press the DELETE key. Answer YES to delete the entry. Exit the registry. Click START > SHUTDOWN, choose "Restart" and click OK.
Protection From this Virus: Because this virus spreads by using shared folders on networked computers, to ensure that the virus does not re-infect the computer after it has been removed, I suggest sharing with read-only access or using password protection.
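As an added example (not part of the original post), here is a read-only PowerShell check that looks for the indicators described above on a Windows host: the startIE/notepad.exe Run entry, the renamed note.com companion file, a notepad.exe close to the reported 117 KB, and a listener on TCP 7597. It assumes Windows PowerShell 3 or later run as Administrator and the locations exactly as the post gives them; it changes nothing, so removal still follows the manual steps.

```powershell
# Added example, not from the original post: read-only triage for the QAZ
# indicators the post describes. It reports findings and removes nothing.
# Assumptions: Windows PowerShell 3 or later, run as Administrator, and the
# locations exactly as the post gives them (Run key, value "startIE",
# %windir%\note.com, TCP 7597).
function Test-QazIndicators {
    $findings = @()

    # 1. Autostart: a Run value named startIE, or any Run value pointing at notepad.exe.
    #    The WOW6432Node key is checked too, since a 32-bit binary on 64-bit Windows lands there.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run entry
            if ($prop.Name -eq 'startIE' -or "$($prop.Value)" -match 'notepad\.exe') {
                $findings += "Run entry '$($prop.Name)' = '$($prop.Value)' under $key"
            }
        }
    }

    # 2. Companion-virus artefact: the genuine Notepad renamed to note.com.
    $noteCom = Join-Path $env:windir 'note.com'
    if (Test-Path $noteCom) { $findings += "Renamed original Notepad present: $noteCom" }

    # 3. Size of the notepad.exe now in the Windows folder; the post gives the
    #    trojan as roughly 117 KB, so a file near that size deserves a hash lookup.
    $notepad = Join-Path $env:windir 'notepad.exe'
    if (Test-Path $notepad) {
        $kb = [math]::Round((Get-Item $notepad).Length / 1KB)
        if ($kb -ge 110 -and $kb -le 125) { $findings += "$notepad is $kb KB, close to the reported trojan size" }
    }

    # 4. Backdoor listener on the fixed port; netstat keeps this working on old hosts too.
    $listen = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:7597\s+\S+\s+LISTENING\s+(\d+)'
    foreach ($m in $listen) {
        $findings += "TCP 7597 is in LISTENING state, owning PID $($m.Matches[0].Groups[1].Value)"
    }

    return $findings
}

$result = Test-QazIndicators
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No QAZ indicators found.' }
```

A hit on the Run entry or note.com is the strongest signal; the size and port checks narrow it down but are not proof on their own.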

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: Medium