A variety of computer trojan/worm, QAZ (also known as QAZ.A) is believed to be the mechanism by which Microsoft's defences were breached when they admitted being victims of a crack in October 2000.

QAZ hsa two propagation methods: one which is trojan-like and one which is worm-like. The trojan-like method relies on social engineering, as it can be hidden with many innocuous files and distributed manually via email. Once installed and activated on a target machine, the worm-like mode of operation comes into play.

It will first check that the Windows directory is accessible and writeable; if so it will rename notepad.exe to be note.com, and save itself as notepad.exe. On execution of the trojanned notepad.exe it will re-execute the payload once and then call note.com: the user remains unaware that anything has changed.

The payload is as follows: using NetBIOS it scans the LAN to find any other machines with shareable Windows directories. If so it installs itself in the remote target in an identical fashion. Even if it doesn't detect any new hosts to infect, it then opens up a listening TCP socket on port 7597, a human attacker can then connect to the host and gain a degree of control over it (similar concept to Back Orifice).

Log in or register to write something here or to contact authors.