A variety of computer trojan
, QAZ (also known as QAZ.A) is believed
to be the mechanism
by which Microsoft
's defences were breached when
they admitted being victims of a crack
QAZ hsa two propagation methods: one which is trojan-like and one which is
worm-like. The trojan-like method relies on social engineering, as it can
be hidden with many innocuous files and distributed manually via email.
Once installed and activated on a target machine, the worm-like
mode of operation comes into play.
It will first check that the Windows directory is accessible and writeable;
if so it will rename notepad.exe to be note.com, and save itself as
notepad.exe. On execution of the trojanned notepad.exe it will
re-execute the payload once and then call note.com: the user remains
unaware that anything has changed.
The payload is as follows: using NetBIOS it scans the LAN to find any
other machines with shareable Windows directories. If so it installs itself
in the remote target in an identical fashion. Even if it doesn't detect any
new hosts to infect, it then opens up a listening TCP socket on port
7597, a human attacker can then connect to the host and gain a degree of
control over it (similar concept to Back Orifice).