Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 17 Aug 2000 03:00:00
Description created: 19 Nov 2000 03:00:00
Description updated: 19 Nov 2000 03:00:00
Malware type: WORM
Alias:
Spreading mechanism: NETWORK
Summary: None

W32/QAZ.Worm

Spreading

When the worm is executed, it stays in system memory and appears in the Task List as W3qaz. QAZ enumerates all network drives, searching for shares to copy itself to. If Notepad.exe is found, QAZ renames Notepad.exe to Note.com and writes itself to Notepad.exe. The worm also creates a Registry key to load itself each time Windows starts.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
startIE = C:\windows\notepad.exe qazwsx.hsq

W32/QAZ sends an e-mail to an address located somewhere in Asia.

The worm's backdoor function is very simple, but it has sufficient functionality to download and install another backdoor program or other malicious software.
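The traces described above (the startIE Run value and Note.com sitting beside Notepad.exe) can be checked offline against a registry export and a listing of the Windows directory. The following is an added example, not Lumension's code; the function names and the sample export and file listing are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Indicators come from the description above; the sample data is constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startIE"="C:\\windows\\notepad.exe qazwsx.hsq"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"startIE"="ignored: different key"
'''
SAMPLE_FILES = ["NOTEPAD.EXE", "NOTE.COM", "WIN.INI"]

def unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def run_values(reg_text):
    """Yield (name, data) for string values under the HKLM Run key only."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run:
            m = VALUE_RE.match(line)
            if m:
                yield unescape(m.group(1)), unescape(m.group(2))

def qaz_findings(reg_text, windows_dir_listing):
    """Return human-readable findings that match the QAZ traces."""
    findings = []
    for name, data in run_values(reg_text):
        if name.lower() == "startie" or "qazwsx.hsq" in data.lower():
            findings.append(f"Run value {name!r} = {data!r}")
    files = {f.lower() for f in windows_dir_listing}
    # Note.com next to Notepad.exe suggests the original was renamed.
    if "note.com" in files and "notepad.exe" in files:
        findings.append("note.com present beside notepad.exe")
    return findings

if __name__ == "__main__":
    for finding in qaz_findings(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

A match on either check is a reason to compare Notepad.exe against a known-good copy, not proof of infection on its own.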

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11