Security Incidents mailing list archives
Re: win95, notepad.exe worm/trojan, note.com
From: Mike Lewinski <mike () ROCKYNET COM>
Date: Sat, 9 Sep 2000 11:37:37 -0600
The worm you refer to is known as QAZ (and other names). It was discovered in August(?) of this year and is slowly but surely becoming more widespread. It defaults to port 7597. It is grossly under-rated by most anti-virus vendors as it appears to be spreading quite rapidly.
This now explains the netbios connections I've seen from 20 different neighboring IPs at home since Aug 28. I verified port 7597 as open on the most recent one, and note also that this IP has visited at least once a day for the last two weeks. The source IP's spanned ~100 Class C's, and I've calculated that the furthest one scanned ~20,000 hosts before getting to me (assuming a sequential scan... hmmm and the most frequent visitor has a "higher" IP than mine. Does this thing both increment and de-increment when it scans? I did verify the 7597 port open on IPs both above and below my own).

Unknown user: security@[myISP]

Well, at least abuse@ hasn't bounced back yet.

Here's Linkage:
http://www.sarc.com/avcenter/venc/data/qaz.trojan.html
http://vil.mcafee.com/dispVirus.asp?virus_k=98775&

Mike
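The bookkeeping behind the observations in the message above (how many days each source came back, and how far each source address sits from the observer's own), as an added example that is not part of the original post. The log format, the addresses and the function name `summarize_probes` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: "date source-ip destination-port" (format is an assumption).
SAMPLE_LOG = """\
2000-08-28 10.20.30.90 139
2000-08-29 10.20.30.90 139
2000-08-30 10.20.30.90 139
2000-08-29 10.20.29.15 139
2000-08-31 10.20.29.15 139
2000-09-01 10.19.208.8 139
2000-09-01 10.20.30.90 80
garbled line that should be skipped
"""

def summarize_probes(log_text, my_ip, port=139):
    """Group inbound probes to `port` by source and relate each source to my_ip."""
    me = int(ipaddress.IPv4Address(my_ip))
    days_seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[2] != str(port):
            continue  # malformed line or a different service
        try:
            src = ipaddress.IPv4Address(fields[1])
        except ipaddress.AddressValueError:
            continue
        if int(src) != me:
            days_seen[src].add(fields[0])
    report = []
    for src, days in days_seen.items():
        # Negative offset: the source is numerically below us, so an ascending
        # sequential scan would have stepped through |offset| addresses first.
        offset = int(src) - me
        report.append({
            "src": str(src),
            "days": len(days),
            "offset": offset,
            "direction": "above" if offset > 0 else "below",
        })
    # Most persistent visitors first, then nearest neighbours.
    report.sort(key=lambda r: (-r["days"], abs(r["offset"])))
    return report

if __name__ == "__main__":
    for row in summarize_probes(SAMPLE_LOG, "10.20.30.40"):
        print(row)
```

Sources that show up on both sides of the observer's address are the case the message asks about: a purely ascending sequential scan would only account for the ones below.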