Security Incidents mailing list archives

Re: win95, notepad.exe worm/trojan, note.com


From: Mike Lewinski <mike () ROCKYNET COM>
Date: Sat, 9 Sep 2000 11:37:37 -0600

The worm you refer to is known as QAZ (and other names). It was
discovered in August(?) of this year and is slowly but surely
becoming more widespread. It defaults to port 7597.

It is grossly under-rated by most
anti-virus vendors as it appears to be spreading quite rapidly.

This now explains the netbios connections I've seen from 20 different
neighboring IPs at home since Aug 28. I verified port 7597 as open on the
most recent one, and note also that this IP has visited at least once a day
for the last two weeks.

The source IPs spanned ~100 Class C's, and I've calculated that the
furthest one scanned ~20,000 hosts before getting to me (assuming a
sequential scan... hmmm and the most frequent visitor has a "higher" IP than
mine. Does this thing both increment and de-increment when it scans? I did
verify the 7597 port open on IPs both above and below my own).

Unknown user: security@[myISP]

Well, at least abuse@ hasn't bounced back yet.

Here's Linkage:

http://www.sarc.com/avcenter/venc/data/qaz.trojan.html
http://vil.mcafee.com/dispVirus.asp?virus_k=98775&;

Mike
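
An added example, not part of the original message: one way to tabulate the kind of observation described above from a firewall log, counting the distinct days each source made NetBIOS (TCP 139) connection attempts and its address offset from the observing host, which is the number of addresses a sequential scan would have passed. The log format, the addresses and the function name are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (assumed format): date, source IP, destination IP, TCP port.
SAMPLE_LOG = """\
2000-08-28 10.20.31.7 10.20.77.40 139
2000-08-29 10.20.31.7 10.20.77.40 139
2000-08-29 10.20.80.12 10.20.77.40 139
2000-08-30 10.20.80.12 10.20.77.40 139
2000-08-30 10.20.80.12 10.20.77.40 139
2000-08-31 10.20.80.12 10.20.77.40 139
2000-08-31 10.20.5.200 10.20.77.40 80
malformed line
"""

NETBIOS_SESSION_PORT = "139"  # NetBIOS session service over TCP


def summarize_netbios_sources(log_text, my_ip):
    """Group inbound NetBIOS attempts against my_ip by source address.

    Returns rows sorted by persistence (most distinct days first). 'offset'
    is source minus my_ip in addresses: negative means a "lower" IP, and the
    magnitude is what a sequential scan would have covered on the way.
    """
    me = int(ipaddress.IPv4Address(my_ip))
    days = defaultdict(set)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        date, src, dst, port = fields
        if dst != my_ip or port != NETBIOS_SESSION_PORT:
            continue
        days[src].add(date)
        hits[src] += 1
    rows = [{"source": src, "days": len(seen), "hits": hits[src],
             "offset": int(ipaddress.IPv4Address(src)) - me}
            for src, seen in days.items()]
    rows.sort(key=lambda r: (-r["days"], r["source"]))
    return rows


if __name__ == "__main__":
    for row in summarize_netbios_sources(SAMPLE_LOG, "10.20.77.40"):
        print(row)
```

Sources that show up on the most distinct days sort first, and the sign of the offset separates visitors above the observing address from those below it.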

