Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
QAZ carries out the following actions:
- It activates whenever Windows Notepad is run, because it has replaced the real NOTEPAD.EXE.
- It e-mails the IP address of the affected computer to its author.
- It opens a backdoor in the affected computer, which allows malicious users to access the computer remotely, provided that they know its IP address.
- It allows an attacker to upload programs to the affected computer and run them.
Infection strategy
QAZ has the following infection routine:
- Once it gets into the affected computer, it looks for the NOTEPAD.EXE file in the Windows directory and renames it NOTE.COM.
- It copies itself to the Windows directory under the name NOTEPAD.EXE. As a result, whenever the user runs Windows Notepad the Trojan activates first and then launches NOTE.COM (the original Notepad), so that Notepad appears to work normally and the user does not notice anything unusual.
QAZ repeats this on every network drive it can reach (the drives do not need to be mapped). This is how it spreads its infection to other computers in the network.
QAZ creates the following value in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  startIE = "NOTEPAD.EXE qazwsx.hsq"
By inserting this entry, QAZ ensures that it is run every time the affected computer is started (the NOTEPAD.EXE named in the value is the Trojan's copy in the Windows directory, not the original Notepad).
Then it carries out the following actions:
First of all it opens TCP port 7597 and listens on it. The entry also reports that it then opens further ports, starting from a port number selected at random.
From then on the affected computer is open to attack from other users, provided that the attackers know the IP address of the affected computer.
It sends an e-mail message containing the IP address of the affected computer to an address that contains the text string nongmin_cn. This mail account is believed to belong to the author of the Trojan.
By default this message is sent via SMTP directly to the IP address of a free e-mail service provider at which the author of the Trojan has a mail account.
This address is 202.106.185.107. However, the address is configurable, so the IP address of any other mail server can be specified.
Similarly, the name of the mail account to which the IP address is sent can also be changed. This means that a modified copy can report to other users, not only to the Trojan's author. Because the message is sent directly from the affected workstation over SMTP, outbound connections to TCP port 25 from workstations that should not be sending mail directly are a useful sign of this beacon, regardless of the server or account a given copy uses.
Means of transmission
QAZ spreads through local networks. To do this, it enumerates the shared disk drives it can reach and checks whether any shared resource has a name that contains the text string Win.
If there is one, QAZ assumes that it is a Windows directory. It then looks for the NOTEPAD.EXE file there and carries out the rename-and-replace steps described above, so any writable share exposing a Windows directory is enough for it to infect that computer.
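The indicators in this entry (NOTE.COM beside NOTEPAD.EXE in the Windows directory, the startIE Run value, a listener on port 7597, and the "Win" share-name heuristic used for spreading) can be checked from data a responder normally collects anyway. The following script is an added example written for this page; it is not Panda's detection code. It assumes the responder has a file listing of the suspected Windows directory (local or via a share), the text of a `reg export` of the Run key, and `netstat -an` output; the sample inputs at the bottom are constructed for the example, not captured from a real infection, and the case-insensitive match on "Win" is an assumption, since the entry does not say whether the Trojan's comparison is case-sensitive.

```python
"""Host-based check for the QAZ indicators described in the Panda entry.

Added example, not Panda's tooling. The inputs are things an incident
responder already has: a listing of the Windows directory, a .reg export of
the Run key, and netstat -an output.
"""
import re

# Indicators taken from the entry above
RENAMED_NOTEPAD = "NOTE.COM"       # the original Notepad after the Trojan renames it
TROJAN_COPY = "NOTEPAD.EXE"        # the Trojan's copy in the Windows directory
RUN_VALUE_NAME = "startIE"         # value name under the Run key
RUN_VALUE_MARKER = "qazwsx.hsq"    # argument the Run entry passes to NOTEPAD.EXE
BACKDOOR_PORT = 7597               # port the Trojan listens on
SHARE_MARKER = "WIN"               # substring the Trojan looks for in share names (case-insensitive: assumption)
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def check_windows_dir(filenames):
    """filenames: names in a candidate Windows directory (local or on a share).
    The Notepad hijack leaves NOTE.COM next to NOTEPAD.EXE; a clean system has no NOTE.COM."""
    upper = {n.upper() for n in filenames}
    if RENAMED_NOTEPAD in upper and TROJAN_COPY in upper:
        return [f"{RENAMED_NOTEPAD} found beside {TROJAN_COPY}: Notepad hijack pattern"]
    return []


def check_run_key(reg_export):
    """reg_export: text of `reg export` of the Run key (.reg format).
    Flags a startIE value whose data carries the qazwsx.hsq argument."""
    findings = []
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                       # key header: [HKEY_...]
            in_run_key = line.strip("[]").upper() == RUN_KEY.upper()
            continue
        if not in_run_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)     # "name"="data" (REG_SZ)
        if m and m.group(1).lower() == RUN_VALUE_NAME.lower() \
                and RUN_VALUE_MARKER in m.group(2).lower():
            findings.append(f"Run value {m.group(1)} = {m.group(2)} (QAZ persistence)")
    return findings


def check_listeners(netstat_output):
    """netstat_output: text of `netstat -an`. Flags a TCP listener on port 7597."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        # Windows layout: Proto  Local Address  Foreign Address  State
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[3].upper() != "LISTENING":
            continue
        local = parts[1]
        port_str = local.rsplit(":", 1)[-1]
        if port_str.isdigit() and int(port_str) == BACKDOOR_PORT:
            findings.append(f"TCP listener on {local} (QAZ backdoor port)")
    return findings


def shares_qaz_would_target(share_names):
    """Share names the Trojan would treat as a Windows directory and try to infect."""
    return [s for s in share_names if SHARE_MARKER in s.upper()]


def scan_host(filenames, reg_export, netstat_output):
    """Run all three host checks and return the combined list of findings."""
    return (check_windows_dir(filenames)
            + check_run_key(reg_export)
            + check_listeners(netstat_output))


# Constructed sample inputs for the example (not captured from a real host)
INFECTED_FILES = ["EXPLORER.EXE", "NOTEPAD.EXE", "NOTE.COM", "WIN.INI"]
CLEAN_FILES = ["EXPLORER.EXE", "NOTEPAD.EXE", "WIN.INI"]

INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"startIE"="NOTEPAD.EXE qazwsx.hsq"
'''
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''

INFECTED_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1045      ESTABLISHED
'''
CLEAN_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
'''

if __name__ == "__main__":
    for finding in scan_host(INFECTED_FILES, INFECTED_REG, INFECTED_NETSTAT):
        print("FOUND:", finding)
    print("shares QAZ would try:", shares_qaz_would_target(["C$", "ADMIN$", "WINNT", "public"]))
```

On a live machine the three inputs come from `dir %WINDIR%`, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and `netstat -an`; the same `check_windows_dir` can be pointed at the listing of a remote share to find the copies the Trojan leaves on other computers.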