North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Disabling QAZ (was Re: Port 139 scans)

  • From: Ben Browning
  • Date: Fri Sep 29 19:36:20 2000

At 05:02 PM 9/29/00 -0400, Dana Hudes wrote:
I am willing to scrap together a script to shutdown the virus on an infected machine and put it in a CGI web page.
Well, that solves the problem until the reboot. After that, the registry key opens that puppy right back up.

The trick is to gut it COMPLETELY.

This virus supposedly supports three commands : upload, run and quit. I can't get upload to work, and I lost the manpage(ha, ha). It is possible to upload a file (perhaps compiled c?) that rips out the registry entry and renames the appropriate files on reboot. In fact, one could (legality aside) write up the program to use QAZ as the delivery mechanism for its own death. There's something poetic about that...

I have a copy of the worm zipped here- if you'd like it drop me a private email.

I'm not sure about volume but initially I think I can host it. In the event my 1Mbit connection is overwhelmed I'll need another place....
What stops me at the moment is that I have no authorization to test against any infected machine.
I need a target.
I'd offer mine, but I have it isolated.

I'm willing to also try for making the connection to the share and removing the infection but I'm not sure I can get it in time.
At least a shutdown page would do something.
Half measures merely delay the inevitable- I believe it is best to expunge it right off the bat and never have to deal with the recurrences.

I will start writing my code and await direct e-mail with authorization and a target IP address to test against.
Note that I have plenty of potential test targets in my Samba logs :-( but no legal authority to connect to those machines.
My current thought is to simply put up a .reg and .bat file up on the web, with instructions on how to use it. Run the .reg to kill the registry key, and run the .bat file to rename the files after the reboot. Of course, it may be easier to simply have a standard email explaining the virus and the removal procedure (my current solution, if anyone wants a copy of the email drop me a line). I will stick with this approach unless the script fully removes (as opposed to temporarily disabling) the virus.

Another interesting note- the virus will not allow your computer to reboot if someone is connected to the telnet port.

On a side note, if anyone knows a good logfile parsing perl script that pulls out all the IP addresses in a log, I'd love a copy. I have one, but it is very clunky and I daresay a better perl coder than I has tackled this issue. I only ask because this worm has increased the number of other peoples(variously formatted) logfiles in my inbox by about 900%. :)

Ben Browning <[email protected]> Network Operations
Tel (206) 443-8000 Fax (206) 443-0500