North American Network Operators Group


Re: Disabling QAZ (was Re: Port 139 scans)

  • From: Roland Dobbins
  • Date: Fri Sep 29 20:26:13 2000

Can't you just download a .reg file to the luser and instruct him to
click on it?  Or use one of the well-known SMB/CIFS exploits to make it
execute your code - i.e., the .reg file?

Also, variants I've seen replace NOTEPAD.EXE with a hacked version -
they merely rename the real NOTEPAD.EXE, then substitute a larger one,
for what it's worth.

Ben Browning wrote:
> At 05:02 PM 9/29/00 -0400, Dana Hudes wrote:
> >I am willing to scrap together a script to shutdown the virus on an
> >infected machine and put it in a CGI web page.
> Well, that solves the problem until the reboot. After that, the registry
> key opens that puppy right back up.
> The trick is to gut it COMPLETELY.
> This virus supposedly supports three commands: upload, run and quit. I
> can't get upload to work, and I lost the manpage (ha, ha). It is possible
> to upload a file (perhaps compiled c?) that rips out the registry entry
> and renames the appropriate files on reboot. In fact, one could (legality
> aside) write up the program to use QAZ as the delivery mechanism for its
> own death. There's something poetic about that...
> I have a copy of the worm zipped here- if you'd like it drop me a private
> email.
> >I'm not sure about volume but initially I think I can host it. In the
> >event my 1Mbit connection is overwhelmed I'll need another place....
> >What stops me at the moment is that I have no authorization to test
> >against any infected machine.
> >I need a target.
> I'd offer mine, but I have it isolated.
> >I'm willing to also try for making the connection to the share and
> >removing the infection but I'm not sure I can get it in time.
> >At least a shutdown page would do something.
> Half measures merely delay the inevitable- I believe it is best to expunge
> it right off the bat and never have to deal with the recurrences.
> >I will start writing my code and await direct e-mail with authorization
> >and a target IP address to test against.
> >Note that I have plenty of potential test targets in my Samba logs :-( but
> >no legal authority to connect to those machines.
> My current thought is to simply put up a .reg and .bat file up on the web,
> with instructions on how to use it. Run the .reg to kill the registry key,
> and run the .bat file to rename the files after the reboot. Of course, it
> may be easier to simply have a standard email explaining the virus and the
> removal procedure (my current solution, if anyone wants a copy of the
> email drop me a line). I will stick with this approach unless the script
> fully removes (as opposed to temporarily disabling) the virus.
> Another interesting note- the virus will not allow your computer to reboot
> if someone is connected to the telnet port.
> On a side note, if anyone knows a good logfile parsing perl script that
> pulls out all the IP addresses in a log, I'd love a copy. I have one, but
> it is very clunky and I daresay a better perl coder than I has tackled this
> issue. I only ask because this worm has increased the number of other
> people's (variously formatted) logfiles in my inbox by about 900%. :)
> ---
> Ben Browning <[email protected]>
> Network Operations
> Tel (206) 443-8000 Fax (206) 443-0500

 Roland Dobbins <[email protected]> // 818.535.5024 voice
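Ben's side request above, a parser that pulls every IP address out of logfiles in whatever format other people mail them in, as an added example that is not code from anyone on this thread (written in Python rather than the Perl he asked for). The sample log lines, the 10.0.0.0/8 "our own" prefix and the function names are constructed for illustration; it rejects dotted numbers that are not real addresses (an octet above 255), which a naive `\d+\.\d+\.\d+\.\d+` would happily report.

```python
import re
from collections import Counter

# Constructed sample: Samba 2.x smbd log, Linux firewall syslog and an
# Apache access line, the way mixed-format logs arrive by mail.
SAMPLE_LOG = """\
[2000/09/29 17:02:11, 1] smbd/service.c:make_connection(550)
  192.0.2.10 (192.0.2.10) connect to service C$ initially as user guest
Sep 29 17:02:12 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.1 DPT=139
198.51.100.7 - - [29/Sep/2000:17:02:13 -0400] "GET /notepad.exe HTTP/1.0" 404 -
[2000/09/29 17:03:40, 1] smbd/service.c:make_connection(550)
  203.0.113.99 (203.0.113.99) connect to service IPC$ as user nobody
Sep 29 17:05:00 fw kernel: IN=eth0 SRC=999.1.2.3 DST=10.0.0.1 DPT=139
"""

# Four dot-separated groups of 1-3 digits, not embedded in a longer dotted
# token (so 29/Sep/2000 dates and version strings do not match).  The octet
# range is checked separately because a regex cannot do it cleanly.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_valid_ipv4(addr: str) -> bool:
    """True when every octet is within 0..255 (rejects e.g. 999.1.2.3)."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def extract_ips(lines):
    """Count each valid IPv4 address seen, regardless of the log format."""
    counts = Counter()
    for line in lines:
        for addr in _IPV4_RE.findall(line):
            if is_valid_ipv4(addr):
                counts[addr] += 1
    return counts


def sources_only(counts, local_prefixes=("10.",)):
    """Drop our own addresses so what remains are the remote hosts to notify."""
    return Counter({a: n for a, n in counts.items()
                    if not a.startswith(local_prefixes)})


if __name__ == "__main__":
    seen = extract_ips(SAMPLE_LOG.splitlines())
    for addr, n in sources_only(seen).most_common():
        print(f"{n:5d}  {addr}")
```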