North American Network Operators Group
Re: Disabling QAZ (was Re: Port 139 scans)
Can't you just download a .reg file to the luser and instruct him to click on
it? Or use one of the well-known SMB/CIFS exploits to make it execute your
code - i.e., the .reg file?

Also, variants I've seen replace NOTEPAD.EXE with a hacked version - they
merely rename the real NOTEPAD.EXE, then substitute a larger one, for what
it's worth.

Ben Browning wrote:
>
> At 05:02 PM 9/29/00 -0400, Dana Hudes wrote:
> >I am willing to scrape together a script to shut down the virus on an
> >infected machine and put it in a CGI web page.
>
> Well, that solves the problem until the reboot. After that, the registry
> key opens that puppy right back up.
>
> The trick is to gut it COMPLETELY.
>
> This virus supposedly supports three commands: upload, run and quit. I
> can't get upload to work, and I lost the manpage (ha, ha). It is possible
> to upload a file (perhaps compiled C?) that rips out the registry entry
> and renames the appropriate files on reboot. In fact, one could (legality
> aside) write up the program to use QAZ as the delivery mechanism for its
> own death. There's something poetic about that...
>
> I have a copy of the worm zipped here - if you'd like it drop me a private
> email.
>
> >I'm not sure about volume but initially I think I can host it. In the
> >event my 1Mbit connection is overwhelmed I'll need another place....
> >What stops me at the moment is that I have no authorization to test
> >against any infected machine.
> >I need a target.
>
> I'd offer mine, but I have it isolated.
>
> >I'm willing to also try for making the connection to the share and
> >removing the infection but I'm not sure I can get it in time.
> >At least a shutdown page would do something.
>
> Half measures merely delay the inevitable - I believe it is best to expunge
> it right off the bat and never have to deal with the recurrences.
>
> >I will start writing my code and await direct e-mail with authorization
> >and a target IP address to test against.
> >Note that I have plenty of potential test targets in my Samba logs :-( but
> >no legal authority to connect to those machines.
>
> My current thought is to simply put up a .reg and .bat file on the web,
> with instructions on how to use it. Run the .reg to kill the registry key,
> and run the .bat file to rename the files after the reboot. Of course, it
> may be easier to simply have a standard email explaining the virus and the
> removal procedure (my current solution, if anyone wants a copy of the
> email drop me a line). I will stick with this approach unless the script
> fully removes (as opposed to temporarily disabling) the virus.
>
> Another interesting note - the virus will not allow your computer to reboot
> if someone is connected to the telnet port.
>
> On a side note, if anyone knows a good logfile parsing perl script that
> pulls out all the IP addresses in a log, I'd love a copy. I have one, but
> it is very clunky and I daresay a better perl coder than I has tackled this
> issue. I only ask because this worm has increased the number of other
> people's (variously formatted) logfiles in my inbox by about 900%. :)
>
> ---
> Ben Browning <[email protected]>
> oz.net Network Operations
> Tel (206) 443-8000 Fax (206) 443-0500
> http://www.oz.net/

--
------------------------------------------------------------
Roland Dobbins <[email protected]> // 818.535.5024 voice
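Ben's side note asks for a Perl script that pulls every IP address out of logfiles in assorted formats. The script below is an added example for that task, not code posted by anyone in this thread: it tightens the dotted-quad match so that version strings and out-of-range octets are skipped, counts how often each address appears, and reads a log on STDIN when one is piped in. The sample Samba, Apache and syslog lines embedded in it are constructed for illustration and use documentation address ranges.

```perl
#!/usr/bin/perl
# Added example (not from the thread): extract every distinct IPv4 address
# from arbitrarily formatted log text and report how often each one appears.
use strict;
use warnings;

# One octet, 0-255, with no leading zeros beyond a lone "0".
my $octet = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;

# A full dotted quad. The lookarounds refuse to match in the middle of a
# longer digit/dot run, so "1.2.3.4567" and "10.0.0.256" are not mistaken
# for "1.2.3.45" or "10.0.0.25".
my $ipv4 = qr/(?<![\d.])(?:$octet\.){3}$octet(?![\d.])/;

# Take a list of log lines, return a hashref of address => hit count.
sub extract_ips {
    my @lines = @_;
    my %hits;
    for my $line (@lines) {
        $hits{$_}++ for $line =~ /($ipv4)/g;
    }
    return \%hits;
}

# Same thing, but streaming from a filehandle (STDIN or an opened log).
sub extract_ips_from_fh {
    my ($fh) = @_;
    my %hits;
    while (my $line = <$fh>) {
        $hits{$_}++ for $line =~ /($ipv4)/g;
    }
    return \%hits;
}

# Constructed sample lines in a few of the formats that land in a mixed
# inbox: Samba's log.smbd, an Apache access log, and a firewall syslog line.
# Addresses are from the RFC 5737 documentation ranges.
my @sample = (
    '[2000/09/29 17:02:11, 1] smbd/service.c:make_connection(550)'
        . ' 192.0.2.10 (192.0.2.10) connect to service tmp',
    '192.0.2.10 - - [29/Sep/2000:17:03:44 -0400] "GET /x.exe HTTP/1.0" 404 211',
    'Sep 29 17:05:01 gw kernel: DENY tcp 198.51.100.7:1047 -> 203.0.113.5:139',
    'version 1.2.3.4567 must not match, nor must 10.0.0.256',
);

# Run as a script: parse STDIN if something is piped in, otherwise the
# constructed samples. Output is "address count", busiest address first.
if (!caller) {
    my $hits = -t STDIN ? extract_ips(@sample) : extract_ips_from_fh(\*STDIN);
    for my $ip (sort { $hits->{$b} <=> $hits->{$a} || $a cmp $b } keys %$hits) {
        printf "%-16s %d\n", $ip, $hits->{$ip};
    }
}
```

Usage is `cat log.smbd access_log messages | perl extract_ips.pl`, or run it with no input to see the sample output (192.0.2.10 three times, the two firewall addresses once each, and nothing from the decoy line). Because the counting is done in a sub that takes a list, the same code can be reused from a larger script without touching STDIN.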