myNetWatchman   KnowledgeBase


Article: 20000903-001
Title: QaZ Trojan/Worm
Created: 09/03/2000
Modified: 09/03/2000
Author: L. Baldwin

Summary:

QaZ is a trojan/worm which has been acknowledged by several anti-virus providers:

Symantec

Mcafee

Trend Micro

None of the three sources above treats QaZ as a major threat. There are three important aspects of QaZ which they gloss over, and which make QaZ more serious.

Infection Method:

First, QaZ spreads not by examining hosts listed in the victim's "Network Neighborhood" but by scanning every host that shares the first two octets of the victim's IP address. For example, if the victim's IP address is X.Y.?.?, then all hosts in X.Y.*.* (the /16 containing the victim) are scanned. New QaZ strains also seem to scan the neighbouring /16s, from X.(Y-2).*.* through X.(Y+2).*.*. Any host in these ranges with an open share will then be infected. I am currently aware of three major DSL/cable providers whose users are infected with QaZ, totaling nearly 1000 users.

Cross Pollination:

If the infected address range (e.g. 1.1.*.*) is not completely owned by a single ISP, then the infection will spread to all ISPs using that range.

If an infected provider uses dynamic IP addressing, then QaZ will spread to every network that shares a common IP pool. For example, if a DSL router assigns addresses from a pool of (1.1.x.y, 1.2.x.y, 1.3.x.y, 1.4.x.y), then all hosts in 1.1.*.*, 1.2.*.*, 1.3.*.*, and 1.4.*.* will eventually be infected: an infected user connects and is assigned 1.1.1.1, and infects all vulnerable hosts in 1.1.*.*; the user then disconnects and reconnects, this time being assigned 1.2.1.1, and infects all vulnerable hosts in 1.2.*.*, and so on.

Infected users may also have dial-up accounts with multiple providers. This can result in the worm spreading from provider to provider!

QaZ "calls home":

Periodically, QaZ emails its list of infected IP addresses to a mail server in China (202.106.185.107, presumably a hacked system as well). If whoever is collecting these IPs ever got around to doing something with the lists, major damage could be done (e.g. delete files on all the open shares, launch a DDoS attack, etc.).
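The two behaviours described above (share scanning across the victim's own /16 and the neighbouring /16s, and SMTP to the collector at 202.106.185.107) are both visible in ordinary perimeter firewall logs. The following is an added example, not part of this article and not myNetWatchman's own tooling, that turns them into detection logic. Only the collector address and the scan ranges come from the article; the log line format, the `min_targets` threshold and the sample log lines are constructed for this example.

```python
"""Detect QaZ-style share scanning and call-home traffic in firewall logs.

Added example. The log format, thresholds and sample lines below are
assumptions of this example, not a real product's log format.
"""
import ipaddress
import re
from collections import defaultdict

# Collector address reported in the article. The worm mails its victim
# list to this host, so any workstation opening TCP/25 to it is suspect.
QAZ_COLLECTOR = ipaddress.ip_address("202.106.185.107")


def qaz_scan_ranges(victim_ip, spread=0):
    """Return the /16 networks an infected host at victim_ip would scan.

    spread=0 models the original strain (only X.Y.0.0/16); spread=2 models
    the newer strains, X.(Y-2).0.0/16 through X.(Y+2).0.0/16, clipped to
    the valid 0..255 range of the second octet.
    """
    ip = ipaddress.ip_address(victim_ip)
    first, second = ip.packed[0], ip.packed[1]
    nets = []
    for y in range(second - spread, second + spread + 1):
        if 0 <= y <= 255:
            nets.append(ipaddress.ip_network(f"{first}.{y}.0.0/16"))
    return nets


# Assumed log format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(r"^(\S+ \S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport, action = m.groups()
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "action": action}


def analyze(lines, min_targets=5, spread=2):
    """Return (scanners, callhome).

    scanners: {src: number of distinct TCP/139 targets inside the /16s that
              QaZ would scan from src}, only for sources at or above
              min_targets. Checking that the targets fall inside the
              expected ranges separates worm scanning from a workstation
              that legitimately talks to one or two file servers.
    callhome: set of sources that opened TCP/25 to the collector address.
    """
    targets = defaultdict(set)
    callhome = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] == 139:
            targets[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 25 and ipaddress.ip_address(rec["dst"]) == QAZ_COLLECTOR:
            callhome.add(rec["src"])

    scanners = {}
    for src, dsts in targets.items():
        ranges = qaz_scan_ranges(src, spread=spread)
        in_range = [d for d in dsts
                    if any(ipaddress.ip_address(d) in n for n in ranges)]
        if len(in_range) >= min_targets:
            scanners[src] = len(in_range)
    return scanners, callhome


# Constructed sample log: 24.1.7.9 sweeps TCP/139 across 24.0-24.3.*.* and
# then mails the collector; 10.0.0.5 is a normal client of one file server.
SAMPLE_LOG = """\
2000-09-02 21:04:17 tcp 24.1.7.9:1045 -> 24.1.7.20:139 drop
2000-09-02 21:04:17 tcp 24.1.7.9:1046 -> 24.1.7.21:139 drop
2000-09-02 21:04:18 tcp 24.1.7.9:1047 -> 24.1.200.3:139 drop
2000-09-02 21:04:18 tcp 24.1.7.9:1048 -> 24.2.15.4:139 drop
2000-09-02 21:04:19 tcp 24.1.7.9:1049 -> 24.0.9.1:139 drop
2000-09-02 21:04:19 tcp 24.1.7.9:1050 -> 24.3.44.4:139 drop
2000-09-02 21:04:20 tcp 24.1.7.9:1051 -> 23.255.1.1:139 drop
2000-09-02 21:05:02 tcp 24.1.7.9:1052 -> 202.106.185.107:25 allow
2000-09-02 21:06:00 tcp 10.0.0.5:1100 -> 10.0.0.7:139 allow
2000-09-02 21:06:05 udp 10.0.0.5:137 -> 10.0.0.255:137 allow
this line is not a firewall record
""".splitlines()


if __name__ == "__main__":
    scanners, callhome = analyze(SAMPLE_LOG)
    for src, n in scanners.items():
        print(f"{src}: {n} TCP/139 targets inside {[str(r) for r in qaz_scan_ranges(src, 2)]}")
    for src in callhome:
        print(f"{src}: SMTP to QaZ collector {QAZ_COLLECTOR}")
```

The range check is what keeps the false-positive rate down: a sweep of a single /16 on port 139 from a consumer address is the worm's signature, while a client that opens TCP/139 to a handful of servers anywhere on the Internet never reaches the threshold. The 23.255.1.1 target in the sample is outside 24.0-24.3.*.* and is correctly not counted.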

The root issue that QaZ highlights is that a significant number of Internet users still have wide-open Microsoft networking shares. This problem should be a call to arms for service providers to reinvigorate their efforts to educate users on procedures to lock down Microsoft networking.

Infection Graphs

© 2000 myNetWatchman.com. All Rights Reserved.