Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Qaz

Aliases: Win32.HLLW.Qaz, Worm.Qaz, W32/QAZ.worm

Win32/Qaz is a worm written in Microsoft Visual C++.  Its size is 120320 bytes.  The worm operates in the environment of the operating system Windows and is able to spread by means of the local computer network.  The worm contains a code which enables remote control of the infected computer.
After it is run the worm Win32/Qaz creates an item "startIE" with the value "name of the file with the worm qazwsx.hsq" in the system registry in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.  Doing so, the virus ensures its activation after the operating system is started.  While the worm is active in memory it runs two processes.
The worm searches through shared disks and looks for the string "WIN" in the path.  If it finds a directory like that it checks for the presence of the file notepad.exe in it.  It renames the file to note.exe a copies itself into the file notepad.exe.  If someone executes the file notepad.exe on such a computer connected to the network the computer will be infected by the worm.
The second activity of the worm is the following: the worm can write a file from the Internet to the attacked computer, execute such a file or terminate the execution of the worm remotely.  The worm sends an email message to its author.  The message contains the IP address of the attacked system to allow the author to use that feature.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.