[Snort-sigs] SID 108

Christopher_Lubrecht at ...381...
Fri Mar 1 11:12:17 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flags: A+; content:"|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:108; classtype:misc-activity; rev:3;)
The QAZ worm is a trojan/backdoor program which propagates itself through worm
activity over the local network. The worm contacts a single outside IP address
and lets the user upload and run any program. This is usually enough to install a
more flexible backdoor or information-gathering program.
The impact is similar to that of any other backdoor program, in that it could lead
to a larger compromise. This worm communicates its information with a single host,
presumably somewhere in China. This does not mean only one user sees the
information, however.
Detailed Information:
When installed, the worm listens on port 7597 for instructions from the client.
When executed, the worm browses for network shares that allow write access to
Windows folders over NetBIOS without a password. The worm then copies itself
to NOTEPAD.EXE and copies the old NOTEPAD.EXE to NOTE.COM. When Notepad is run,
NOTE.COM is run and the worm is executed. After a reboot, the machine is ready to
go. The backdoor then communicates with, which is located
physically in China.
Attack Scenarios:
Essentially, this is a worm like any other. It is to be noted that the worm is
only a small piece of the puzzle, and the true intent of this malware is to
install a backdoor. Once hackers have this backdoor, they can install more
sophisticated backdoors and programs, and use the machine to compromise the rest
of the network.
Ease of Attack:

False Positives:
The signature could be triggered by innocent internet use, but it is unlikely.
False Negatives:

Corrective Action:
Corrective action varies depending on the platform used. The correct
procedures for removing the worm/backdoor can be obtained from any antivirus vendor's site.
Christopher Lubrecht chris_lubrecht at ...382...
Additional References:

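As an added illustration (not part of the original post and not Snort's own engine), the following Python applies SID 108 to a few constructed packets: it decodes the |..| hex content option into the byte string the rule looks for, then checks protocol, the $EXTERNAL_NET -> $HOME_NET direction, destination port 7597, the "A+" flag test (ACK set, any other flags allowed) and the content match. The $HOME_NET range, the sample packets and all helper names are assumptions for the demo; the matcher understands only the options this rule uses.

```python
"""Apply Snort SID 108 (QAZ backdoor client login) to constructed packets.

Added illustration: a minimal matcher for the rule's header, flags and
content options. It is not Snort's engine and supports only what SID 108
uses. HOME_NET and the packets below are made up for the demo.
"""
import ipaddress
import re
from dataclasses import dataclass

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 '
        '(msg:"BACKDOOR QAZ Worm Client Login access"; flags: A+; '
        'content:"|71 61 7a 77 73 78 2e 68 73 71|"; '
        'reference:MCAFEE,98775; sid:108; classtype:misc-activity; rev:3;)')

# Assumed monitored network for the demo (not part of the original post).
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flag letters, e.g. "PA" for PSH+ACK
    payload: bytes


def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string into bytes: |..| runs are hex, the rest literal."""
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", pattern):
        if piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece[1:-1])
        else:
            out += piece.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into its header fields and an option map."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return in_home_net(ip)
    if spec == "$EXTERNAL_NET":
        return not in_home_net(ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def flags_match(spec: str, flags: str) -> bool:
    """Snort flags: exact set by default; a trailing '+' means 'at least these'."""
    spec = spec.strip()
    required = set(spec.rstrip("+"))
    have = set(flags)
    return required <= have if spec.endswith("+") else required == have


def rule_matches(rule: dict, pkt: Packet) -> bool:
    o = rule["opts"]
    return (pkt.proto == rule["proto"]
            and addr_matches(rule["src"], pkt.src) and port_matches(rule["sport"], pkt.sport)
            and addr_matches(rule["dst"], pkt.dst) and port_matches(rule["dport"], pkt.dport)
            and ("flags" not in o or flags_match(o["flags"], pkt.flags))
            and ("content" not in o or decode_content(o["content"]) in pkt.payload))


# Constructed sample traffic; only the first packet should fire SID 108.
SAMPLE = [
    Packet("tcp", "203.0.113.7", 40123, "192.168.1.20", 7597, "PA", b"qazwsx.hsq\r\n"),
    Packet("tcp", "203.0.113.7", 40124, "192.168.1.20", 7597, "S", b""),                # SYN only, no ACK
    Packet("tcp", "203.0.113.7", 40125, "192.168.1.20", 7597, "PA", b"GET / HTTP/1.0\r\n"),  # no login string
    Packet("tcp", "192.168.1.5", 40126, "192.168.1.20", 7597, "PA", b"qazwsx.hsq"),    # internal source
    Packet("tcp", "203.0.113.7", 40127, "192.168.1.20", 80, "PA", b"qazwsx.hsq"),      # wrong port
]


def alerts(packets=SAMPLE, rule=RULE):
    """Return the indices of packets that match the rule."""
    parsed = parse_rule(rule)
    return [i for i, p in enumerate(packets) if rule_matches(parsed, p)]


if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print("content pattern:", decode_content(parsed["opts"]["content"]))
    for i in alerts():
        print(f"SID {parsed['opts']['sid']} fired on packet {i}: {parsed['opts']['msg']}")
```

The decoded content is the ASCII string qazwsx.hsq, which is why the rule is narrow enough that false positives are unlikely; note that the rule still requires the packet to come from outside $HOME_NET, so a client inside the monitored network (packet 3 above) would not trigger it.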
