[31607] in North American Network Operators' Group


Re: Disabling QAZ (was Re: Port 139 scans)

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Fri Sep 29 20:24:14 2000

Message-ID: <39D52F9D.E63E5A84@netmore.net>
Date: Fri, 29 Sep 2000 17:11:09 -0700
From: Roland Dobbins <rdobbins@netmore.net>
Reply-To: rdobbins@netmore.net
MIME-Version: 1.0
To: Ben Browning <benb@oz.net>
Cc: Dana Hudes <dhudes@hudes.org>, nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Can't you just download a .reg file to the luser and instruct him to
click on it?  Or use one of the well-known SMB/CIFS exploits to make it
execute your code - i.e., the .reg file?

Also, variants I've seen replace NOTEPAD.EXE with a hacked version -
they merely rename the real NOTEPAD.EXE, then substitute a larger one,
for what it's worth.

Ben Browning wrote:
> 
> At 05:02 PM 9/29/00 -0400, Dana Hudes wrote:
> >I am willing to scrap together a script to shutdown the virus on an
> >infected machine and put it in a CGI web page.
> 
> Well, that solves the problem until the reboot. After that, the registry
> key opens that puppy right back up.
> 
> The trick is to gut it COMPLETELY.
> 
> This virus supposedly supports three commands : upload, run and quit. I
> can't get upload to work, and I lost the manpage (ha, ha). It is possible
> to upload a file (perhaps compiled c?) that rips out the registry entry
> and renames the appropriate files on reboot. In fact, one could (legality
> aside) write up the program to use QAZ as the delivery mechanism for its
> own death. There's something poetic about that...
> 
> I have a copy of the worm zipped here- if you'd like it drop me a private
> email.
> 
> >I'm not sure about volume but initially I think I can host it. In the
> >event my 1Mbit connection is overwhelmed I'll need another place....
> >What stops me at the moment is that I have no authorization to test
> >against any infected machine.
> >I need a target.
> 
> I'd offer mine, but I have it isolated.
> 
> >I'm willing to also try for making the connection to the share and
> >removing the infection but I'm not sure I can get it in time.
> >At least a shutdown page would do something.
> 
> Half measures merely delay the inevitable- I believe it is best to expunge
> it right off the bat and never have to deal with the recurrences.
> 
> >I will start writing my code and await direct e-mail with authorization
> >and a target IP address to test against.
> >Note that I have plenty of potential test targets in my Samba logs :-( but
> >no legal authority to connect to those machines.
> 
> My current thought is to simply put up a .reg and .bat file on the web,
> with instructions on how to use it. Run the .reg to kill the registry key,
> and run the .bat file to rename the files after the reboot. Of course, it
> may be easier to simply have a standard email explaining the virus and the
> removal procedure (my current solution,  if anyone wants a copy of the
> email drop me a line). I will stick with this approach unless the script
> fully removes (as opposed to temporarily disabling) the virus.
> 
> Another interesting note- the virus will not allow your computer to reboot
> if someone is connected to the telnet port.
> 
> On a side note, if anyone knows a good logfile parsing perl script that
> pulls out all the IP addresses in a log, I'd love a copy. I have one, but
> it is very clunky and I daresay a better perl coder than I has tackled this
> issue. I only ask because this worm has increased the number of other
> people's (variously formatted) logfiles in my inbox by about 900%.  :)
> 
> ---
> Ben Browning <benb@oz.net>
> oz.net Network Operations
> Tel (206) 443-8000 Fax (206) 443-0500
> http://www.oz.net/

-- 
------------------------------------------------------------
 Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice
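Ben's quoted message asks for a log parser that pulls every IP address out of "variously formatted" logfiles (Samba logs, kernel packet logs, web access logs). The following is an added example written for this archive page, not code from either poster, and it is in Python rather than the Perl Ben asked for. The sample log lines are constructed here to show several formats at once, and the `exclude_networks` argument is an assumed convenience for dropping your own address space (the Samba server's own address shows up on every connection line); the `192.0.2.0/24` value used below is a placeholder, not anyone's real network.

```python
import ipaddress
import re
from collections import Counter

# One dotted quad, not glued to letters/digits on either side and not part of a
# longer dotted chain ("10.0.0.1.2"), but allowed to end a sentence ("from 10.1.2.3.").
IPV4_CANDIDATE = re.compile(
    r"(?<!\w)(?<!\d\.)(\d{1,3}(?:\.\d{1,3}){3})(?!\w)(?!\.\d)"
)

# Constructed sample lines in several formats (Samba, a kernel packet log, a
# web access log, syslog); they are not taken from the thread.
SAMPLE_LOG = """\
[2000/09/29 17:03:12, 1] smbd/service.c:make_connection(550)
  198.51.100.23 (198.51.100.23) connect to service tmp initially as user nobody
Sep 29 17:04:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:1135 192.0.2.1:139
198.51.100.23 - - [29/Sep/2000:17:05:44 -0700] "GET /scan HTTP/1.0" 404 208
Sep 29 17:06:10 gw smbd[1234]: denied connection from 10.1.2.3 (10.1.2.3) to share C$
Sep 29 17:07:55 gw smbd[1234]: version 2.0.7 loaded, malformed token 999.1.1.1 ignored
Sep 29 17:08:30 gw smbd[1234]: session closed for 203.0.113.7.
"""


def extract_ips(text, exclude_networks=()):
    """Return a Counter of valid IPv4 addresses found anywhere in `text`.

    exclude_networks: CIDR strings for your own address space (assumed
    convenience), so the server's own address is not counted as a scanner.
    """
    excluded = [ipaddress.ip_network(n) for n in exclude_networks]
    counts = Counter()
    for token in IPV4_CANDIDATE.findall(text):
        try:
            addr = ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255, such as 999.1.1.1
        if any(addr in net for net in excluded):
            continue
        counts[str(addr)] += 1
    return counts


def summarize(text, exclude_networks=()):
    """Sorted list of (ip, hits), busiest first, ties broken by address order."""
    counts = extract_ips(text, exclude_networks)
    return sorted(
        counts.items(),
        key=lambda kv: (-kv[1], ipaddress.IPv4Address(kv[0])),
    )


if __name__ == "__main__":
    import sys

    # Read a log from stdin if one is piped in; otherwise use the sample above.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, hits in summarize(data, exclude_networks=["192.0.2.0/24"]):
        print(f"{hits:6d}  {ip}")
```

Run it as `cat *.log | python3 ipcount.py` to get one line per address with its hit count, busiest first; addresses are validated with the `ipaddress` module rather than trusted from the regex, which is what keeps version strings and garbage tokens out of the report.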

