Another Type Of Virus Hits The World (And Gets Microsoft No Less)

  • Written By: M. Reed
  • Published: November 9 2000


Event Summary

A number of anti-virus vendors, including Trend Micro and Computer Associates, have warned of a virus with a new approach. It is known variously as QAZ.TROJAN or QAZ.WORM, and was officially renamed W32.HLLW.Qaz.A in September. It spreads on its own across unprotected network shares (strictly a worm rather than a virus, since it needs no host file to travel) and, once on a machine, replaces the Notepad.Exe application with a copy of itself (there have been occasions where Notepad was not the victim). The replacement then provides a backdoor to outside intruders, in effect giving them remote control over the infected computer.

According to Simon Perry, vice president of security solutions at Computer Associates, "While CA's InoculateIT (based on a product acquired from Cheyenne) has provided protection against Qaz.Trojan since August, the Microsoft attack underscores the requirement for users to ensure that virus signatures are maintained to avoid critical data being hijacked." (A Microsoft spokesman issued a press release on October 27 stating that "no source code was compromised" during the virus attack.)

Note that the share does not have to be "mapped" to a drive letter on any other machine: the worm spreads to any host it can reach on which the Windows directory is writable over a share, whether the Windows directory itself was shared or a parent of it, such as the root of the C drive.

Interestingly, once a machine is infected, the worm attempts to send that computer's IP address to an e-mail address in China, presumably so that the intruder knows where to connect. You never know where these things will come from; Bulgaria used to be a very popular germination site.

Market Impact

This event simply underscores the importance of eternal vigilance on the part of system administrators and PC users. Education may prove to be the key, since many people do not know that:

  • Anti-virus signature files (the "virus strings") do not update themselves. A machine running stale signatures is susceptible to newer variants of the original virus ("QAZ" already has at least four). Most current anti-virus software addresses this by automatically dialing in to the vendor or connecting via the Internet to fetch new signatures on a schedule. Unfortunately, the schedule is often defeated because the user has no persistent Internet connection, or the machine is switched off during the period in which the update is due.

  • Many users turn off the anti-virus software because they believe it slows down their machine. The better answer is to tune, in the product's settings, which file extensions the on-access scanner examines. We will not list all the permutations here, but executables, scripts and documents that can carry macros should always be scanned on access, while plain data files (.TXT, .WRI, etc.) need only be covered by a periodic full scan, say monthly.

However, many users do not have anti-virus software installed at all! Too expensive, don't see the need, the list is virtually endless. Users should purchase and install anti-virus software on every machine they control. The software should be able to detect viruses that are "in the wild". Many new viruses are written and distributed every day. An "in the wild" virus is one that is actually circulating on users' machines, as opposed to a sample held only in a research lab; the newest of them may have no signature yet, or the signature may not yet have reached your machine, so detection should not depend on signatures alone.

User Recommendations

Here are some suggestions to protect your machines. They mostly pertain to this specific virus and are not comprehensive. The user community should observe the following rules as if they were written in stone:

  1. NEVER share the Windows directory or the root of the C drive (or the root of any other drive, for that matter). Sharing a root exposes every folder beneath it, the Windows directory included.

  2. Any shares which you do allow should grant specific permissions to specific users (read-only unless write access is genuinely needed) and, where the system uses share-level security, carry an assigned password.

  3. Update your virus strings from your anti-virus vendor at least weekly.

  4. USE your anti-virus software!

  5. Read the manual and/or on-line documentation which comes with your anti-virus software. It contains many more useful tips to protect your data.
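A concrete way to check rules 1 and 2 on a current Windows machine, as an added example that is not part of the original article: the script below uses the SmbShare cmdlets (Get-SmbShare, Get-SmbShareAccess) to list every local share that is a drive root, that is or contains or sits inside the Windows directory, or that grants Change or Full access to broad groups such as Everyone. It assumes Windows 8 / Server 2012 or later, PowerShell 3 or later, and an elevated prompt; the function name Get-RiskyShares and the list of "broad" account names are this example's own choices.

```powershell
# Added example, not from the original article: audit the local machine's SMB
# shares against rules 1 and 2 above. Assumes the SmbShare module (Windows 8 /
# Server 2012 and later) and an elevated prompt.

function Get-RiskyShares {
    $windir  = (Get-Item $env:windir).FullName.TrimEnd('\')   # e.g. C:\Windows
    $cmp     = [System.StringComparison]::OrdinalIgnoreCase
    $results = @()

    foreach ($share in Get-SmbShare) {
        # IPC$ and other path-less shares expose no files; skip them.
        if ([string]::IsNullOrEmpty($share.Path)) { continue }
        $path     = $share.Path.TrimEnd('\')
        $problems = @()

        # Rule 1: a drive root, the Windows directory itself, a parent of it
        # (which exposes it), or a directory inside it.
        if ($path -match '^[A-Za-z]:$') { $problems += 'drive root' }
        if ($path.Equals($windir, $cmp) -or
            $windir.StartsWith($path + '\', $cmp) -or
            $path.StartsWith($windir + '\', $cmp)) {
            $problems += 'exposes Windows directory'
        }

        # Rule 2: write access (Change or Full) granted to broad principals.
        # The account-name pattern is an assumption; extend it for your domain groups.
        $broad = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            $_.AccountName -match '^(Everyone|.*\\Users|.*\\Authenticated Users|.*\\ANONYMOUS LOGON)$'
        }
        foreach ($ace in $broad) {
            $problems += "$($ace.AccessRight) for $($ace.AccountName)"
        }

        if ($problems.Count -gt 0) {
            # C$ and ADMIN$ are created by Windows and limited to Administrators;
            # they are reported so the reader can confirm that is still true.
            $note = ''
            if ($share.Name.EndsWith('$')) {
                $note = 'built-in admin share; acceptable only if limited to Administrators'
            }
            $results += [PSCustomObject]@{
                Share    = $share.Name
                Path     = $share.Path
                Problems = ($problems -join '; ')
                Note     = $note
            }
        }
    }
    return $results
}

Get-RiskyShares | Format-Table -AutoSize
```

On the Windows 9x/NT systems the article was written for, the equivalent manual check is `net share` at a command prompt, which lists each share and its path; anything rooted at C:\ or at the Windows directory should be removed with `net share <name> /delete` and re-created, if it is needed at all, on a subdirectory with restricted permissions.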

Evaluate the available anti-virus products before you purchase. Where possible, choose a package with heuristic capabilities (the product does not only search for strings, it also watches for virus behaviors). A short list of vendors to be considered would be Computer Associates, F-Secure, Network Associates (3 different packages), Norman, Symantec (which now owns Norton Anti-Virus, currently the best selling package on the market), and Trend Micro.
