November 9, 2000
A number of anti-virus vendors, including Trend Micro and Computer Associates,
have warned of a virus with a new approach. It is known variously as QAZ.TROJAN
or QAZ.WORM, and was officially renamed to W32.HLLW.Qaz.A in September.
The virus enters via unprotected shared drives and replaces the Notepad.Exe
application (there have been occasions where Notepad was not the victim).
The virus then provides a backdoor to outside intruders, in effect giving
them remote control over the computer that has been infected.

According to Simon Perry, vice president of security solutions at Computer Associates,
"While CA's InoculateIT (based on a product acquired from Cheyenne) has
provided protection against Qaz.Trojan since August, the Microsoft attack
underscores the requirement for users to ensure that virus signatures
are maintained to avoid critical data being hijacked." (A Microsoft spokesman
issued a press release on October 27 stating that "no source code was
compromised" during the virus attack.)
that the drive does not have to be "mapped" to any other machines, the
virus will spread to any machine it finds where the windows directory
Once the machine is infected, the virus attempts to send the infected
computer's IP address to an e-mail address in China. You never know where
these viruses will come from; Bulgaria used to be a very popular germination

This event simply underscores the importance of eternal vigilance on the
part of system administrators and PC users. Education may prove to be
the key, since many people do not know that:
- Anti-virus software virus identification strings do not update themselves.
  Thus, the machine is susceptible to newer variants of the original virus
  ("QAZ" already has at least four variants). The remedy is that most current
  anti-virus software will automatically either dial in to the vendor or
  connect via the Internet and update the strings on a scheduled basis.
  Unfortunately, this is often defeated because users don't have a persistent
  Internet connection, or turn off the machine at the time it is scheduled
  to update.
- Users turn off the anti-virus software because they believe it slows
  down their machine. This can be resolved by configuring, in the anti-virus
  software, which file extensions should be examined during the scan.
  We will not list all the permutations here, but at the least, data files
  (.TXT, .WRI, etc.) should only be scanned monthly.
- Users do not have anti-virus software installed at all! Too expensive,
  don't see the need; the list of reasons is virtually endless. Users should
  purchase and install anti-virus software on every machine they control.
  The software should be able to detect viruses that are still "in the wild".
  Many new viruses are written and distributed every day. An "in the wild"
  virus is one which has been discovered but not yet cured, or for which the
  cure has not yet been distributed.

Here are some suggestions to protect your machines. They mostly pertain
to this specific virus and are not comprehensive. The user community should
observe the following rules as if they were written in stone:
- Do not share the Windows directory or the root of the C drive (or the root
  of any other drive for that matter).
- Any shared drives which you do allow should have specific permissions for
  specific users and an assigned password.
- Update your virus strings from your anti-virus vendor at least weekly.
- USE your
- Read the manual and/or on-line documentation which comes with your anti-virus
  software. It contains many more useful tips to protect your data.
- Evaluate the available anti-virus products before you purchase. Where possible,
choose a package with heuristic capabilities (the product does not only
search for strings, it also watches for virus behaviors). A short list
of vendors to be considered would be Computer Associates, F-Secure, Network
Associates (3 different packages), Norman, Symantec (which now owns Norton
Anti-Virus, currently the best selling package on the market), and Trend
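
The rules above about shared drives can be checked mechanically. The following is an added example, not part of the original article: it scans the text printed by `net share` and reports any share that exposes a drive root or the Windows directory. The sample listing, the function name `risky_shares`, the column layout it parses and the default `C:\WINDOWS` location are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample of `net share` output (not captured from a real host).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
ROOT         C:\
WIN          C:\WINDOWS\
Data         D:\
Docs         C:\Users\Public\Documents       Team documents
The command completed successfully.
"""

# Built-in administrative shares (C$, ADMIN$, IPC$) are skipped below.
DEFAULT_ADMIN = re.compile(r"^([A-Z]|ADMIN|IPC)\$$", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:")


def _norm(path):
    # Windows paths are case-insensitive; normalise slashes, case, trailing "\".
    return ntpath.normcase(ntpath.normpath(path))


def risky_shares(net_share_output, windir=r"C:\WINDOWS"):
    """Return [(share, path, reason)] for shares exposing a drive root or windir."""
    win = _norm(windir)
    findings = []
    for line in net_share_output.splitlines():
        # Assumption: columns are separated by runs of two or more spaces.
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2 or not DRIVE_PATH.match(cols[1]):
            continue  # header, separator, IPC$ (no path), status line
        name, path = cols[0], _norm(cols[1])
        if DEFAULT_ADMIN.match(name):
            continue  # assumption: default admin shares are reviewed separately
        if ntpath.splitdrive(path)[1] in ("", "\\"):
            findings.append((name, cols[1], "drive root"))
        elif path == win or path.startswith(win + "\\"):
            findings.append((name, cols[1], "Windows directory"))
    return findings


if __name__ == "__main__":
    for name, path, reason in risky_shares(SAMPLE_NET_SHARE):
        print(f"{name}: {path} ({reason})")
```

Every share it reports should either be removed or narrowed to a specific subdirectory with per-user permissions and a password, as the rules above require.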