W32.HLLW.Qaz.A was first discovered in China in July of 2000. W32.HLLW.Qaz.A is a companion virus that spreads over the local network and also carries a backdoor that lets a remote attacker connect to and control the computer via TCP port 7597. Because the virus has no ability to spread to computers outside the local network on its own, the original sample was probably distributed by email.

W32.HLLW.Qaz.A was renamed from Qaz.Trojan on August 10, 2000. As of September 14, 2000, there are at least four variants of the original virus.

Also known as: Qaz.Trojan, Qaz.Worm, W32.HLLW.Qaz (gen)

Category: Virus

Infection length (bytes): 120320, 119296, 120297, 122880

Virus definitions: July 18, 2000


Wild:

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Easy


Damage:

Payload Trigger: Each time the virus is executed
Payload: Creates a backdoor on the computer
Modifies files: Renames the original notepad.exe to note.com and drops itself as notepad.exe
Releases confidential information: Emails the infected computer's IP address to the virus author
Compromises security settings: Opens a backdoor that allows unauthorized remote access to the computer

Distribution:

Ports: Listens for incoming TCP connections on port 7597
Target of infection: notepad.exe on the local computer and on every reachable computer in the network neighborhood


Technical Description:

W32.HLLW.Qaz.A is a Win32 companion virus with the ability to spread over the network and also create a backdoor. When the virus is launched, it searches available network drives for copies of notepad.exe and renames them to note.com. It then copies itself (the virus code) across the network to the target computers as notepad.exe. Each time notepad.exe is executed it runs the virus code and then launches the original Notepad (now note.com), so the user sees Notepad open as expected and nothing appears to be wrong. It also adds the following system registry value to execute itself every time the system is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "StartIE"="C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq"

W32.HLLW.Qaz.A enumerates the network neighborhood to find computers to infect. When it finds a computer, it infects it by searching for notepad.exe and making the same modifications (renaming notepad.exe to note.com and writing itself as notepad.exe). It does not require any mapped drives to infect other computers; any share that is writable to the current user is enough. Once a computer is infected, its IP address is emailed to the virus author automatically. The backdoor payload in the virus uses WinSock to listen on TCP port 7597 and waits for connections. This lets an attacker who knows the IP address connect to the infected computer and gain access to it.

Removal:

To remove W32.HLLW.Qaz.A:


(1)  Remove the following registry value (remove only the "StartIE" value, not the whole Run key, which also holds legitimate startup entries):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "StartIE"="C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq"
The path in the value may differ if Windows is installed in another directory; identify the entry by the value name "StartIE" and the "qazwsx.hsq" argument.

(2)  Restart the computer.

(3)  Scan with Norton AntiVirus and delete all files detected as W32.HLLW.Qaz.A, Qaz.Trojan, or W32.HLLW.Qaz (gen).

(4)  Search for files called note.com and, once the infected notepad.exe in the same directory has been deleted, rename each note.com back to notepad.exe.

(5)  Scan all other computers on the network to find all other infections and repeat the above steps if infections are found.

(6)  Password-protect or unshare world-writable shares to prevent future infections. The virus only needs write access to a share to drop its copy of notepad.exe; read-only shares are not at risk.
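The following script is an added example and is not part of the original advisory or of any vendor tool. It checks one Windows host for the indicators given in the Technical Description (the "StartIE" Run value with the qazwsx.hsq argument, a note.com companion next to notepad.exe, a notepad.exe whose length matches one of the listed infection lengths, a TCP listener on port 7597, and writable SMB shares) and, when run with -Remediate, carries out steps 1, 4 and the share review of step 6 above. It assumes PowerShell 5.1 or later on a supported Windows version with the NetTCPIP and SmbShare modules (Windows 8 / Server 2012 or later) and an elevated prompt. It does not replace the antivirus scan in step 3: a notepad.exe of an unrecognised size is reported but left in place.

```powershell
# Added example, not code from the advisory. Audits a host for the W32.HLLW.Qaz.A
# indicators described above and, with -Remediate, undoes the ones it can.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

# Indicators taken from the advisory text.
$RunKey        = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue      = 'StartIE'
$RunArgument   = 'qazwsx.hsq'
$InfectedSizes = @(120320, 119296, 120297, 122880)
$BackdoorPort  = 7597

# Directories that normally hold notepad.exe; missing ones are skipped.
$NotepadDirs = @($env:SystemRoot, "$env:SystemRoot\System32") | Where-Object { Test-Path $_ }

$findings = New-Object System.Collections.Generic.List[string]

# Step 1: the persistence value. Match on value name and argument rather than
# the full path, since the Windows directory varies between installations.
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run -and $run.$RunValue -match [regex]::Escape($RunArgument)) {
    $findings.Add("Run value '$RunValue' = '$($run.$RunValue)'")
    if ($Remediate -and $PSCmdlet.ShouldProcess("$RunKey\$RunValue", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }
}

# Step 4: companion files. The original Notepad survives as note.com; the
# dropped notepad.exe has one of the known infection lengths.
foreach ($dir in $NotepadDirs) {
    $notepad = Join-Path $dir 'notepad.exe'
    $noteCom = Join-Path $dir 'note.com'
    $notepadInfected = (Test-Path $notepad) -and ((Get-Item $notepad).Length -in $InfectedSizes)

    if ($notepadInfected) {
        $findings.Add("$notepad has a known infection length ($((Get-Item $notepad).Length) bytes)")
    }
    if (Test-Path $noteCom) {
        $findings.Add("Companion $noteCom present (renamed original Notepad)")
        if ($Remediate) {
            if ($notepadInfected -and $PSCmdlet.ShouldProcess($notepad, 'Delete infected notepad.exe')) {
                Remove-Item -Path $notepad -Force
            }
            # Restore only when no notepad.exe is in the way; an unrecognised
            # notepad.exe beside note.com is left for the antivirus scan (step 3).
            if (-not (Test-Path $notepad) -and $PSCmdlet.ShouldProcess($noteCom, 'Rename to notepad.exe')) {
                Rename-Item -Path $noteCom -NewName 'notepad.exe'
            } elseif (Test-Path $notepad) {
                $findings.Add("Left $noteCom in place: $notepad exists and is not a known infected size")
            }
        }
    }
}

# Backdoor: anything listening on TCP 7597, with its owning process.
$listener = Get-NetTCPConnection -State Listen -LocalPort $BackdoorPort -ErrorAction SilentlyContinue |
            Select-Object -First 1
if ($listener) {
    $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("TCP $BackdoorPort is listening, owning PID $($listener.OwningProcess) ($($proc.ProcessName)); stop it and reboot (step 2)")
}

# Step 6: non-administrative shares that grant Change or Full access. The virus
# only needs write access to a share to drop its copy of notepad.exe.
Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special } | ForEach-Object {
    $writers = Get-SmbShareAccess -Name $_.Name |
               Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in @('Change', 'Full') }
    if ($writers) {
        $findings.Add("Share '$($_.Name)' ($($_.Path)) writable by: $($writers.AccountName -join ', ')")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No W32.HLLW.Qaz.A indicators found on $env:COMPUTERNAME"
} else {
    Write-Output "Findings on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Output "  - $_" }
    if (-not $Remediate) { Write-Output "Re-run with -Remediate (add -WhatIf to preview) to apply steps 1 and 4." }
}
```

Run it first without -Remediate to see what it would touch, then with -Remediate -WhatIf, then with -Remediate; reboot afterwards (step 2) and run the antivirus scan (step 3) before trusting the host. To cover the rest of the network (step 5) the same script can be pushed to every host with Invoke-Command -ComputerName over WinRM, which also reaches machines that have no drive mapped, the same way the virus does.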