Worm.Qaz
Description Worm.Qaz
This is a network worm with backdoor abilities that spreads on Win32 systems. It was reported "in the wild" in July-August 2000. The worm itself is a Win32 executable file about 120K in length, written in MS Visual C++.

When an infected file is executed, the worm registers itself in the auto-start section of the Windows registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
startIE = "filename qazwsx.hsq"

where "filename" is the name of the worm's file (usually "Notepad.exe", see below). As a result, the worm is activated each time Windows starts up. The worm then stays in system memory as an application (visible in the task list) and runs two processes: spreading and backdoor.

The spreading process copies the worm through the local network to drives that are shared for reading/writing. The worm enumerates the network resources and looks for a "WIN" string in their names. If such a string is present in the name (i.e., it is the Windows directory on a remote computer), the worm looks for NOTEPAD.EXE there, renames it to NOTE.COM and writes its own copy under the NOTEPAD.EXE name. As a result, on the affected machine the original NOTEPAD.EXE is found under the NOTE.COM name (the worm uses it to run the original Notepad when the worm completes its routines), and the worm's code is present in the NOTEPAD.EXE file. The worm is activated the moment a user runs Notepad on the affected machine.

The backdoor routine is quite simple. It supports just a few commands: Run (to run a specified file), Upload (to create a file on the affected machine) and Quit (to terminate the worm routines). There are just three commands, but that is enough to install any other (more powerful) backdoor or any other Trojan/virus on the machine.

The worm also sends a notification to its "host" (worm author?). This is an e-mail message sent to some address in China. The message contains the IP address(es) of the infected machine.
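The two host artifacts described above (the startIE Run value and the NOTEPAD.EXE / NOTE.COM swap) can be checked during triage. The following Python code is an added example, not part of the original description or of any antivirus product. The function names are hypothetical, the Run key values are assumed to be supplied as an exported name-to-data mapping, and the sample values are constructed.

```python
import os

RUN_VALUE_NAME = "startie"      # Run value name given in the description
RUN_DATA_MARKER = "qazwsx.hsq"  # argument stored after the worm's file name


def check_run_values(run_values):
    """Flag Run-key entries matching the description.

    run_values: dict of value name -> data, exported from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (assumed input).
    """
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or RUN_DATA_MARKER in data.lower():
            hits.append((name, data))
    return hits


def check_windows_dir(path):
    """Report the NOTEPAD.EXE / NOTE.COM swap in a Windows directory."""
    names = {n.lower(): n for n in os.listdir(path)}
    findings = {}
    if "note.com" in names:
        note = os.path.join(path, names["note.com"])
        with open(note, "rb") as fh:
            # A renamed Win32 executable still starts with the "MZ" signature.
            findings["note_com_is_exe"] = fh.read(2) == b"MZ"
        if "notepad.exe" in names:
            pad = os.path.join(path, names["notepad.exe"])
            # The description gives the worm's size as about 120K.
            findings["notepad_size"] = os.path.getsize(pad)
    return findings


if __name__ == "__main__":
    # Constructed sample of exported Run values, not taken from a real host.
    sample = {
        "SystemTray": "SysTray.Exe",
        "startIE": r"C:\WINDOWS\Notepad.exe qazwsx.hsq",
    }
    print(check_run_values(sample))
    print(check_windows_dir(os.environ.get("WINDIR", ".")))
```

An empty result from both functions means neither artifact from the description was found; it does not rule out other malware.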
Macro.Word.TheEraser
Description Macro.Word.TheEraser
The virus contains two macros: AutoOpen and TheEraser. It replicates when documents are opened (AutoOpen). On the 5th of any month it erases the files: C:\Windows\*.exe C:\Windows\*.com C:\Windows\*.sys C:\Dos\*.exe C:\Dos\*.com C:\Dos\*.sys C:\Dos\*.exe C:\*.com C:\*.sys
Then it inserts the following text into the current document: You've just been erased!!! - The Eraser
The virus also contains the comments: The Eraser Word 95 Virus designed this 17th day of April, 1998 at 10:30 in the evening here in the country of the Philippines
Macro.Word.Thery
Description Macro.Word.Thery
This virus contains only one macro, AutoClose, and replicates when files are closed. It deletes the macros that are named "virus111". It contains the comments: VirusMacroWord du Bureau Informatique du SIRPA Virus Anti Virus du 14 juillet 1997 v0.1b - Sgt THERY - 18/07/97