
Notepad.exe Accessing the Internet and Local Network ?


Chip

Aug 29, 2000, 3:00:00 AM
I've got a two PC LAN - two NIC's and a crossover cable and I use
Notepad quite often from both systems to edit HTML etc for eBay ads,
what have you. Lately I've been getting notices from Zone Alarm
asking if I want to allow Notepad.exe to access the internet or to
access the local network ? I also notice my Floppy and CD Rom being
accessed on occasion without any input from myself ? I suspect some of
the CD-Rom / Floppy accesses are networking issues but am curious
about Notepad ?

TIA

Chip

Jeffrey A. Setaro

Aug 29, 2000, 3:00:00 AM
In article <39addf57...@news.usol.com>, chips...@hotmail.com
says...

Sounds like the W32/QAZ worm. See <http://www.f-secure.com/v-descs/qaz.htm>
for details.

> TIA
>

You're welcome. HTH.

--
Cheers-

Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/~jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99

Art Kopp

Aug 29, 2000, 3:00:00 AM
On Tue, 29 Aug 2000 16:12:16 GMT, chips...@hotmail.com (Chip) wrote:

>I've got a two PC LAN - two NIC's and a crossover cable and I use
>Notepad quite often from both systems to edit HTML etc for eBay ads,
>what have you. Lately I've been getting notices from Zone Alarm
>asking if I want to allow Notepad.exe to access the internet or to
>access the local network ? I also notice my Floppy and CD Rom being
>accessed on occasion without any input from myself ? I suspect some of
>the CD-Rom / Floppy accesses are networking issues but am curious
>about Notepad ?

This has been discussed very recently on alt.comp.virus
I don't recall details but you are infected by some new malware.
If you don't find the info you need there to get started, feel free to
email me .... I can probably get you steered to a solution. My email
address has only been smudged with one letter ... it is mindspring.

Art


Art Kopp

Aug 29, 2000, 3:00:00 AM
On Tue, 29 Aug 2000 16:12:16 GMT, chips...@hotmail.com (Chip) wrote:

>I've got a two PC LAN - two NIC's and a crossover cable and I use
>Notepad quite often from both systems to edit HTML etc for eBay ads,
>what have you. Lately I've been getting notices from Zone Alarm
>asking if I want to allow Notepad.exe to access the internet or to
>access the local network ? I also notice my Floppy and CD Rom being
>accessed on occasion without any input from myself ? I suspect some of
>the CD-Rom / Floppy accesses are networking issues but am curious
>about Notepad ?

Ok, I just checked alt.comp.virus and the subject line is:
URGENT: Notepad Virus ???

It is actually the QAZ Trojan and is not a virus. Look here for just
one description of many you can find:

http://www.cai.com/virusinfo/encyclopedia/descriptions/qaz.htm

Art


Chip

Aug 29, 2000, 3:00:00 AM
On Tue, 29 Aug 2000 12:19:39 -0400, Jeffrey A. Setaro
<jase...@sprynet.com> wrote:

>> I've got a two PC LAN - two NIC's and a crossover cable and I use
>> Notepad quite often from both systems to edit HTML etc for eBay ads,
>> what have you. Lately I've been getting notices from Zone Alarm
>> asking if I want to allow Notepad.exe to access the internet or to
>> access the local network ? I also notice my Floppy and CD Rom being
>> accessed on occasion without any input from myself ? I suspect some of
>> the CD-Rom / Floppy accesses are networking issues but am curious
>> about Notepad ?
>>
>

>Sounds like the W32/QAZ worm. See <http://www.f-secure.com/v-descs/qaz.htm>
>for details.
>
>> TIA
>>
>
>You're welcome. HTH.

Thanks !

In the meantime I got curious and looked at notepad.exe and he had
chubbed out to about 118K instead of about 52K or so, so I deleted it
and began sniffing around and see that it's some kind of worm/trojan.
Thanks again and it was *great* that ZA alerted me or I'd not have
known to ask questions for sometime !!

Thanks again !

Chip

Chip

Aug 29, 2000, 3:00:00 AM
On Tue, 29 Aug 2000 16:41:02 GMT, art...@mindsprung.com (Art Kopp)
wrote:

>On Tue, 29 Aug 2000 16:12:16 GMT, chips...@hotmail.com (Chip) wrote:
>

>>I've got a two PC LAN - two NIC's and a crossover cable and I use
>>Notepad quite often from both systems to edit HTML etc for eBay ads,
>>what have you. Lately I've been getting notices from Zone Alarm
>>asking if I want to allow Notepad.exe to access the internet or to
>>access the local network ? I also notice my Floppy and CD Rom being
>>accessed on occasion without any input from myself ? I suspect some of
>>the CD-Rom / Floppy accesses are networking issues but am curious
>>about Notepad ?
>

>Ok, I just checked alt.comp.virus and the subject line is:
>URGENT: Notepad Virus ???
>
>It is actually the QAZ Trojan and is not a virus. Look here for just
>one description of many you can find:
>
> http://www.cai.com/virusinfo/encyclopedia/descriptions/qaz.htm
>
>Art

Thanks Art !! As I mentioned in a prior follow up I got suspicious of
Notepad.exe and deleted it but now I can further remove all traces.

Thanks Again !!

Regards

Chip

Eric G

Aug 29, 2000, 3:00:00 AM
You definitely got the worm trojan. Both McAfee and Symantec AV sites have
information regarding this virus. It also installs a back door on your
computer and leaves a port open, to listen for instructions from the client.
I posted a similar notice on the shieldsup newsgroup at grc.com (100%
security inclined site). Zone Alarm caught this for me too, last week !!!
You will also have to remove an entry from the registry yourself as well and
manually get rid of notepad.exe (the virus file; the registry also refers to
the qazwsx file, hence the qaz worm name).
Good luck. It is easy to find info at the two virus sites.

Chip <chips...@hotmail.com> wrote in message
news:39addf57...@news.usol.com...


> I've got a two PC LAN - two NIC's and a crossover cable and I use
> Notepad quite often from both systems to edit HTML etc for eBay ads,
> what have you. Lately I've been getting notices from Zone Alarm
> asking if I want to allow Notepad.exe to access the internet or to
> access the local network ? I also notice my Floppy and CD Rom being
> accessed on occasion without any input from myself ? I suspect some of
> the CD-Rom / Floppy accesses are networking issues but am curious
> about Notepad ?
>

> TIA
>
> Chip

Matt Chiglinsky

Aug 29, 2000, 10:05:25 PM
On Tue, 29 Aug 2000 18:21:13 GMT, Chip <chips...@hotmail.com> wrote:
>Thanks !
>
>In the meantime I got curious and looked at notepad.exe and he had
>chubbed out to about 118K instead of about 52K or so, so I deleted it
>and began sniffing around and see that it's some kind of worm/trojan.
>Thanks again and it was *great* that ZA alerted me or I'd not have
>known to ask questions for sometime !!


Just wait until someone becomes smart enough to put code in their
trojan to kill Zone Alarm when it's running. At that point you're
gonna need something better, like dated CRC or MD5 records of all your
files. Zone Alarm is "feel good" security. Someone pointed this out
to me a while ago. Win98 software firewalls can't be relied upon to
block trojans.

--

Matt S. Chiglinsky
MSC (no, those are my initials)
lo...@TheHeaderOfThisMessage.com
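
Added example, not part of any poster's message: a minimal dated file-record baseline of the kind the post above suggests, using SHA-256 in place of the CRC or MD5 it mentions. The function names, the JSON manifest layout and the sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

def snapshot(root):
    """Map each file under root to its size and SHA-256 digest."""
    records = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            records[os.path.relpath(full, root)] = {
                "size": os.path.getsize(full), "sha256": digest.hexdigest()}
    return records

def save_baseline(root, manifest_path):
    """Write a dated manifest; keep it outside the tree it describes."""
    with open(manifest_path, "w") as fh:
        json.dump({"taken": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                   "files": snapshot(root)}, fh, indent=2)

def compare(root, manifest_path):
    """Report files changed, added or removed since the manifest was taken."""
    with open(manifest_path) as fh:
        baseline = json.load(fh)["files"]
    current = snapshot(root)
    changed = sorted((p, baseline[p]["size"], rec["size"])
                     for p, rec in current.items()
                     if p in baseline and rec != baseline[p])
    return {"changed": changed,
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}

def demo():
    """Constructed sample: a 52 KB file replaced by a 118 KB one, plus a new file."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        target = Path(root, "notepad.exe")
        manifest = os.path.join(store, "baseline.json")
        target.write_bytes(b"\x00" * (52 * 1024))
        save_baseline(root, manifest)
        target.write_bytes(b"\x01" * (118 * 1024))
        Path(root, "unexpected.dat").write_bytes(b"constructed")
        return compare(root, manifest)
```

Store the manifest on media the monitored machine cannot write to, since a record kept beside the files it describes can be rewritten along with them.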

Art Kopp

Aug 30, 2000, 3:00:00 AM
On 30 Aug 2000 02:05:25 GMT, chig...@mlb.acad.ece.udel.edu (Matt
Chiglinsky) wrote:

>Just wait until someone becomes smart enough to put code in their
>trojan to kill Zone Alarm when it's running. At that point you're
>gonna need something better, like dated CRC or MD5 records of all your
>files. Zone Alarm is "feel good" security. Someone pointed this out
>to me a while ago. Win98 software firewalls can't be relied upon to
>block trojans.

Certain popular antivirus products have been targets to be disabled by
some malware as well. They are also quite imperfect and cannot be
relied upon to protect you from yourself. Only following safe hex
rules and having backups will gain you a large measure of security.

Third party products are less likely to be targeted, BTW, than M$
products, and look at the many firewalls available to be targeted. I'd
be much more concerned if it was a M$ firewall :)

I wouldn't be without both a couple of good antivirus scanners and a
good firewall like Zone Alarm. It is a simple matter to bop over to
Steve Gibson's site from time to time and make sure ZA is still
working ok. It is all a matter of reducing the chances of infection
with these products. But over-reliance on them is naive, and I think
that is the point.

Also, I would encourage certain people to use a product like ZA just
to learn about possible 'benign' apps on their machine trying to
access the internet. That alone is worth it IMO. I don't want anything
doing that without my knowledge and permission.

Art


Shawn

Aug 31, 2000, 10:28:05 AM
On 30 Aug 2000 02:05:25 GMT, chig...@mlb.acad.ece.udel.edu (Matt
Chiglinsky) wrote:


>Just wait until someone becomes smart enough to put code in their
>trojan to kill Zone Alarm when it's running. At that point you're
>gonna need something better, like dated CRC or MD5 records of all your
>files. Zone Alarm is "feel good" security. Someone pointed this out
>to me a while ago. Win98 software firewalls can't be relied upon to
>block trojans.

How about Moosoft Cleaner?
Shawn
shaw...@netscape.net
