Hey, that's just what I heard on MS-NBC. Also, if you read the text I included, the Feb article is actually a set of recommendations on an older, similar case.

-----Original Message-----
From: Eduardo Carriles [mailto:eduardo.carriles@teleline.es]
Sent: Friday, October 27, 2000 4:26 PM
To: SuSE Security Mail List
Subject: Re: [suse-security] Microsoft Hacked!!!!!

Hi Mike and friends all,

Greets, [read below...]

---- Mike Johnson wrote:
It was the Qaz.worm virus. We got hit a couple of weeks ago because the company brass likes to open every single email attachment they get....
I've been busy changing passwords all week.
Here's what CERT said about it:
QAZ Worm

The QAZ Worm is a trojan that has been spreading on the Internet for several weeks. This worm exploits unprotected windows networking shares similar to the network.vbs worm as discussed in CERT Incident Note IN-2000-02

IN-2000-02, Exploitation of Unprotected Windows Networking Shares

The QAZ worm searches for shared drives where \\Windows\Notepad.exe is available. Once the worm finds an unprotected share with notepad.exe available, it copies itself to the machine and modifies the registry to insure that it is run every time Windows is restarted. When the machine is rebooted the worm renames the original notepad.exe to note.com and copies itself in place as notepad.exe.

Users are encouraged to follow the advice in IN-2000-02 for securing Windows networking shares.

Additional information about these viruses and others can be found by visiting the sites listed on our Computer Virus Resources page.
I found that it didn't necessarily need a windows share with notepad available.
Come on, no one will believe that $MS was caught on this. It is stupid and not new, as you can guess by CERT's IN-2000-02 [feb2000_is_old(tm)] This was much more extensive. [stolen sources included, humans ahead] not a blind virus. They caught them dead. Just my 2 cents on it. =:`8) Good try with your [QAZ Worm], but it won't work on them, they ain't stupid. (thought...)
- Mike Johnson
-----Original Message----- From: Eduardo Carriles [mailto:eduardo.carriles@teleline.es] [snip...]
--
HTH
Best regards,
Eduardo Carriles
[-- Better a smile than a flame --]
(Long time SuSE-Linux [preferred distro] user).
[-- Se me nota mucho? -- Notices me much?]
[-- Have a lot of fun...]