Signature Detail

Short Name	TROJAN:QAZ:TCP139-SCAN
Severity	High
Recommended	No
Recommended Action	Drop
Category	TROJAN
Keywords	QAZ
Release Date	2003/04/22
Update Number	1213
Supported Platforms	idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

TROJAN: QAZ TCP/139 Scan

This signature detects TCP packets sent from a remote system to local server port 139. This can indicate an attacker is attempting to scan the network for the Trojan/Worm QAZ. The QAZ Trojan/Worm, famous for infecting the Microsoft network October 2000, allows attackers to access data and gain control over some functions on remote Microsoft Windows systems.

Extended Description

Qaz is a worm. It spreads via NetBIOS, modifies the registry, changes the Notepad executable file, and opens a backdoor for further attacks.

References

CVE: CVE-1999-0660
URL: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
URL: http://vil.nai.com/vil/content/v_98775.htm
URL: http://www.f-secure.com/v-descs/qaz.shtml

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

TROJAN: QAZ TCP/139 Scan

Extended Description

References