What Is the QAZ Network Worm? - Threat Picture (2024)

By Charles Joseph | Cybersecurity Researcher

Published on August 3rd, 2023

This post was updated on February 29th, 2024

QAZ is a type of computer worm that’s known for its ability to spread quickly and steal user account details from the infected system. It enters the system disguised as a harmless program, often through email attachments, software downloads, or via network connections. When executed, the worm multiplies and infects other systems, often leading to performance slowdowns or crashes.

Technical Overview

QAZ is a network worm with backdoor capabilities that spreads on Win32 systems. It was first reported “in the wild” in July and August 2000. The worm is a Win32 executable file approximately 120K in size, written in MS Visual C++.

Upon executing the infected file, the worm adds itself to the Windows registry’s auto-start section:

KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startIE
VALUE: “filename qazwsx.hsq”

In the value above, “filename” refers to the name of the worm’s file, usually “Notepad.exe”. This entry ensures the worm is activated whenever Windows boots up.

After activation, the worm resides in the system’s memory as an application, visible in the task list, and initiates two processes: propagation and backdoor.

The propagation process involves disseminating a copy of the worm across the local network to drives that are set to allow reading/writing. The worm scans network resources for the “WIN” string in their names. If this string is detected (which usually indicates the Windows directory on a remote computer), the worm locates NOTEPAD.EXE, renames it as NOTE.COM, and deposits its copy as NOTEPAD.EXE.

Consequently, on the affected machine the original NOTEPAD.EXE survives as NOTE.COM, which the worm uses to launch the original Notepad after its own processes are complete, while the worm’s code takes the place of the NOTEPAD.EXE file. The worm becomes active when a user opens Notepad on the affected machine.

The worm’s backdoor routine is relatively straightforward. It only supports a few commands: Run (to execute a specified file), Upload (to generate a file on the affected machine), and Quit (to stop the worm processes). While there are only three commands, these are sufficient to install a more robust backdoor or any other Trojan/virus on the system.

Finally, the worm sends a notification, possibly to its author. This involves an e-mail sent to a particular address in China containing the IP address(es) of the infected machine.
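The two host artifacts described above (the startIE auto-start entry pointing at qazwsx.hsq, and NOTE.COM sitting beside NOTEPAD.EXE) can be checked on collected triage data. The following is an added example, not code from the original article; it assumes startIE is a value under the Run key as printed by `reg query`, and the sample registry output and file list are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One value line of `reg query` output: 4-space indent, then name, type, data.
REG_VALUE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def run_key_findings(reg_query_output):
    """Return (name, data) for Run values named startIE or whose data ends in qazwsx.hsq."""
    findings = []
    for line in reg_query_output.splitlines():
        m = REG_VALUE.match(line)
        if not m:
            continue  # key header or blank line
        name = m["name"].strip()
        data = m["data"].strip().strip('"')
        if name.lower() == "startie" or data.lower().endswith("qazwsx.hsq"):
            findings.append((name, data))
    return findings

def notepad_swap_findings(paths):
    """Return directories that hold both NOTEPAD.EXE and NOTE.COM (the renamed original)."""
    names_by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        names_by_dir[str(wp.parent).lower()].add(wp.name.lower())
    wanted = {"notepad.exe", "note.com"}
    return sorted(d for d, names in names_by_dir.items() if wanted <= names)

# Constructed sample input (not taken from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    startIE    REG_SZ    C:\WINDOWS\Notepad.exe qazwsx.hsq
"""
SAMPLE_FILES = [r"C:\WINDOWS\NOTEPAD.EXE", r"C:\WINDOWS\NOTE.COM", r"D:\TOOLS\NOTEPAD.EXE"]

if __name__ == "__main__":
    for name, data in run_key_findings(SAMPLE_REG):
        print(f"suspicious Run value: {name} = {data}")
    for directory in notepad_swap_findings(SAMPLE_FILES):
        print(f"NOTE.COM found next to NOTEPAD.EXE in {directory}")
```

A hit from either check is a lead to confirm with an up-to-date anti-virus scan of the flagged NOTEPAD.EXE, not proof of infection on its own.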

QAZ Examples

1. Email Threat

A common way that the QAZ worm infects a computer system is through seemingly innocuous email attachments. It’s often a bogus email with an impressive-looking attachment labeled as “urgent” or “must-see.” But lurking in this attachment is the QAZ worm.

Once the user downloads and opens the attachment, the QAZ worm gets activated. Immediately, it starts to spread its tentacles far and wide, infecting other files and programs on their system. This not only damages the system files but also slows down their operations, often leaving the user confused as to the cause of their sudden computer troubles.

Moreover, the worm has the malicious ability to steal user account details, thereby compromising personal security. It’s an example that underlines the importance of not clicking on or downloading attachments from any suspicious or unknown emails.

2. Gaming Application

Another way the QAZ worm can wreak havoc is through gaming applications, particularly those sourced from untrustworthy websites. Suppose a gamer tries to save money by downloading a free version of a popular game from an unsafe platform. Unbeknownst to them, the QAZ worm is bundled with the game download.

Once the game is installed, the QAZ worm is also activated alongside it. It now begins to perform its malicious activities. It starts gathering user data like personal information and gaming credentials, which it silently transmits back to the cyber attacker controlling it.

Over time, the gamer may start noticing odd behavior in their computer system, such as frequent crashes, unusually slow response times, or random pop-up messages. The QAZ worm quietly running in the background is the source of these anomalies, demonstrating the risks of downloading software from untrusted sources.

3. Infected Network

The QAZ worm’s capacity to infiltrate and infect large systems becomes evident when it enters a company’s network. This typically happens because of an error by an employee, who may open an infected file on the shared network, unintentionally activating the QAZ worm.

The worm is then set loose within the network, propagating quickly and affecting all devices connected to it. This progressive infection may result in network congestion, frequent system freezing, or even sudden, unexplained system reboots. The affected computers can experience significant slowdowns, disrupting important work processes within the company.

In addition to these visible issues, the QAZ worm also silently gathers business-critical information. It can retrieve confidential company data and pass it on to the cyber criminals controlling it. This makes a solid case for why businesses need to invest in robust network security practices and educate their employees about the potential risks of unknown files and emails.


The QAZ worm illustrates the subtle yet potent threat that cyber attackers can pose to individuals and businesses. It’s essential to exercise caution with email attachments, software downloads, and network file sharing, along with maintaining up-to-date security measures to mitigate such risks.

Key Takeaways

  • QAZ is a worm that infects computer systems, usually entering through email attachments or downloaded software.
  • Once active on a system, the QAZ worm can infect files, slow down operations, and steal user account information.
  • Unsuspecting users often get tricked into downloading the QAZ worm, thinking they’re getting a harmless file or a useful program.
  • This worm can cause significant damage when it enters a network, affecting all connected devices and potentially stealing confidential data.
  • Preventive measures, like not clicking on suspicious emails, avoiding software from untrusted sources, and maintaining up-to-date security systems, can help guard against the QAZ worm.

Related Questions

1. What does the QAZ worm do after entering a computer system?

Once active, the QAZ worm spreads itself, infecting other files and programs. It can slow down system operations, damage files, and retrieve user account details, posing a serious threat to personal or company data.

2. How can I protect my computer from the QAZ worm?

Keeping your system’s security measures updated, not clicking on suspicious emails or attachments, and only downloading software from trusted sources can help protect your system from threats like the QAZ worm.

3. How does the QAZ worm spread?

The QAZ worm uses networks to propagate. If it enters a network, it can quickly infect all devices connected to it.

4. What happens if the QAZ worm infects a business network?

If a business network gets infected by the QAZ worm, it can lead to network congestion, system freezes, and sudden reboots. In addition, it has the potential to steal and transmit confidential data, leading to severe security breaches.

5. Is the QAZ worm detectable by anti-virus software?

Yes, many anti-virus programs have the capability to detect and remove the QAZ worm. However, it’s crucial to keep the anti-virus software up-to-date as cyber threats constantly evolve.

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional
