Thread: Possible Trojan ??????

  1. #1
    Guest


    I'm new here, so I didn't know where to post this so sorry if this is the wrong place.
    Anyway, I just installed Zone Alarm 2 (since it is free for personal use) and when I did I got very strange results: about every five minutes notepad tries to access the internet at IP 202.106.185.107:25 (this is in APNIC, registered to CHINANET Beijing province network; already checked). So I updated my McAfee to the latest DATs and engine but it found nothing. I spent the money and purchased Norton as well as a second check and updated it as well, and still nothing. So as far as the two major virus programs are concerned my system is clean, but I don't believe it.
    I then got to thinking: would there be a way to write a program to trap any calls to notepad, and see what was calling it and what was being sent? Right now I have notepad disabled from connecting to the internet, and warning me each time it does, but I cannot get it to show me what it is trying to send. I think that this might be possible to capture and show with an API call, but I am not an expert at VB by any means and less knowledgeable about the API.

    Thanks in advance for any info or hints.

  2. #2
    Guest

    Well...

    Hmm, strange..... definitely strange... it might be

    I have ZoneAlarm as well... and what I think it is: see, ZoneAlarm has an option to automatically log all the "suspicious activities" that might be going on to notepad. That might be it.

  3. #3
    Guest

    One more thing..

    To find out if it is a trojan that is trying to connect to it's server..you might want to download "blackICE" from

    http://www.networkice.com

    it has a built in feature that tells you if someone has tried to scan a certain port for a trojan.

  4. #4
    Guest
    Thanks for the BlackICE tip, checking it now. I don't think it is the logging thing because I have it log everything right now (paranoia, maybe) and the log file and notepad IP access aren't at the same time. BTW here is a copy of the notepad access log (PE,2000/09/14,06:53:24 -6:00 GMT,NOTEPAD.EXE,202.106.185.107:25,N/A). I really have tried to think about this one before bugging everybody; thanks again though.
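    The log line quoted above carries enough to do the triage the poster is after without any API hooking: group the firewall's outbound records by program and destination, flag any program that is not a mail client yet talks to port 25, and check whether its connections land on a fixed timer (the "every five minutes" pattern is a beacon, not a user action). The script below is an added example, not code from the thread; the field order (record type, date, time with zone, program, remote ip:port, extra) is assumed from that single quoted line rather than taken from ZoneAlarm documentation, the mail-client allowlist is illustrative, and the log is constructed in that shape.

```python
"""Triage personal-firewall program-access logs: find non-mail programs that
speak SMTP and report whether they do so on a regular timer (a beacon).
Added example on constructed data in the shape of the log line quoted above."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log. Field meaning is an assumption inferred from the one
# line quoted in the thread: type, date, time+zone, program, remote ip:port, extra.
SAMPLE_LOG = """\
PE,2000/09/14,06:53:24 -6:00 GMT,NOTEPAD.EXE,202.106.185.107:25,N/A
PE,2000/09/14,06:55:10 -6:00 GMT,IEXPLORE.EXE,209.185.108.147:80,N/A
PE,2000/09/14,06:58:24 -6:00 GMT,NOTEPAD.EXE,202.106.185.107:25,N/A
PE,2000/09/14,07:01:02 -6:00 GMT,OUTLOOK.EXE,10.0.0.5:25,N/A
PE,2000/09/14,07:03:24 -6:00 GMT,NOTEPAD.EXE,202.106.185.107:25,N/A
PE,2000/09/14,07:08:24 -6:00 GMT,NOTEPAD.EXE,202.106.185.107:25,N/A
"""

# Illustrative allowlist of programs that legitimately send mail over port 25.
MAIL_CLIENTS = {"OUTLOOK.EXE", "MSIMN.EXE", "EUDORA.EXE"}


def parse_line(line: str) -> dict:
    """Split one record into its fields (field order assumed, see above)."""
    kind, date, time_zone, program, remote, _extra = line.strip().split(",", 5)
    clock = time_zone.split()[0]            # drop the "-6:00 GMT" zone suffix
    host, port = remote.rsplit(":", 1)
    return {
        "kind": kind,
        "ts": datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S"),
        "program": program.upper(),
        "host": host,
        "port": int(port),
    }


def beacon_period(timestamps, tolerance: float = 0.2):
    """Return the period in seconds if the gaps between events are all within
    `tolerance` of their median (i.e. a timer is driving them), else None."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    typical = median(gaps)
    if typical <= 0:
        return None
    if all(abs(g - typical) <= tolerance * typical for g in gaps):
        return int(typical)
    return None


def find_suspicious(log_text: str) -> dict:
    """Group outbound port-25 connections from non-mail programs by
    (program, host, port) and annotate each group with its beacon period."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["port"] != 25 or rec["program"] in MAIL_CLIENTS:
            continue
        by_key[(rec["program"], rec["host"], rec["port"])].append(rec["ts"])
    return {
        key: {"count": len(ts), "period_s": beacon_period(ts)}
        for key, ts in by_key.items()
    }


if __name__ == "__main__":
    for (program, host, port), info in find_suspicious(SAMPLE_LOG).items():
        cadence = f"every {info['period_s']}s" if info["period_s"] else "irregular"
        print(f"{program} -> {host}:{port}: {info['count']} connections, {cadence}")
```

    Run against the constructed log this reports only NOTEPAD.EXE, four connections to 202.106.185.107:25 at a steady 300-second cadence; the browser on port 80 and the mail client on port 25 are ignored. A regular period from an editor that has no reason to send mail is the signal to pull, independent of whether a scanner recognises the binary.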

  5. #5
    Guest

    ?

    Have you checked your registry? In the Run/RunOnce areas?

    Because if there is a trojan, it might be there.

  6. #6
    CyberSurfer (Hyperactive Member; Join Date: Aug 2000; Location: Old London Town; Posts: 425)
    Zone Alarm is actually a very dangerous program. It holds open the TCP/IP port and tells you if someone attempts to pass through. Zone Alarm does NOT prevent people from doing this effectively, as I proved with my friend, when we tested Back Orifice 2K with Zone Alarm and GOT IN!!

  7. #7
    Guest


    Thanks softwarev2.0, I did find something in the registry, but I don't know what it is yet. Under ....\win..\run there was an entry for "startIE c:\windows\notepad.exe qazwsx.hsg", but as far as I can tell those aren't switches for notepad, and I also can't find that as a file. For now I am going to take that entry out of the registry, and that should prevent it from running.

    CyberSurfer, I don't understand what you mean about leaving the port open? Does that mean that sets the port out there like a target to try and prevent somebody from coming in, or that it will allow things out of the system?
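    The Run-key check suggested two posts up, and the entry found here, can be put into a small script instead of eyeballing regedit: export the Run and RunOnce keys, parse the `"name"="command"` lines, and flag any command whose image is a document viewer (an editor has no business starting at boot) or whose argument is a file type that viewer would never open. This is an added example on constructed data, not code from the thread or from NAI; the export mirrors the entry quoted in the post, the viewer table and the two heuristics are assumptions, and nothing here identifies the file, it only ranks autostart entries for a human to look at.

```python
"""Flag suspicious autostart entries in an exported Run/RunOnce key.
Added example; the .reg text below is constructed and mirrors the entry
quoted in the thread ("startIE" launching notepad.exe with qazwsx.hsg)."""
import ntpath
import re
import shlex

# Constructed export in the shape regedit writes (backslashes doubled in values).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"startIE"="C:\\WINDOWS\\notepad.exe qazwsx.hsg"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
'''

# Assumed table: document viewers and the file types they normally open.
VIEWERS = {
    "notepad.exe": {".txt", ".log", ".ini"},
    "wordpad.exe": {".rtf", ".doc", ".txt"},
    "write.exe": {".wri", ".rtf"},
}

KEY_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text: str) -> list:
    """Return [{"key", "name", "command"}] for every string value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            name, value = m.group(1), m.group(2).replace("\\\\", "\\")
            entries.append({"key": key, "name": name, "command": value})
    return entries


def assess(entry: dict) -> list:
    """Heuristic reasons an autostart entry deserves a look (assumed rules)."""
    reasons = []
    parts = shlex.split(entry["command"], posix=False)   # keep Windows backslashes
    if not parts:
        return reasons
    image = ntpath.basename(parts[0].strip('"')).lower()
    if image in VIEWERS:
        reasons.append(f"{image} is a document viewer; it should not autostart")
        for arg in parts[1:]:
            ext = ntpath.splitext(arg.strip('"'))[1].lower()
            if ext not in VIEWERS[image]:
                reasons.append(f"argument {arg!r} is not a file type {image} normally opens")
    return reasons


def find_suspicious_autoruns(text: str) -> list:
    """Entries from the export that trip at least one heuristic."""
    flagged = []
    for entry in parse_reg(text):
        reasons = assess(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for e in find_suspicious_autoruns(SAMPLE_REG):
        print(f"{e['key']}\\{e['name']} = {e['command']}")
        for r in e["reasons"]:
            print(f"    - {r}")
```

    On the constructed export only the "startIE" value is flagged, for both reasons; scanregw.exe and SysTray.Exe pass. On a live machine you would read the keys with the winreg module rather than parse an export, and treat a hit as a pointer to the file to examine, since the value name gives no hint of what the argument file is.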

  8. #8
    New Member (Join Date: Aug 2000; Posts: 10)

    Yes, it is a virus/worm: W32/QAZ.worm

    Below is a link to a complete description from NAI

    http://vil.nai.com/villib/dispVirus.asp?virus_k=98775

  9. #9
    Guest


    Thanks, got it, killed it. Don't know why neither of them found it the first time. But I am glad to be rid of it.


    [Edited by Wraith on 09-15-2000 at 09:59 AM]

  10. #10
    New Member (Join Date: Jul 2000; Location: Ontario, Canada; Posts: 7)

    Actually, CyberSurfer...

    It's not. You may have been using Low/Medium security. ZA specifically tells you that the ports are still open...whereas Stealth mode (High) security actually hides them ('closes them') so people cannot access them. You should also set Local Security to High, as well.
    Yoinkster
