What Is the QAZ Network Worm?

 By Charles Joseph | Cybersecurity Researcher
 Published on August 3rd, 2023
This post was updated on February 29th, 2024

QAZ is a type of computer worm that’s known for its ability to spread quickly and steal user account details from the infected system. It enters the system disguised as a harmless program, often through email attachments, software downloads, or via network connections. When executed, the worm multiplies and infects other systems, often leading to performance slowdowns or crashes.

Technical Overview

QAZ is a network worm with backdoor capabilities that spreads on Win32 systems. It was first reported “in the wild” in July and August 2000. The worm is a Win32 executable file approximately 120K in size, written in MS Visual C++.

Upon executing the infected file, the worm adds itself to the Windows registry’s auto-start section:

KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startIE
VALUE: “filename qazwsx.hsq”

In the value above, “filename” refers to the name of the worm’s file, usually “Notepad.exe”. This entry ensures the worm is activated whenever Windows boots up.

After activation, the worm resides in the system’s memory as an application, visible in the task list, and initiates two processes: propagation and backdoor.

The propagation process involves disseminating a copy of the worm across the local network to drives that are set to allow reading/writing. The worm scans network resources for the “WIN” string in their names. If this string is detected (which usually indicates the Windows directory on a remote computer), the worm locates NOTEPAD.EXE, renames it as NOTE.COM, and deposits its copy as NOTEPAD.EXE.

As a result, on the affected machine the worm’s code takes the place of NOTEPAD.EXE, while the original Notepad survives as NOTE.COM, which the worm launches after its own processes are complete. The worm becomes active when a user opens Notepad on the affected machine.
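The two host artifacts described above (the startIE Run value carrying "qazwsx.hsq", and NOTE.COM sitting beside NOTEPAD.EXE) can be checked for during triage. The script below is an added example, not code from the original article; the sample `reg query` text, the file list, and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the article text above.
RUN_VALUE_NAME = "startie"
RUN_DATA_MARKER = "qazwsx.hsq"

# Constructed sample: text in the layout `reg query` prints for the Run key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    startIE    REG_SZ    C:\WINDOWS\Notepad.exe qazwsx.hsq
    Updater    REG_SZ    C:\Vendor\updater.exe /background
"""

# Constructed sample: file paths collected from local and shared drives.
SAMPLE_FILES = [
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"C:\WINDOWS\NOTE.COM",
    r"\\FILESRV\C\WINDOWS\notepad.exe",
    r"\\FILESRV\C\WINDOWS\note.com",
    r"D:\Tools\notepad.exe",
]

REG_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_values(reg_text):
    """Return {value_name: data} from `reg query` style text."""
    matches = (REG_LINE.match(line) for line in reg_text.splitlines())
    return {m.group("name"): m.group("data") for m in matches if m}

def check_run_key(reg_text):
    """Flag Run values matching the persistence entry described above."""
    return [(name, data) for name, data in parse_run_values(reg_text).items()
            if name.lower() == RUN_VALUE_NAME or RUN_DATA_MARKER in data.lower()]

def check_notepad_swap(paths):
    """Flag directories that hold both NOTEPAD.EXE and NOTE.COM."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    return sorted(d for d, names in by_dir.items()
                  if {"notepad.exe", "note.com"} <= names)

if __name__ == "__main__":
    print(check_run_key(SAMPLE_REG_QUERY))
    print(check_notepad_swap(SAMPLE_FILES))
```

A directory flagged by the second check still needs the NOTEPAD.EXE file itself examined, since the file names alone do not prove which binary is the worm.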

The worm’s backdoor routine is relatively straightforward. It only supports a few commands: Run (to execute a specified file), Upload (to generate a file on the affected machine), and Quit (to stop the worm processes). While there are only three commands, these are sufficient to install a more robust backdoor or any other Trojan/virus on the system.

Finally, the worm sends a notification, possibly to its author. This involves an e-mail sent to a particular address in China containing the IP address(es) of the infected machine.

QAZ Examples

1. Email Threat

A common way that the QAZ worm infects a computer system is through seemingly innocuous email attachments. It’s often a bogus email with an impressive-looking attachment labeled as “urgent” or “must-see.” But lurking in this attachment is the QAZ worm.

Once the user downloads and opens the attachment, the QAZ worm gets activated. Immediately, it starts to spread its tentacles far and wide, infecting other files and programs on their system. This not only damages the system files but also slows down their operations, often leaving the user confused as to the cause of their sudden computer troubles.

Moreover, the worm has the malicious ability to steal user account details, thereby compromising personal security. It’s an example that underlines the importance of not clicking on or downloading attachments from any suspicious or unknown emails.

2. Gaming Application

Another way the QAZ worm can wreak havoc is through gaming applications, particularly those sourced from untrustworthy websites. Suppose a gamer tries to save money by downloading a free version of a popular game from an unsafe platform. Unbeknownst to them, the QAZ worm is bundled with the game download.

Once the game is installed, the QAZ worm is also activated alongside it. It now begins to perform its malicious activities. It starts gathering user data like personal information and gaming credentials, which it silently transmits back to the cyber attacker controlling it.

Over time, the gamer may start noticing odd behavior in their computer system, such as frequent crashes, unusually slow response times, or random pop-up messages. The QAZ worm quietly running in the background is the source of these anomalies, demonstrating the risks of downloading software from untrusted sources.

3. Infected Network

The QAZ worm’s capacity to infiltrate and infect large systems becomes evident when it enters a company’s network. This typically happens because of an error by an employee, who may open an infected file on the shared network, unintentionally activating the QAZ worm.

The worm is then set loose within the network, propagating quickly and affecting all devices connected to it. This progressive infection may result in network congestion, frequent system freezing, or even sudden, unexplained system reboots. The affected computers can experience significant slowdowns, disrupting important work processes within the company.

In addition to these visible issues, the QAZ worm also silently gathers business-critical information. It can retrieve confidential company data and pass it on to the cyber criminals controlling it. This makes a solid case for why businesses need to invest in robust network security practices and educate their employees about the potential risks of unknown files and emails.


The QAZ worm illustrates the subtle yet potent threat that cyber attackers can pose to individuals and businesses. It’s essential to exercise caution with email attachments, software downloads, and network file sharing, along with maintaining up-to-date security measures to mitigate such risks.

Key Takeaways

  • QAZ is a worm that infects computer systems, usually entering through email attachments or downloaded software.
  • Once active on a system, the QAZ worm can infect files, slow down operations, and steal user account information.
  • Unsuspecting users often get tricked into downloading the QAZ worm, thinking they’re getting a harmless file or a useful program.
  • This worm can cause significant damage when it enters a network, affecting all connected devices and potentially stealing confidential data.
  • Preventive measures, like not clicking on suspicious emails, avoiding software from untrusted sources, and maintaining up-to-date security systems, can help guard against the QAZ worm.

Related Questions

1. What does the QAZ worm do after entering a computer system?

Once active, the QAZ worm spreads itself, infecting other files and programs. It can slow down system operations, damage files, and retrieve user account details, posing a serious threat to personal or company data.

2. How can I protect my computer from the QAZ worm?

Keeping your system’s security measures updated, not clicking on suspicious emails or attachments, and only downloading software from trusted sources can help protect your system from threats like the QAZ worm.

3. How does the QAZ worm spread?

The QAZ worm uses networks to propagate. If it enters a network, it can quickly infect all devices connected to it.

4. What happens if the QAZ worm infects a business network?

If a business network gets infected by the QAZ worm, it can lead to network congestion, system freezes, and sudden reboots. In addition, it has the potential to steal and transmit confidential data, leading to severe security breaches.

5. Is the QAZ worm detectable by anti-virus software?

Yes, many anti-virus programs have the capability to detect and remove the QAZ worm. However, it’s crucial to keep the anti-virus software up-to-date as cyber threats constantly evolve.
