Aliases: W32/Qeds@MM, Worm@W32.Qeds
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 13 Dec 2004
Damage: Low

Characteristics: W32.Qeds@mm is a mass-mailing worm. It sends a copy of itself as an attachment to the email addresses that it gathers from the files on a compromised computer. The worm sends an email using random email addresses. The subject of the email is written in Chinese characters.

More details about W32.Qeds@mm

The mass mailing worm W32.Qeds@mm copies itself as an attachment in an email. It sends itself to email addresses found on a compromised computer. When executed, the worm creates a copy of itself using the filename Inetdbs.exe. It then adds values to the registry to make sure it runs every Windows start up. It downloads zip files and OCX files from the website domains: tenship.com and freehost23.websamba.com. It then attempts to download a copy of Backdoor.PowerSpider.B from the above domains. It sends a copy of itself in an attachment to email addresses found in the compromised computer. The email uses random email addresses. Its subject and message are written in Chinese characters. The attachment is a ZIP file with a filename written in Chinese characters as well.

The W32.Qeds@mm application is also capable of making some changes on the web browser’s settings. This includes changing the error page, home page and search page. The user may also be redirected to unsolicited websites when a URL (Uniform Resource Locator) is mistyped. Links may be added inside the Favorites and Bookmarks folder. Clicking on these links may lead the user to websites that are embedded with illicit codes. The changes made by the software may be difficult to revert to its original settings.