GCIH Question #171: Real Exam Question with Answer & Explanation
The correct answer is B: Qaz. The Qaz Trojan is uniquely identified by its behavior of renaming Notepad.exe to Note.com, replacing it with itself, and opening a backdoor on TCP port 7597.
Malware Analysis & Advanced Persistent Threats
Question
John works as a Network Administrator for We-are-secure Inc. He finds that TCP port 7597 of the We-are-secure server is open. He suspects that it may be open due to a Trojan installed on the server. He presents a report to the company describing the symptoms of the Trojan. A summary of the report is given below: Once this Trojan has been installed on the computer, it searches for Notepad.exe, renames it Note.com, and then copies itself to the computer as Notepad.exe. Each time Notepad.exe is executed, the Trojan executes and calls the original Notepad to avoid being noticed. Which of the following Trojans has the symptoms described above?
Options
- A. NetBus
- B. Qaz
- C. eBlaster
- D. SubSeven
Explanation
Common mistakes:
- A. NetBus is a remote access Trojan that communicates on TCP ports 12345 and 12346 and does not perform the Notepad.exe hijacking or port 7597 behavior described.
- C. eBlaster is commercial monitoring and spyware software used to log user activity; it does not rename or replace system executables like Notepad.exe and does not use port 7597.
- D. SubSeven (Sub7) is a remote administration Trojan that typically operates on port 27374 and does not exhibit the Notepad.exe renaming and self-substitution behavior described in the scenario.
Concept tested: Qaz Trojan identification by behavior and port.
Topics
Qaz Trojan, Trojan identification, notepad.exe, port 7597