W32/Naco.a@MM

Type
Virus
SubType
E-mail worm
Discovery Date
05/19/2003
Length
29,184 bytes (UPX packed)
Minimum DAT
4267 (05/28/2003)
Updated DAT
4684 (01/27/2006)
Minimum Engine
5.1.00
Description Added
05/19/2003
Description Modified
05/26/2003 11:54 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Proactive detection: This worm is proactively detected by McAfee products as "virus or variant New Worm" (with the 4174 DATs or greater, with program heuristics and "scan compressed files" enabled).

The worm is written in Visual Basic and propagates via the following mechanisms:

  • Mailing itself to Outlook contacts list
  • Sharing itself over peer to peer file-sharing networks (eg. KaZaA, Morpheus etc)
  • Sharing itself over the local network

Additionally, the worm contains remote access trojan (backdoor) functionality intended to let an attacker connect to the victim machine; see Remote Access Functionality below.

The worm delivers a destructive payload: it terminates the process(es) of various security-related applications and deletes their associated files.

Mass-Mailing

The worm mails itself, as the attachment ANAKON.JPG, to the addresses in the Outlook contacts list, using Outlook to construct the outgoing messages. Outgoing messages are formatted as follows:

Subject:
  • Do you happy?
  • Riyadh Issue: Al-Qaeda vs FBI
  • Osama Bin Laden Come Back!
  • Al-Qaeda News: Bombing Mission Success!
  • Check This Out!
  • Re: can mali can!
  • Al-Qaeda Team Entertainment News
  • [AQTE News]
  • Al-Jazeera: AQTE Come back!
  • Hi, may I read your mind?
  • Acheh Issue: What Solution!
  • Saddam Hussein Still alive
  • Iraqi people don't want US Control.
  • Let's Iraqi people build their country.
  • Download New 256-Bit Encryption Software
  • Alert! W32.HLLW.Anacon@mm Worm Has been detected!
  • Register you Windows Now!
  • Get free update Microsoft Windows Media Player
  • TIPS: How to hide your IP Address!
  • How to Protect you PC from Hackers!

Message Body:

Hi dear, Once I was first saw you, I was fall in love! Even you are already has special friend!

Fall In Love,
Rekcahlem ~=~ Anacon

Attachment: ANAKON.JPG
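As an added example (not part of the original McAfee description), the following Python script shows how a mail gateway or triage tool can catch this lure independently of its subject line: it decodes each attachment, sniffs its leading bytes, and flags an attachment named as an image whose content starts with the MZ executable header. The message, the addresses and the attachment body are constructed here; the MZ stub stands in for the worm and is not the real sample. The subject set is a subset of the list above.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Subjects quoted on the page (subset); matching is case-insensitive.
LURE_SUBJECTS = {s.lower() for s in (
    "Do you happy?",
    "Riyadh Issue: Al-Qaeda vs FBI",
    "Check This Out!",
    "Download New 256-Bit Encryption Software",
    "Alert! W32.HLLW.Anacon@mm Worm Has been detected!",
    "How to Protect you PC from Hackers!",
)}

# File signatures: what the first bytes say the attachment really is.
MAGIC = (
    (b"MZ", "dos/pe executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"),
    (b"GIF8", "gif"),
)


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def build_sample() -> bytes:
    """Constructed message mimicking the lure. The attachment body is an
    assumed stand-in (MZ header plus filler), not the real worm."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"      # constructed addresses
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = "Riyadh Issue: Al-Qaeda vs FBI"
    msg.set_content("Hi dear, Once I was first saw you, I was fall in love!")
    fake_pe = b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 64
    # Declared as image/jpeg with a .JPG name, exactly as a mail client would see it.
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="ANAKON.JPG")
    return msg.as_bytes()


def suspicious_attachments(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return one finding per attachment
    whose name, content or surrounding subject matches the lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""   # base64 is undone here
        kind = sniff(data)
        reasons = []
        # The decisive check: executable bytes behind a non-executable name.
        if kind == "dos/pe executable" and ext != ".exe":
            reasons.append(f"content is a {kind} but the name ends in {ext or '(none)'}")
        if name.lower() == "anakon.jpg":
            reasons.append("attachment name matches the W32/Naco.a lure")
        if subject in LURE_SUBJECTS:
            reasons.append("subject matches a W32/Naco.a lure")
        if reasons:
            findings.append({"filename": name, "content_kind": kind, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample()):
        print(hit["filename"], hit["content_kind"], "; ".join(hit["reasons"]))
```

The magic-byte test is the one worth keeping after the subject lines and the attachment name have been changed by a later variant: a mailer that sends a copy of itself always ships MZ bytes, whatever the file is called.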

P2P Propagation

The worm copies itself to the following directories in order to spread via P2P networks:

  • %ProgramFiles%\KMD\My Shared Folder\
  • %ProgramFiles%\Kazaa\My Shared Folder\
  • %ProgramFiles%\KaZaA Lite\My Shared Folder\
  • %ProgramFiles%\Morpheus\My Shared Folder\
  • %ProgramFiles%\Grokster\My Grokster\
  • %ProgramFiles%\BearShare\Shared\
  • %ProgramFiles%\Edonkey2000\Incoming\
  • %ProgramFiles%\limewire\Shared\

      (Where %ProgramFiles% is the system Program Files directory, e.g. C:\PROGRAM FILES.)

      The following filenames are used to entice users to download/run the worm.

      • X-Men II Trailer.mpg.exe
      • The Matrix Reloaded.jpg.exe
      • Jonny English (JE).avi.exe
      • EmpireEarthII.msi.exe
      • Setup.exe
      • JumpingJumping.exe
      • SuperMarioBrother.exe
      • YoungAndNotTooDangerous.exe
      • Nokia8250Series.exe
      • About SARS Solution.doc.exe
      • Dont eat pork.. SARS in there.jpg.exe
      • Mesmerize.exe
      • MSVisual C++.exe
      • Installer.exe
      • Q544512.exe
      • jdbgmgr.exe
      • WindowsXP PowerToys.exe
      • WMovie Maker II.exe
      • WindowsUpdate.exe
      • SEX_HOT.exe
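Every lure above is an executable, and most hide the .exe behind a media or document extension. As an added example (not McAfee's tool), the following Python scan walks a directory listing of the P2P drop folders named above and flags entries by double extension, by match against the lure names, by the 29,184-byte length given for this sample, and by the plain fact of an executable sitting in a shared folder. The listing is constructed; the lure set is a subset of the list above.

```python
import ntpath

# Drop directories the page lists, relative to %ProgramFiles%.
P2P_SHARE_DIRS = (
    r"KMD\My Shared Folder", r"Kazaa\My Shared Folder", r"KaZaA Lite\My Shared Folder",
    r"Morpheus\My Shared Folder", r"Grokster\My Grokster", r"BearShare\Shared",
    r"Edonkey2000\Incoming", r"limewire\Shared",
)

# Lure names quoted on the page (subset), lower-cased for matching.
KNOWN_LURES = {n.lower() for n in (
    "X-Men II Trailer.mpg.exe", "The Matrix Reloaded.jpg.exe", "Jonny English (JE).avi.exe",
    "EmpireEarthII.msi.exe", "About SARS Solution.doc.exe",
    "Dont eat pork.. SARS in there.jpg.exe", "Setup.exe", "WindowsUpdate.exe",
    "jdbgmgr.exe", "SEX_HOT.exe",
)}
SAMPLE_SIZE = 29184                      # length given on the page (UPX packed)
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
DECOY_EXTS = {".mpg", ".mpeg", ".avi", ".jpg", ".gif", ".doc", ".msi", ".mp3", ".zip", ".txt"}

# Constructed listing {path: size}; benign files are included to show what is ignored.
SAMPLE_LISTING = {
    r"C:\PROGRAM FILES\Kazaa\My Shared Folder\The Matrix Reloaded.jpg.exe": 29184,
    r"C:\PROGRAM FILES\Kazaa\My Shared Folder\holiday.jpg": 48211,
    r"C:\PROGRAM FILES\limewire\Shared\Setup.exe": 512000,
    r"C:\PROGRAM FILES\BearShare\Shared\track01.mp3": 3900000,
    r"C:\DOWNLOADS\Dont eat pork.. SARS in there.jpg.exe": 29184,
}


def in_share_dir(path: str, program_files: str = r"C:\PROGRAM FILES") -> bool:
    """True if the file's directory is one of the worm's P2P drop folders."""
    d = ntpath.dirname(path).lower().rstrip("\\")
    return any(d == ntpath.join(program_files, s).lower() for s in P2P_SHARE_DIRS)


def classify(path: str, size: int) -> list:
    """Return the reasons a file looks like this worm (empty list = nothing found)."""
    lower = ntpath.basename(path).lower()
    root, ext = ntpath.splitext(lower)
    reasons = []
    if ext in EXEC_EXTS:
        inner = ntpath.splitext(root)[1]       # the extension before the real one
        if inner in DECOY_EXTS:
            reasons.append(f"double extension {inner}{ext}: executable disguised as {inner[1:]}")
        if lower in KNOWN_LURES:
            reasons.append("name matches a W32/Naco.a lure")
        if size == SAMPLE_SIZE:
            reasons.append("size matches the 29,184-byte sample")
        if in_share_dir(path):
            reasons.append("executable placed in a P2P shared folder")
    return reasons


def scan_listing(listing: dict) -> dict:
    """listing: {full path: size in bytes}. Returns only the flagged entries."""
    hits = {}
    for path, size in listing.items():
        reasons = classify(path, size)
        if reasons:
            hits[path] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in scan_listing(SAMPLE_LISTING).items():
        print(path, "->", "; ".join(reasons))
```

A name such as Setup.exe matches on the lure list alone, which is weak evidence on its own; treat a single-reason hit as a candidate for hashing or scanning rather than as a detection, and weight double-extension and size matches more heavily.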

      Remote Access Functionality

      The worm also contains backdoor functionality, although this was not exhibited in testing. Data within the worm suggests it enables an attacker to connect to the victim machine and issue various commands.

      Miscellaneous

      The worm also contains the following strings:

      I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain and AQTE

      Anacon G0t ya! By Melhacker - The Real Hacker!
      Symptoms

      Presence of the files and Registry keys detailed below.

      Method of Infection

      This worm spreads via email, via peer to peer file-sharing networks and by exposing the victim machine's C:\ drive as a network share.

      The worm installs onto the victim machine as:

      %SysDir%\ANACON.EXE

      (where %SysDir% is the Windows System directory, e.g. C:\WINDOWS\SYSTEM)

      The following Registry values are added to hook system startup (the RunServices key is processed only by Windows 9x/ME; the Run keys apply to all Windows versions):

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "AHU" = C:\WINDOWS\SYSTEM\ANACON.EXE

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "Hvewsveqmg"= C:\WINDOWS\SYSTEM\ANACON.EXE

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Cvfjx" = C:\WINDOWS\SYSTEM\ANACON.EXE

      The following values are added so that the local C:\ drive is exposed as a persistent network share named HACKERz (the same value is written under ControlSet001, ControlSet002 and CurrentControlSet):

      HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver\Shares "HACKERz"

      HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserver\Shares "HACKERz"

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares "HACKERz"

      The following security-related applications are targeted. If a matching process is found it is terminated and its file is deleted; on Windows 9x the deletion is scheduled by writing NUL=%filename% entries to the [rename] section of WININIT.INI, which the system processes at the next reboot.

      • Avp32.exe
      • _Avpcc.exe
      • _Avpm.exe
      • Ackwin32.exe
      • Anti-Trojan.exe
      • Apvxdwin.exe
      • Autodown.exe
      • Avconsol.exe
      • Ave32.exe
      • Avgctrl.exe
      • Avkserv.exe
      • Avnt.exe
      • Avp.exe
      • Avp32.exe
      • Avpcc.exe
      • Avpdos32.exe
      • Avpm.exe
      • Avptc32.exe
      • Avpupd.exe
      • Avsched32.exe
      • Avwin95.exe
      • Avwupd32.exe
      • Blackd.exe
      • Blackice.exe
      • Cfiadmin.exe
      • Cfiaudit.exe
      • Cfinet.exe
      • Cfinet32.exe
      • Claw95.exe
      • Claw95cf.exe
      • Cleaner.exe
      • Cleaner3.exe
      • Dvp95.exe
      • Dvp95_0.exe
      • Ecengine.exe
      • Esafe.exe
      • Espwatch.exe
      • f-Agnt95.exe
      • f-Prot.exe
      • f-Prot95.exe
      • f-Stopw.exe
      • Findviru.exe
      • Fp-Win.exe
      • Fprot.exe
      • Frw.exe
      • Iamapp.exe
      • Iamserv.exe
      • Ibmasn.exe
      • Ibmavsp.exe
      • Icload95.exe
      • Icloadnt.exe
      • Icmon.exe
      • Icsupp95.exe
      • Icsuppnt.exe
      • Iface.exe
      • Iomon98.exe
      • Jedi.exe
      • Lockdown2000.exe
      • Lookout.exe
      • Luall.exe
      • Moolive.exe
      • Mpftray.exe
      • N32scanw.exe
      • Navapw32.exe
      • Navlu32.exe
      • Navnt.exe
      • Navw32.exe
      • Navwnt.exe
      • Nisum.exe
      • Nmain.exe
      • Normist.exe
      • Nupgrade.exe
      • Nvc95.exe
      • Outpost.exe
      • Padmin.exe
      • Pavcl.exe
      • Pavsched.exe
      • Pavw.exe
      • Pccwin98.exe
      • Pcfwallicon.exe
      • Persfw.exe
      • Rav7.exe
      • Rav7win.exe
      • Regedit.exe
      • Rescue.exe
      • Safeweb.exe
      • Scan32.exe
      • Scan95.exe
      • Scanpm.exe
      • Scrscan.exe
      • Serv95.exe
      • Smc.exe
      • Sphinx.exe
      • Sweep95.exe
      • Tbscan.exe
      • Tca.exe
      • Tds2-98.exe
      • Tds2-Nt.exe
      • Vet95.exe
      • Vettray.exe
      • Vscan40.exe
      • Vsecomr.exe
      • Vshwin32.exe
      • Vsstat.exe
      • Webscanx.exe
      • Wfindv32.exe
      • Zonealarm.exe
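The startup hooks, the HACKERz share and the WININIT.INI deletions described above are all plain-text artifacts once exported, so they can be checked offline on a copied disk. The following Python triage function is an added example, not McAfee's tool: it parses a REGEDIT-format export for Run/RunServices values pointing at ANACON.EXE and for the lanmanserver share, and reads the [rename] section of WININIT.INI for NUL= entries naming the targeted programs. The export and INI text are constructed to look like an infected Windows 9x host; the targeted-name set is a subset of the list above.

```python
import ntpath
import re

# Constructed REGEDIT5 export. The benign SystemTray value is included so the
# filter has something to ignore; the share data is an assumed REG_MULTI_SZ.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"AHU"="C:\\WINDOWS\\SYSTEM\\ANACON.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Hvewsveqmg"="C:\\WINDOWS\\SYSTEM\\ANACON.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Cvfjx"="C:\\WINDOWS\\SYSTEM\\ANACON.EXE"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares]
"HACKERz"=hex(7):50,00,61,00,74,00,68,00,3d,00,43,00,3a,00,5c,00,00,00,00,00
'''

# Constructed WININIT.INI: two AV binaries queued for deletion plus an
# unrelated temp file, as a legitimate installer might leave behind.
SAMPLE_WININIT = r'''[rename]
NUL=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
NUL=C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
NUL=C:\WINDOWS\TEMP\~SETUP.TMP
'''

# Subset of the targeted program names listed on the page.
TARGETED = {"zonealarm.exe", "vshwin32.exe", "avp32.exe", "navw32.exe", "blackice.exe",
            "regedit.exe", "scan32.exe", "f-prot.exe", "persfw.exe", "webscanx.exe"}

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services)?(Once)?$", re.IGNORECASE)
SHARES_KEY = re.compile(r"\\Services\\lanmanserver\\Shares$", re.IGNORECASE)


def parse_reg(text: str):
    """Yield (key, value_name, data) for every value in a REGEDIT5 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and key:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\')   # undo .reg escaping
            yield key, name, data


def triage(reg_text: str, wininit_text: str) -> list:
    """Return (category, location, detail) tuples for each indicator found."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if AUTORUN_KEY.search(key) and "anacon.exe" in data.lower():
            findings.append(("autorun", f"{key}\\{name}", data))
        if SHARES_KEY.search(key) and name.lower() == "hackerz":
            findings.append(("share", f"{key}\\{name}", data))

    # [rename] entries of the form NUL=<path> delete <path> at the next boot.
    in_rename = False
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and line.upper().startswith("NUL="):
            path = line[4:]
            base = ntpath.basename(path).lower()
            if base in TARGETED:
                findings.append(("av_delete", path, base))
    return findings


if __name__ == "__main__":
    for category, location, detail in triage(SAMPLE_REG, SAMPLE_WININIT):
        print(f"{category:10} {location}  [{detail}]")
```

On a live Windows 9x host the deletions take effect at the next reboot, so a WININIT.INI with NUL= lines naming security software is worth capturing before restarting: once processed, the file is renamed to WININIT.BAK and the evidence of which programs were removed goes with it.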

      Removal

      All Users:
      Use specified engine and DAT files for detection and removal.

      Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

      Additional Windows ME/XP removal considerations

      Variants

        N/A

      Overview

      This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

      Aliases

      • I-Worm.Anacon (AVP)
