W32/Naco.b@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 05/27/2003
Length: 137,651 bytes (UPX packed)
Minimum DAT: 4267 (05/28/2003)
Updated DAT: 4684 (01/27/2006)
Minimum Engine: 5.1.00
Description Added: 05/26/2003
Description Modified: 06/12/2003 10:34 AM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Characteristics

-- Update 12 June 2003 --
W32/Naco.f@MM variant appeared. Detection by name is included in 4272 DATs. Since the previous update in May variants d-e also appeared. They were all proactively detected as "W32/Generic.a@MM" since 4253 DATs.
--

-- Update 30 May 2003 --
W32/Naco.c@MM variant appeared - it was proactively detected as "New Worm" since 4243 DATs. Detection by name was included in 4266 DATs.
--

Proactive detection: This worm is proactively detected by McAfee products as "virus or variant New Worm" with the 4174 DATs or greater, when program heuristics and "scan compressed files" are enabled.

The worm displays similar characteristics to W32/Naco.a@MM and propagates via the following mechanisms:

  • Mailing itself to the Outlook contacts list
  • Copying itself into the shared folders of peer-to-peer file-sharing clients (e.g. KaZaA) and hooking ICQ startup
  • Sharing itself over the local network (it shares the C:\ drive, see below)

It arrives in a package containing three files: anacon.bat, mswinsck.ocx and naco.exe.

Additionally the worm functions as a remote access trojan, enabling an attacker to connect to the victim machine.

The worm delivers a destructive payload: it terminates the processes of various security-related applications and deletes their associated files.

Mass-Mailing

The worm mails itself with different attachment names to the Outlook contacts list, using Outlook to construct outgoing messages. Outgoing messages are formatted as follows:

Subject:
  • Do you happy?
  • Great News! Check it out now!
  • Just for Laught!
  • TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
  • What New in TechTV!
  • FoxNews Reporter: Hello! SARS Issue!
  • Get Free XXX Web Porn!
  • Oh, my girl!
  • Crack - Download Accerelator Plus 5.3.9
  • Do you remember me?
  • The ScreenSaver: Wireless Keyboard
  • VBCode: Prevent Your Application From Crack
  • Re: are you married?(1)
  • Download WinZip 9.0 Beta
  • Young and Dangerous 7
  • Alert! W32.Anacon.B@mm Worm Has been detected!
  • Run for your life!
  • Update: Microsoft Visual Studio .Net
  • Your Password: jad8aadf08
  • Tired to Search Anonymous SMTP Server?

Message Body:

Hello dear,
I'm gonna missed you babe, hope we can see again!

In Love,
Rekcahlem ~<>~ Anacon

Attachment: Can be any of the following:

  • anacon.exe
  • build.exe
  • force.exe
  • scan.exe
  • runtime.exe
  • hangup.exe
  • hungry.exe
  • thing.exe
  • against.exe
  • wars.exe

P2P Propagation

The worm copies itself to the following directories in order to spread via P2P networks:

  • %ProgramFiles%\KMD\My Shared Folder\
  • %ProgramFiles%\Kazaa\My Shared Folder\
  • %ProgramFiles%\KaZaA Lite\My Shared Folder\
  • %ProgramFiles%\Morpheus\My Shared Folder\
  • %ProgramFiles%\Grokster\My Grokster\
  • %ProgramFiles%\BearShare\Shared\
  • %ProgramFiles%\Edonkey2000\Incoming\
  • %ProgramFiles%\limewire\Shared\

(Where %ProgramFiles% is the system program files directory, e.g. C:\PROGRAM FILES.)

The following filenames are used to entice users to download/run the worm. Note the double extensions (e.g. .mpg.exe, .jpg.exe, .doc.exe): with Explorer's default "hide extensions for known file types" setting the file appears to be a movie, picture or document.

  • The Matrix Evolution.mpg.exe
  • The Matrix Reloaded Preview.jpg.exe
  • Jonny English (JE).avi.exe
  • DOOM III Demo.exe
  • winamp3.exe
  • JugdeDread.exe
  • Microsoft Visual Studio.exe
  • gangXcop.exe
  • Upgrade you HandPhone.exe
  • About SARS Solution.doc.exe
  • Dont eat pork. SARS in there.jpg.exe
  • VISE.exe
  • MSVisual C++.exe
  • QuickInstaller.exe
  • Q111023.exe
  • jdbgmgr.exe
  • WindowsXP PowerToys.exe
  • InternationalDictionary.exe
  • EAGames.exe
  • SEX_HOTorCOOL.exe
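
The subject, attachment and P2P filename lists above are the indicators a mail gateway or file-share scan would key on. The following is an added example, not McAfee's code and not the worm's: it matches a (subject, attachment) pair against a subset of the published strings and, going beyond the page, applies a generic check for the double-extension disguise the P2P names rely on. The decoy/executable extension sets and the sample messages are assumptions constructed for the demo.

```python
"""Lure triage for the W32/Naco.b@MM mail and P2P indicators listed above.

Added example (not McAfee's or the worm's code). Indicator sets are a subset of
the description; EXEC_EXTS / DECOY_EXTS and SAMPLE_MESSAGES are constructed.
"""

# Copied from the description above (subset; extend with the full lists).
NACO_B_SUBJECTS = {
    "Do you happy?",
    "Alert! W32.Anacon.B@mm Worm Has been detected!",
    "Your Password: jad8aadf08",
    "Download WinZip 9.0 Beta",
}
NACO_B_ATTACHMENTS = {
    "anacon.exe", "build.exe", "force.exe", "scan.exe", "runtime.exe",
    "hangup.exe", "hungry.exe", "thing.exe", "against.exe", "wars.exe",
}
NACO_B_P2P_NAMES = {
    "the matrix evolution.mpg.exe",
    "about sars solution.doc.exe",
    "jdbgmgr.exe",
    "windowsxp powertoys.exe",
}

# Generic heuristic (assumption, not from the page): an executable extension
# hidden behind a media/document extension, e.g. "Preview.jpg.exe".
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "mpg", "mpeg", "avi", "doc", "txt", "pdf", "zip"}


def is_double_extension_disguise(filename):
    """True for names like 'Preview.jpg.exe' (decoy extension, then executable)."""
    parts = filename.lower().strip().rsplit(".", 2)
    return len(parts) == 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def classify_lure(subject, attachment):
    """Return the list of reasons a (subject, attachment) pair looks like Naco.b."""
    reasons = []
    att = attachment.lower().strip()
    if subject.strip() in NACO_B_SUBJECTS:
        reasons.append("known Naco.b subject")
    if att in NACO_B_ATTACHMENTS:
        reasons.append("known Naco.b mail attachment name")
    if att in NACO_B_P2P_NAMES:
        reasons.append("known Naco.b P2P filename")
    if is_double_extension_disguise(att):
        reasons.append("double-extension disguise")
    return reasons


def triage(messages):
    """messages: iterable of (subject, attachment). Returns [(index, reasons)] for hits only."""
    hits = []
    for i, (subject, attachment) in enumerate(messages):
        reasons = classify_lure(subject, attachment)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample: two worm lures, one benign message, one disguised P2P-style name.
SAMPLE_MESSAGES = [
    ("Your Password: jad8aadf08", "wars.exe"),
    ("Quarterly report", "report-q2.xlsx"),
    ("Fwd: trailer", "The Matrix Reloaded Preview.jpg.exe"),
    ("Do you happy?", "holiday.jpg"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_MESSAGES):
        print(idx, SAMPLE_MESSAGES[idx], "->", ", ".join(reasons))
```

Exact-string matching catches this variant only; the double-extension check is the part worth keeping in a gateway rule, since it fires on the same trick regardless of which filenames the next variant chooses.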

Remote Access Functionality

The worm also contains backdoor functionality: it listens on a port in the 1500 to 1600 range on the infected machine (the port in use is reported as "Current Port Number" below). To announce the compromise, it sends an e-mail to chatza@phreaker.net. Strings in the binary indicate the following information is included:

  • EXE Backdoor Name:
  • Operating System:
  • Internet Explorer Version:
  • Windows Directories:
  • System Directories:
  • Current Screen Resolution:
  • Current Time:
  • IP Address:
  • Current Port Number:
  • UserName:
  • ComputerName:
  • Cached Password: (For Win9x/Me Only)
  • Host:
  • Drive(s):
  • Type of Drives:
  • InternalName
  • ICQ UINs:
  • Sound Card:

The attacker can then connect to the victim's machine and perform functions such as:

  • opening the CD-ROM tray (the MCI command string "set CDAudio door open")
  • dropping a keylogger
  • updating the worm binary from the link
    http://blocked.netlux.org/~melhacker/anaconII.exe

Miscellaneous

The worm also contains the following strings:

I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and Anacon G0t ya! By Melhacker

Symptoms

Presence of the files and Registry keys detailed below.

Method of Infection

This worm spreads via e-mail, peer-to-peer file-sharing networks and by sharing itself from the victim machine over the local network.

This variant of the worm consists of a self-extracting archive dropper (137,651 bytes), detected as W32/Naco.b@MM. When executed on the victim machine, three files are extracted:

  • MSWINSCK.OCX - Winsock control library (the Visual Basic Winsock control the worm depends on for its network functions)
  • ANACON.BAT - batch script which installs (and registers) the above library, then runs NACO.EXE (see below) before deleting itself.
  • NACO.EXE - (86,016 bytes) Visual Basic binary (this provides the worm functionality), detected as W32/Naco.b@MM.

Upon execution of NACO.EXE, the following files are installed onto the victim machine:

%SysDir%\SYSPOLY32.EXE (86,016 bytes) - copy of NACO.EXE
%SysDir%\WARS.EXE (137,651 bytes) - entire SFX package

(where %SysDir% is the Windows System directory, e.g. C:\WINDOWS\SYSTEM)

The following keys are set to hook system startup (note the doubled backslash in the SYSPOLY32.EXE paths, as written by the worm):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PowerManagement" = C:\WINDOWS\SYSTEM\\SYSPOLY32.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "AHU" = C:\WINDOWS\SYSTEM\\SYSPOLY32.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Nocana" = C:\WINDOWS\SYSTEM\wars.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "InterceptedSystem" = C:\WINDOWS\SYSTEM\\SYSPOLY32.EXE

The following keys are added in order to share the local C:\ drive:

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver\Shares "HACKERz"

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserver\Shares "HACKERz"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares "HACKERz"

The worm uses the Mirabilis ICQ Agent application key to launch itself when ICQ starts, by adding the following keys (the application subkey name, Gvjlkfbip here, is random):

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip "Enable" = Yes

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip "Parameters" =

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip "Path" = C:\WINDOWS\SYSTEM\\SYSPOLY32.EXE

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip "Startup" = C:\WINDOWS\SYSTEM\
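
The registry entries above (Run/RunServices values, the lanmanserver "HACKERz" share and the ICQ Agent application subkey) are the host indicators to sweep for. The following is an added example, not McAfee's code: it parses a REGEDIT4 / "Windows Registry Editor Version 5.00" export (the format written by `regedit /e`) and flags those entries. The export text is constructed for the demo; it reproduces the doubled backslash the worm writes in the SYSPOLY32.EXE paths, which a naive exact-path comparison would miss, so paths are normalised before matching.

```python
"""Registry-export scanner for the W32/Naco.b@MM persistence entries listed above.

Added example (not McAfee's code). SAMPLE_REG is constructed; the key names,
value names and paths mirror the description above.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data  or  @=data ; names may contain escaped quotes/backslashes
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

RUN_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runservices",
)
NACO_B_RUN_NAMES = {"powermanagement", "ahu", "nocana", "interceptedsystem"}
NACO_B_BINARIES = {"syspoly32.exe", "wars.exe"}


def unescape_reg_string(s):
    """Undo .reg quoting inside string data: a backslash escapes the next char."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Yield (key, value_name, data). Quoted string data is unescaped; other
    data (dword:, hex(7):...) is kept raw and hex continuation lines are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue  # hex continuation line or junk
        name = m.group("default") or unescape_reg_string(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape_reg_string(data[1:-1])
        yield key, name, data


def normalize_path(p):
    """Lower-case and collapse runs of backslashes: the worm writes
    C:\\WINDOWS\\SYSTEM\\\\SYSPOLY32.EXE, which must still match."""
    return re.sub(r"\\+", "\\\\", p.strip().strip('"')).lower()


def find_naco_b_indicators(reg_text):
    """Return (category, key, value_name, data) for each matching entry, in file order."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIXES):
            path = normalize_path(data)
            if name.lower() in NACO_B_RUN_NAMES or path.rsplit("\\", 1)[-1] in NACO_B_BINARIES:
                hits.append(("startup", key, name, path))
        elif k.endswith("\\services\\lanmanserver\\shares") and name.lower() == "hackerz":
            hits.append(("share", key, name, data))
        elif "\\software\\mirabilis\\icq\\agent\\apps\\" in k and name.lower() == "path":
            path = normalize_path(data)
            if path.rsplit("\\", 1)[-1] in NACO_B_BINARIES:
                hits.append(("icq-agent", key, name, path))
    return hits


# Constructed export: the worm's entries plus one benign Win9x Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="C:\\WINDOWS\\SYSTEM\\\\SYSPOLY32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Nocana"="C:\\WINDOWS\\SYSTEM\\wars.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="C:\\WINDOWS\\SYSTEM\\\\SYSPOLY32.EXE"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares]
"HACKERz"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
  50,00,61,00,74,00,68,00,3d,00,43,00,3a,00,5c,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip]
"Enable"="Yes"
"Parameters"=""
"Path"="C:\\WINDOWS\\SYSTEM\\\\SYSPOLY32.EXE"
"Startup"="C:\\WINDOWS\\SYSTEM\\"
'''

if __name__ == "__main__":
    for category, key, name, data in find_naco_b_indicators(SAMPLE_REG):
        print(f"{category:10} {key}  {name!r} = {data!r}")
```

The share and ICQ rules match on value name and location rather than on the binary path, so they still fire if a variant renames its executable; the Run rule matches either the value name or the dropped file name for the same reason.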

The following security-related applications are targeted. If a listed process is found running it is terminated and its file is deleted; on Windows 9x the deletion is queued by writing NUL=%filename% entries to the [rename] section of WININIT.INI, which WININIT.EXE processes at the next boot, before the security product can start.

      • Zonealarm.exe
      • Wfindv32.exe
      • Webscanx.exe
      • Vsstat.exe
      • Vshwin32.exe
      • Vsecomr.exe
      • Vscan40.exe
      • Vettray.exe
      • Vet95.exe
      • Tds2-Nt.exe
      • Tds2-98.exe
      • Tca.exe
      • Tbscan.exe
      • Sweep95.exe
      • Sphinx.exe
      • Smc.exe
      • Serv95.exe
      • Scrscan.exe
      • Scanpm.exe
      • Scan95.exe
      • Scan32.exe
      • Safeweb.exe
      • Regedit.exe
      • Rescue.exe
      • Rav7win.exe
      • Rav7.exe
      • Persfw.exe
      • Pcfwallicon.exe
      • Pccwin98.exe
      • Pavw.exe
      • Pavsched.exe
      • Pavcl.exe
      • Padmin.exe
      • Outpost.exe
      • Nvc95.exe
      • Nupgrade.exe
      • Normist.exe
      • Nmain.exe
      • Nisum.exe
      • Navwnt.exe
      • Navw32.exe
      • Navnt.exe
      • Navlu32.exe
      • Navapw32.exe
      • N32scanw.exe
      • Mpftray.exe
      • Moolive.exe
      • Luall.exe
      • Lookout.exe
      • Lockdown2000.exe
      • Jedi.exe
      • Iomon98.exe
      • Iface.exe
      • Icsuppnt.exe
      • Icsupp95.exe
      • Icmon.exe
      • Icloadnt.exe
      • Icload95.exe
      • Ibmavsp.exe
      • Ibmasn.exe
      • Iamserv.exe
      • Iamapp.exe
      • Frw.exe
      • Fprot.exe
      • Fp-Win.exe
      • Findviru.exe
      • f-Stopw.exe
      • f-Prot95.exe
      • f-Prot.exe
      • f-Agnt95.exe
      • Espwatch.exe
      • Esafe.exe
      • Ecengine.exe
      • Dvp95_0.exe
      • Dvp95.exe
      • Cleaner3.exe
      • Cleaner.exe
      • Claw95cf.exe
      • Claw95.exe
      • Cfinet32.exe
      • Cfinet.exe
      • Cfiaudit.exe
      • Cfiadmin.exe
      • Blackice.exe
      • Blackd.exe
      • Avwupd32.exe
      • Avwin95.exe
      • Avsched32.exe
      • Avpupd.exe
      • Avptc32.exe
      • Avpm.exe
      • Avpdos32.exe
      • Avpcc.exe
      • Avp32.exe
      • Avp.exe
      • Avnt.exe
      • Avkserv.exe
      • Avgctrl.exe
      • Ave32.exe
      • Avconsol.exe
      • Autodown.exe
      • Apvxdwin.exe
      • Anti-Trojan.exe
      • Ackwin32.exe
      • _Avpm.exe
      • _Avpcc.exe
      • _Avp32.exe
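
The WININIT.INI mechanism described above leaves a forensic trace on Windows 9x until the next reboot: the queued deletions are written in clear text. The following is an added example, not McAfee's code: it parses the [rename] section, lists the paths queued for deletion (destination NUL) and flags those whose file name is one of the security tools the worm targets. The INI text is constructed and the target set is a subset of the list above.

```python
"""Check a Windows 9x WININIT.INI for queued deletions of security tools.

Added example (not McAfee's code). On Windows 9x/Me, WININIT.EXE processes the
[rename] section at the next boot as 'dest=source'; a destination of NUL
deletes the source file. SAMPLE_WININIT is constructed; TARGETED_BINARIES is a
subset of the process list above.
"""
import ntpath

TARGETED_BINARIES = {
    "zonealarm.exe", "navw32.exe", "avp32.exe", "blackice.exe",
    "scan32.exe", "regedit.exe", "outpost.exe",
}


def parse_wininit_rename(text):
    """Return (dest, source) pairs from the [rename] section, in file order."""
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def pending_deletes(text):
    """Paths that will be deleted at the next boot (dest == NUL)."""
    return [src for dest, src in parse_wininit_rename(text) if dest.upper() == "NUL"]


def flagged_security_tool_deletes(text):
    """Subset of pending deletes whose file name is a known security tool."""
    return [p for p in pending_deletes(text)
            if ntpath.basename(p).lower() in TARGETED_BINARIES]


# Constructed sample: two AV/firewall binaries queued for deletion, one legitimate
# installer rename, one temp-file cleanup, and a NUL= line outside [rename] that
# WININIT.EXE ignores.
SAMPLE_WININIT = r"""[rename]
NUL=C:\PROGRA~1\ZONELA~1\ZONEAL~1\ZONEALARM.EXE
NUL=C:\PROGRA~1\NORTON~1\NAVW32.EXE
C:\WINDOWS\SYSTEM\NEWLIB.DLL=C:\WINDOWS\TEMP\NEWLIB.TMP
NUL=C:\WINDOWS\TEMP\~SETUP.TMP

[other]
NUL=C:\NOT\IN\RENAME\AVP32.EXE
"""

if __name__ == "__main__":
    for path in flagged_security_tool_deletes(SAMPLE_WININIT):
        print("security tool queued for deletion at next boot:", path)
```

On the NT family the same delayed-delete effect is obtained with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT, which records the operation in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the same check (a source path paired with an empty destination, naming a security product) applies there.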

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Naco.B@mm (Symantec)
• W32/Naco.d@MM
• W32/Naco.e@MM
• W32/Naco.f@MM
• WORM_NACO.B (Trend)
