W32/Naco.d@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 06/02/2003
Length: 32,768 bytes
Minimum DAT: 4269 (06/04/2003)
Updated DAT: 4684 (01/27/2006)
Minimum Engine: 5.1.00
Description Added: 06/02/2003
Description Modified: 06/02/2003 12:11 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

Proactive detection: This threat is proactively detected as VB-BackDoor1.gen with the 4249+ DAT files and 4.2.40 engine, when scanning compressed executables with PROGRAM HEURISTICS enabled.

The worm displays similar characteristics to W32/Naco.a@MM and propagates via the following mechanisms:

  • Mailing itself to Outlook contacts list
  • Sharing itself over peer-to-peer file-sharing networks (e.g. KaZaA, ICQ, etc.)
  • Sharing itself over the local network

It arrives as an email attachment and also functions as a remote access trojan, enabling the hacker to connect to the victim machine.

The worm delivers multiple destructive payloads: it terminates the process(es) of various security-related applications and deletes their associated files, defaces websites, and deletes files.

Mass-Mailing

The worm mails itself with different attachment names to the Outlook contacts list, using Outlook to construct outgoing messages. Outgoing messages are formatted as follows:

Subject:
  • Alert!
  • Crack for Nokia LogoManager 1.3
  • FoxNews Reporter: There are no Solution for SARS?
  • Free SMS Via NACO SMS!
  • Get Free SMTP Server at Click Here!
  • Get Your Free XXX Password!
  • Gotcha baby!
  • Help me plz?
  • Nelly Furtado!
  • New Variant Anacon.D has been detected!
  • New! Dragon Ball Fx
  • News: US Goverment try to make wars with Tehran.
  • Out of my heart?
  • Patch for Microsoft Windows XP 64bit
  • Re: are you married?(3)
  • Seagate Baracuda 80GB for $???
  • Small And Destrucive!
  • TechTV: New Anti Virus Software
  • TIPs: HOW TO DEFACE A WEBSERVER?
  • What New in The ScreenSaver!
  • Your FTP Password: iuahdf7d8hf

Message Body:
  • Hello dear, I'm gonna missed you babe, hope we can see again! In Love, Rekcahlem ~<>~ Anacon
  • Hi babe, Still missing me! I have send to you a special gift I made it my own. Just for you. Check it out the attachment. Your Love, Rekcahlem
  • Great to see you again babe! This is file you want las week. Please don't distribute it to other. Regard, V.C.
  • Attention! Please do not eat pork! The SARS virus may come from the pig. So becareful. For more information check the attachment. Regard, WTO
  • (blank) You may not see the message because the message has been convert to the attachment. Please open an attachment to see the message.

Attachment: can be any of the following:

  • anacon32.exe
  • naco.exe
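
A mail-gateway check for the lure described above, added here as an example (it is not McAfee's code): it parses a raw message with Python's email module and flags it when an attachment carries one of the worm's two file names, or when a known lure subject arrives together with any executable attachment. The message is constructed for this example and only a handful of the subjects are included; extend NACO_SUBJECTS from the full list above.

```python
from email import message_from_string

# Attachment names from the description and a handful of its lure subjects.
NACO_ATTACHMENTS = {"anacon32.exe", "naco.exe"}
NACO_SUBJECTS = {
    "Alert!", "Help me plz?", "Patch for Microsoft Windows XP 64bit",
    "New Variant Anacon.D has been detected!", "Your FTP Password: iuahdf7d8hf",
}


def attachment_names(msg):
    """Return the filename of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw):
    """Return {'block': bool, 'reasons': [...]} for one raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    lure = subject in NACO_SUBJECTS
    if lure:
        reasons.append(f"subject is a known Naco lure: {subject!r}")
    block = False
    for name in attachment_names(msg):
        low = name.lower()
        if low in NACO_ATTACHMENTS:
            block = True
            reasons.append(f"attachment name used by the worm: {name!r}")
        elif low.endswith(".exe") and lure:
            block = True  # lure subject plus any executable: treat as the worm
            reasons.append(f"executable attachment with lure subject: {name!r}")
    return {"block": block, "reasons": reasons}


SAMPLE = (  # constructed for this example, not a real capture
    "From: sender@example.invalid\r\n"
    "Subject: Help me plz?\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "Check it out the attachment.\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="naco.exe"\r\n'
    'Content-Disposition: attachment; filename="naco.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "--b1--\r\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A lure subject on its own is reported but not blocked, so ordinary mail that happens to reuse one of these subjects is not lost.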

P2P Propagation

The worm copies itself to P2P shared folders. It queries the registry to retrieve program paths:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir

Next, it attempts to copy itself to any discovered folders whose path contains one of the following strings:
  • KMD\My Shared Folder
  • My Shared Folder
  • Lite\My Shared Folder
  • My Grokster
  • Shared
  • Incoming

The following filenames are used to entice users to download/run the worm.

  • About SARS Solution.exe
  • Anacon The Great.exe
  • DialUp.exe
  • Dincracker eZine.exe
  • Dont Eat Pork SARS in there.exe
  • Downloader.exe
  • fxanacon.exe
  • Generate a Random PAssword.exe
  • Get Lost.exe
  • GetMorePower.exe
  • Hack In 5 Minute.exe
  • Hacker HandBook.exe
  • HeavyMetal.exe
  • Hide Your Mount.exe
  • JackAndGinnie.exe
  • La Intrusa.exe
  • Lost YourPassword.exe
  • MSWINSCK.exe
  • NEW POWERTOY FOR WINXP.exe
  • New Variant.exe
  • NokiaPolyPhonic.exe
  • OfficeXP.exe
  • Oh Yeah Babe.exe
  • Patch - jdbgmgr.exe
  • Porta.exe
  • Replacement Killer 2.exe
  • Ripley Believe It Or Not.exe
  • RosalindaAyamor
  • SMTP OCX.exe
  • Sucker.exe
  • The Lost Jungle.exe
  • The Matrix Reloaded Trailer.exe
  • TIPS HOW TO CRACK SYMANTEC SERVER.exe
  • Trailer DOOM III.exe
  • Uninstal.exe
  • VISE MINDVISION.exe
  • WhatIsGoingOn.exe
  • WindowsSecurity Patch.exe
  • WinZip9Beta.exe

Remote Access Functionality

The worm also contains backdoor functionality. It listens on a varying port, and sends an email notification to the address chatza@phreaker.net. Data in the file indicates the following information is sent:

  • EXE Backdoor Name:
  • Operating System:
  • Internet Explorer Version:
  • Windows Directories:
  • System Directories:
  • Current Screen Resolution:
  • Current Time:
  • IP Address:
  • Current Port Number:
  • UserName:
  • ComputerName:
  • Cached Password: (For Win9x/Me Only)
  • Host:
  • Drive(s):
  • Type of Drives:
  • InternalName
  • ICQ UINs:
  • Sound Card:
The hacker can then connect to the victim's machine and perform functions such as:
  • opening the CD-ROM drive door
  • dropping a keylogger
  • updating the worm file from the following link:
    http://blocked.netlux.org/~melhacker/anaconIV.exe

DoS functionality

The worm contains instructions to launch a Denial of Service attack against a hard-coded list of Israeli and Jewish websites, identified in the file by IP address.

Website defacement

The worm tries to overwrite files in the \Inetpub\wwwroot folder:
  • default.asp
  • default.htm
  • default.html
  • index.asp
  • index.htm
  • index.html
The text reads: G02 WARNING! YOUR WEB SERVER HAS BEEN HACKED BY ANACON MELHACKER. Anacon G0t ya! By Melhacker

File deletion

The worm may delete all files on the C and D drives.

Symptoms

Presence of the files and Registry keys detailed below.

Method of Infection

This worm spreads via email, peer to peer file-sharing networks and by sharing itself from the victim machine.

Upon execution of an infected attachment, the following file is installed onto the victim machine:

%SysDir%\ANACON32.EXE

(where %SysDir% is the Windows System directory, eg. C:\WINDOWS\SYSTEM)

The following keys are set to hook system startup:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run "Under20" = C:\WINNT\SYSTEM32\\ANACON32.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ALM" = C:\WINNT\SYSTEM32\\ANACON32.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Services" = C:\WINNT\SYSTEM32\\ANACON32.EXE

The following key is added in order to share the local C:\ drive:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares "HACKERz"

The worm uses the Mirabilis ICQ Agent application key to launch itself upon starting up ICQ by adding the following keys (certain key names are random):

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip "Enable" = Yes

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip "Parameters" =

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip "Path" = C:\WINDOWS\SYSTEM\\SYSPOLY32.EXE

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip "Startup" = Data: C:\WINDOWS\SYSTEM\
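
A check for the persistence artifacts listed above over a collected registry export, added here as an example (not McAfee's tooling): it parses .reg text in the standard regedit export format and flags Run/RunServices values that point at the worm's binaries, the lanmanserver "HACKERz" share and the ICQ Agent Apps entry, whatever random name that subkey carries. The export below is constructed for this example, not a real capture.

```python
import re

PAYLOAD_NAMES = ("anacon32.exe", "syspoly32.exe")  # binaries named in the description
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Services)?$", re.I)
SHARES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares"
ICQ_APPS_RE = re.compile(r"\\Software\\Mirabilis\\ICQ\\Agent\\Apps\\[^\\]+$", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Yield (key, value name, data) from a .reg export; quoted string data is unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, data


def find_naco_persistence(reg_text):
    """Return (kind, key, value name, data) for every entry matching the worm's artifacts."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        # Last path component; the doubled backslash the worm writes leaves an empty component.
        exe = data.lower().rstrip("\\").split("\\")[-1]
        if RUN_KEY_RE.search(key) and exe in PAYLOAD_NAMES:
            hits.append(("autostart", key, name, data))
        elif key.lower() == SHARES_KEY.lower() and name == "HACKERz":
            hits.append(("share", key, name, data))
        elif ICQ_APPS_RE.search(key) and name == "Path" and exe in PAYLOAD_NAMES:
            hits.append(("icq-agent", key, name, data))
    return hits


# Constructed export for this example (not a real capture); .reg files double backslashes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALM"="C:\\WINNT\\SYSTEM32\\\\ANACON32.EXE"
"ctfmon.exe"="C:\\WINNT\\SYSTEM32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Services"="C:\\WINNT\\SYSTEM32\\\\ANACON32.EXE"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares]
"HACKERz"=hex(7):00,00
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip]
"Enable"="Yes"
"Path"="C:\\WINDOWS\\SYSTEM\\\\SYSPOLY32.EXE"
"""

if __name__ == "__main__":
    for hit in find_naco_persistence(SAMPLE_REG):
        print(hit)
```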

The following security-related applications are targeted. If found, their processes are terminated and the associated files are deleted (on Windows 9x by creating a WININIT.INI with the relevant NUL=%filename% entries).

  • Ackwin32.exe
  • Anti-Trojan.exe
  • Apvxdwin.exe
  • Autodown.exe
  • Avconsol.exe
  • Ave32.exe
  • Avgctrl.exe
  • Avkserv.exe
  • Avnt.exe
  • Avp32.exe
  • Avpcc.exe
  • Avpdos32.exe
  • Avpm.exe
  • Avptc32.exe
  • Avpupd.exe
  • Avsched32.exe
  • Avwin95.exe
  • Avwupd32.exe
  • Blackd.exe
  • Blackice.exe
  • Cfiadmin.exe
  • Cfiaudit.exe
  • Cfinet.exe
  • Cfinet32.exe
  • Claw95.exe
  • Claw95cf.exe
  • Cleaner.exe
  • Cleaner3.exe
  • Dvp95.exe
  • Dvp95_0.exe
  • Ecengine.exe
  • Esafe.exe
  • Espwatch.exe
  • F-Agnt95.exe
  • Findviru.exe
  • Fprot.exe
  • F-Prot.exe
  • F-Prot95.exe
  • F-Stopw.exe
  • Iamapp.exe
  • Iamserv.exe
  • Ibmasn.exe
  • Ibmavsp.exe
  • Icload95.exe
  • Icloadnt.exe
  • Icmon.exe
  • Icsupp95.exe
  • Icsuppnt.exe
  • Iface.exe
  • Iomon98.exe
  • Jedi.exe
  • Lockdown2000.exe
  • Lookout.exe
  • Luall.exe
  • Moolive.exe
  • Mpftray.exe
  • N32scanw.exe
  • Navapw32.exe
  • Navlu32.exe
  • Navnt.exe
  • Navw32.exe
  • Navwnt.exe
  • Nisum.exe
  • Nmain.exe
  • Normist.exe
  • Nupgrade.exe
  • Nvc95.exe
  • Outpost.exe
  • Padmin.exe
  • Pavcl.exe
  • Pavsched.exe
  • Pavw.exe
  • Pccwin98.exe
  • Pcfwallicon.exe
  • Persfw.exe
  • Rav7.exe
  • Rav7win.exe
  • Regedit.exe
  • Rescue.exe
  • Safeweb.exe
  • Scan32.exe
  • Scan95.exe
  • Scanpm.exe
  • Scrscan.exe
  • Serv95.exe
  • Sphinx.exe
  • Sweep95.exe
  • Tbscan.exe
  • Tds2-98.exe
  • Tds2-NT.exe
  • Vet95.exe
  • Vettray.exe
  • Vscan40.exe
  • Vsecomr.exe
  • Vshwin32.exe
  • Vsstat.exe
  • Webscanx.exe
  • Wfindv32.exe
  • Zonealarm.exe

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.