Note that the worm has several bugs and does not work properly on some computers.
When an infected file is run, it extracts the worm's main component as NACO.EXE,
together with a batch file, into the temporary folder. NACO.EXE is then copied
to the Windows System folder as SYSPOLY32.EXE, and startup keys pointing to that
file are created in the System Registry:
"PowerManagement" = "%winsysdir%\syspoly32.exe"
"AHU" = "%winsysdir%\syspoly32.exe"
"InterceptedSystem" = "%winsysdir%\syspoly32.exe"
Here %winsysdir% stands for the Windows System directory. The worm also creates
a startup key for a WARS.EXE file, but never copies that file to the Windows
System folder:
"Nocana" = "%winsysdir%\wars.exe"
Additionally the worm copies the MSWINSCK.OCX library (the Microsoft Winsock
control) to the Program Files folder and registers this OCX component.
After installation the worm starts spreading immediately.
Messages sent by the Naco.B worm have one of the following subjects:
Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?
The infected message body looks like this:
I'm gonna missed you babe, hope we can see again!
Rekcahlem ~<>~ Anacon
The attachment name is randomly selected from the following list:
The attachment's extension is .EXE, and the worm does not use any tricks to run
the attachment automatically. The worm generates a large number of messages. In
some cases, however, messages sent by the worm contain no attachment at all.
The worm can copy itself to the shared folders of the Kazaa, Grokster,
BearShare, LimeWire, Edonkey2000 and Morpheus peer-to-peer clients under the
following names:
The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
Microsoft Visual Studio.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
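The startup values, the e-mail subject/body/attachment pattern and the P2P lure names above are the indicators an incident responder would check for on a suspect machine. The following script is an added example (not F-Secure's code and not part of the original description) that runs those checks offline over constructed sample data: a .reg-style export, a share-folder listing and two mail messages. The Run key path used in the sample export is an assumption, since the description names the startup value names but not the key that holds them; everything else is taken from the lists above. The double-extension regex deliberately generalises beyond the listed lure names, so a renamed copy using the same .jpg.exe / .doc.exe trick is still flagged.

```python
"""Offline triage helpers for the Naco.B (Anacon.B) indicators described above.
Added example, not F-Secure code. All sample inputs are constructed, and the
Run key path in SAMPLE_REG_EXPORT is an assumption (the description gives the
value names, not the key)."""
import re
from dataclasses import dataclass, field

# Startup value names quoted in the description -> image each should point at.
NACO_RUN_VALUES = {
    "PowerManagement": "syspoly32.exe",
    "AHU": "syspoly32.exe",
    "InterceptedSystem": "syspoly32.exe",
    "Nocana": "wars.exe",
}

# Subset of the subject lines quoted above, plus the body signature line.
NACO_SUBJECTS = {
    "Do you happy?",
    "Great News! Check it out now!",
    "Alert! W32.Anacon.B@mm Worm Has been detected!",
    "Your Password: jad8aadf08",
    "Tired to Search Anonymous SMTP Server?",
}
NACO_BODY_SIGNATURE = "Rekcahlem ~<>~ Anacon"

# P2P lure names from the description; DOUBLE_EXT generalises the
# media/document-suffix-hides-.exe trick beyond the listed names.
NACO_P2P_NAMES = {
    "The Matrix Evolution.mpg.exe",
    "The Matrix Reloaded Preview.jpg.exe",
    "Jonny English (JE).avi.exe",
    "DOOM III Demo.exe",
    "Microsoft Visual Studio.exe",
    "Upgrade you HandPhone.exe",
    "About SARS Solution.doc.exe",
    "Dont eat pork. SARS in there.jpg.exe",
}
DOUBLE_EXT = re.compile(r"\.(mpg|jpg|avi|doc)\.exe$", re.IGNORECASE)
REG_VALUE = re.compile(r'"([^"]+)"="(.*)"$')


def find_run_values(reg_export: str) -> list:
    """Scan a .reg-style text export; return (key, value name, data) for every
    value whose name and image match the worm's startup entries."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if not m or current_key is None:
            continue
        # .reg exports escape backslashes as "\\"; undo that before matching.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        expected = NACO_RUN_VALUES.get(name)
        if expected and data.lower().endswith(expected):
            hits.append((current_key, name, data))
    return hits


def find_p2p_lures(filenames) -> list:
    """Return share-folder names that are known lures or use a double extension."""
    return [n for n in filenames if n in NACO_P2P_NAMES or DOUBLE_EXT.search(n)]


@dataclass
class MailMessage:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def score_message(msg: MailMessage) -> list:
    """Return the indicators one message matches (empty list means clean).
    Subject and body are checked independently of the attachment because the
    description notes that some worm messages carry no attachment."""
    reasons = []
    if msg.subject in NACO_SUBJECTS:
        reasons.append("subject")
    if NACO_BODY_SIGNATURE in msg.body:
        reasons.append("body-signature")
    if any(a.lower().endswith(".exe") for a in msg.attachments):
        reasons.append("exe-attachment")
    return reasons


# Constructed inputs (not real captures); the Run key path is assumed.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="C:\\WINDOWS\\SYSTEM32\\syspoly32.exe"
"AHU"="C:\\WINDOWS\\SYSTEM32\\syspoly32.exe"
"InterceptedSystem"="C:\\WINDOWS\\SYSTEM32\\syspoly32.exe"
"Nocana"="C:\\WINDOWS\\SYSTEM32\\wars.exe"
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"
'''
SAMPLE_SHARE = ["The Matrix Reloaded Preview.jpg.exe", "holiday photos.jpg",
                "setup.exe", "Upgrade you HandPhone.exe", "lecture notes.doc.EXE"]
SAMPLE_MAIL = [
    MailMessage("Do you happy?",
                "I'm gonna missed you babe, hope we can see again!\nRekcahlem ~<>~ Anacon",
                ["tips.exe"]),
    MailMessage("Re: meeting", "Agenda attached.", ["agenda.pdf"]),
]

if __name__ == "__main__":
    for hit in find_run_values(SAMPLE_REG_EXPORT):
        print("startup value:", hit)
    print("lures:", find_p2p_lures(SAMPLE_SHARE))
    for m in SAMPLE_MAIL:
        print(repr(m.subject), "->", score_message(m) or "clean")
```

On a real case the .reg text would come from exporting the Run keys of the suspect machine, the share listing from the P2P clients' download folders, and the messages from the mail server's quarantine; the functions themselves need no Windows APIs, so the triage can be done from any analysis host.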
The worm tries to kill the processes of anti-virus and security software and
to delete their files:
If the worm finds a web server on an infected computer, it defaces it by
renaming the start page files and replacing them with its own. The defaced
web server shows the following text:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!,
Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!
The worm contains a backdoor routine that can give remote attackers limited
access to an infected system.
The worm has a dangerous time-triggered payload. On the 1st, 4th, 8th, 12th,
16th, 20th, 24th and 28th day of a month it can delete all files on the C:
drive and in the current directory, and it can also format the D: drive.
When the payload is activated, the worm displays a messagebox:
The only I have to say is, I need you babe!
Additionally the worm tries to share the hard drives of an infected computer so
that they become accessible from the Internet.
The worm can perform a DoS (Denial of Service) attack on the following hosts:
126.96.36.199 (Israel Ministry of Foreign Affairs)
188.8.131.52 (Arutz Sheva - Israel National News)
184.108.40.206 (Jewish Virtual Library)
220.127.116.11 (Israel Travel and Hotels Guide)
18.104.22.168 (United States embassy in Israel)
Detection of Naco.B worm is available in the following updates:
[Description: Alexey Podrezov; F-Secure Corp.; May 26-27th, 2003]