Naco.B worm was created by a virus writer called MelHacker to spread in e-mails, through P2P (peer-to-peer) networks. It is also designed to deface webservers that it infects. The worm contains backdoor and payload routines.
Disinfection & Removal
It should be noted that the worm has a few bugs and doesn't work properly on some computers.
When an infected file is run, it extracts the main worm's component as NACO.EXE and a batch file into temporary folder. The NACO.EXE file is copied as SYSPOLY32.EXE file into Windows System folder and a startup keys are created for that file in System Registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "PowerManagement" = "%winsysdir%\syspoly32.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AHU" = "%winsysdir%\syspoly32.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "InterceptedSystem" = "%winsysdir%\syspoly32.exe"
Where %winsysdir% represents Windows System directory. Also the worm creates the startup key for WARS.EXE file, but doesn't copy this file to Windows System folder.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Nocana" = "%winsysdir%\wars.exe"
Additionally the worm copies MSWINSCK.OCX library to Program Files folder and registers this OCX component.
After installation the worm starts spreading immediately. Messages sent by Naco.B worm can have one of the following subjects:
Do you happy? Great News! Check it out now! Just for Laught! TIPs: HOW TO JUMP PC TO PC VIA INTERNET? What New in TechTV! FoxNews Reporter: Hello! SARS Issue! Get Free XXX Web Porn! Oh, my girl! Crack - Download Accerelator Plus 5.3.9 Do you remember me? The ScreenSaver: Wireless Keyboard VBCode: Prevent Your Application From Crack Re: are you married?(1) Download WinZip 9.0 Beta Young and Dangerous 7 Alert! W32.Anacon.B@mm Worm Has been detected! Run for your life! Update: Microsoft Visual Studio .Net Your Password: jad8aadf08 Tired to Search Anonymous SMTP Server?
The infected message body looks like that:
Hello dear, I'm gonna missed you babe, hope we can see again! In Love, Rekcahlem ~<>~ Anacon
The attachment name is randomly selected from the following list:
anacon build force scan runtime hangup hungry thing against wars
The attachment's extension is .EXE and the worm does not use any tricks to run that attachment automatically. The worm generates a large amount of messages. However in some cases messages sent by the worm do not contain any attachments.
The worm can copy itself to shared folders of Kazaa, Grokster, BearShare, LimeWire, Edonkey2000 and Morpheus peer-to-peer clients with the following names:
The Matrix Evolution.mpg.exe The Matrix Reloaded Preview.jpg.exe Jonny English (JE).avi.exe DOOM III Demo.exe winamp3.exe JugdeDread.exe Microsoft Visual Studio.exe gangXcop.exe Upgrade you HandPhone.exe About SARS Solution.doc.exe Dont eat pork. SARS in there.jpg.exe VISE.exe MSVisual C++.exe QuickInstaller.exe Q111023.exe jdbgmgr.exe WindowsXP PowerToys.exe InternationalDictionary.exe EAGames.exe SEX_HOTorCOOL.exe
The worm tries to kill processes of anti-virus and security software and tries to delete their files:
Zonealarm.exe Wfindv32.exe Webscanx.exe Vsstat.exe Vshwin32.exe Vsecomr.exe Vscan40.exe Vettray.exe Vet95.exe Tds2-Nt.exe Tds2-98.exe Tca.exe Tbscan.exe Sweep95.exe Sphinx.exe Smc.exe Serv95.exe Scrscan.exe Scanpm.exe Scan95.exe Scan32.exe Safeweb.exe Regedit.exe Rescue.exe Rav7win.exe Rav7.exe Persfw.exe Pcfwallicon.exe Pccwin98.exe Pavw.exe Pavsched.exe Pavcl.exe Padmin.exe Outpost.exe Nvc95.exe Nupgrade.exe Normist.exe Nmain.exe Nisum.exe Navwnt.exe Navw32.exe Navnt.exe Navlu32.exe Navapw32.exe N32scanw.exe Mpftray.exe Moolive.exe Luall.exe Lookout.exe Lockdown2000.exe Jedi.exe Iomon98.exe Iface.exe Icsuppnt.exe Icsupp95.exe Icmon.exe Icloadnt.exe Icload95.exe Ibmavsp.exe Ibmasn.exe Iamserv.exe Iamapp.exe Frw.exe Fprot.exe Fp-Win.exe FindViru.exe f-Stopw.exe f-Prot95.exe f-Prot.exe f-Agnt95.exe Espwatch.exe Esafe.exe Ecengine.exe Dvp95_0.exe Dvp95.exe Cleaner3.exe Cleaner.exe Claw95cf.exe Claw95.exe Cfinet32.exe Cfinet.exe Cfiaudit.exe Cfiadmin.exe Blackice.exe Blackd.exe Avwupd32.exe Avwin95.exe Avshed32.exe Avpupd.exe Avptc32.exe Avpm.exe Avpdos32.exe Avpcc.exe Avp32.exe Avp.exe Avnt.exe Avkonsol.exe Avgctrl.exe Ave32.exe Avconsol.exe AutoDown.exe Avpxdwin.exe Anti-Trojan.exe Ackwin32.exe _Avpm.exe _Avpcc.exe _Avp32.exe
If the worm locates a webserver on an infected computer, it defaces it by renaming the startup page files and replacing them with its own ones. The defaced webserver shows the following message:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE Anacon G0t ya! By Melhacker - dA r34L #4(k3R!
The worm contains a backdoor routine that can provide a limited access to an infected system for remote hackers.
The worm has a dangerous time-triggered payload. On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th day of a month it can delete all files on C: drive, in current directory and it can also format D: drive.
When the payload is activated, the worm displays a messagebox:
Anacon W0rm The only I have to say is, I need you babe!
Additionally the worm tries to share hard drives of an infected computer, so they could be accessible from Internet.
The worm can perform a DoS (Denial of Service) attack on the following servers:
126.96.36.199 (Israel Ministry of Foreign Affairs) 188.8.131.52 184.108.40.206 (Israel.com) 220.127.116.11 (Arutz Sheva - Israel National News) 18.104.22.168 22.214.171.124 (Jewish Virtual Library) 126.96.36.199 188.8.131.52 (Israel Travel and Hotels Guide) 184.108.40.206 (United States embassy in Israel) 220.127.116.11
Detection of Naco.B worm is available in the following updates:
Detection Type: PC
Description Created: Alexey Podrezov; F-Secure Corp.; May 26-27th, 2003