Threat Description

Naco.B

Details

Aliases: Naco.B, I-Worm.Nocana.b, Nocana, Naco_B, Naco, Anacon
Category: Malware
Type:
Platform: W32

Summary



Naco.B is a worm written by a virus writer known as MelHacker. It spreads through e-mail and through P2P (peer-to-peer) networks, and it is also designed to deface web servers on the computers it infects. The worm contains backdoor and payload routines.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



It should be noted that the worm has a few bugs and doesn't work properly on some computers.

When an infected file is run, it extracts the worm's main component as NACO.EXE, together with a batch file, into the temporary folder. The NACO.EXE file is then copied to the Windows System folder as SYSPOLY32.EXE, and startup keys for that file are created in the System Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement" = "%winsysdir%\syspoly32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AHU" = "%winsysdir%\syspoly32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem" = "%winsysdir%\syspoly32.exe"

Here %winsysdir% represents the Windows System directory. The worm also creates a startup key for a WARS.EXE file, but it does not copy that file to the Windows System folder:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Nocana" = "%winsysdir%\wars.exe"

Additionally, the worm copies the MSWINSCK.OCX library to the Program Files folder and registers this OCX component.
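The startup values listed above are the easiest persistence artefacts to hunt for. The following added example (not F-Secure's tool) parses a Windows registry export (.reg text) offline and flags the Naco.B startup values, as well as any other Run/RunServices value that points at the worm's file names; the sample export is constructed for the example.

```python
import re

# Persistence entries listed in the description above, normalised to lower case:
# (registry key, value name) -> file the value is expected to point at.
NACO_B_RUN_VALUES = {
    (r"hkey_current_user\software\microsoft\windows\currentversion\run", "powermanagement"): "syspoly32.exe",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "ahu"): "syspoly32.exe",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\runservices", "interceptedsystem"): "syspoly32.exe",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "nocana"): "wars.exe",
}
NACO_B_FILES = {"syspoly32.exe", "wars.exe"}
AUTORUN_SUFFIXES = (r"\run", r"\runservices")

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"(.*?)"\s*=\s*"(.*)"$', line)
            if m:  # .reg files escape backslashes in string data as \\
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_naco_b(text):
    """Return a list of (key, value_name, data, reason) for suspicious values."""
    hits = []
    for key, name, data in parse_reg_export(text):
        key_l, name_l = key.lower(), name.lower()
        filename = data.rsplit("\\", 1)[-1].lower()  # last path component
        if NACO_B_RUN_VALUES.get((key_l, name_l)) == filename:
            hits.append((key, name, data, "known Naco.B startup value"))
        elif key_l.endswith(AUTORUN_SUFFIXES) and filename in NACO_B_FILES:
            hits.append((key, name, data, "Naco.B file name under another value"))
    return hits

# Constructed sample export (not a real capture): two listed values, one benign
# value, and one worm file name registered under a value name not on the list.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="C:\\WINDOWS\\SYSTEM\\syspoly32.exe"
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Nocana"="C:\\WINDOWS\\SYSTEM\\wars.exe"
"Updater"="C:\\WINDOWS\\SYSTEM\\syspoly32.exe"
"""
```

Run `find_naco_b(SAMPLE_REG)` to see the three flagged entries; on a real host, feed it the output of `reg export` for the Run and RunServices keys.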

After installation, the worm starts spreading immediately. Messages sent by the Naco.B worm can have one of the following subjects:

Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?

The body of an infected message looks like this:

Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon

The attachment name is randomly selected from the following list:

anacon
build
force
scan
runtime
hangup
hungry
thing
against
wars

The attachment's extension is .EXE, and the worm does not use any tricks to run the attachment automatically. The worm generates a large number of messages. However, in some cases the messages it sends do not contain any attachment.
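Because the worm relies on fixed subjects and a fixed set of attachment names, a mail gateway can flag its messages from those indicators alone. This added example (not from F-Secure) parses a raw message with Python's email package and reports which Naco.B indicators it carries; it also handles the attachment-less messages mentioned above, since the subject check is independent of the attachment check. The sample message is constructed, with dummy attachment bytes.

```python
from email import message_from_string, policy

# Indicators taken from the description above, compared case-insensitively.
NACO_B_SUBJECTS = {s.lower() for s in (
    "Do you happy?", "Great News! Check it out now!", "Just for Laught!",
    "TIPs: HOW TO JUMP PC TO PC VIA INTERNET?", "What New in TechTV!",
    "FoxNews Reporter: Hello! SARS Issue!", "Get Free XXX Web Porn!",
    "Oh, my girl!", "Crack - Download Accerelator Plus 5.3.9",
    "Do you remember me?", "The ScreenSaver: Wireless Keyboard",
    "VBCode: Prevent Your Application From Crack", "Re: are you married?(1)",
    "Download WinZip 9.0 Beta", "Young and Dangerous 7",
    "Alert! W32.Anacon.B@mm Worm Has been detected!", "Run for your life!",
    "Update: Microsoft Visual Studio .Net", "Your Password: jad8aadf08",
    "Tired to Search Anonymous SMTP Server?",
)}
NACO_B_ATTACHMENTS = {"anacon", "build", "force", "scan", "runtime",
                      "hangup", "hungry", "thing", "against", "wars"}

def naco_b_mail_indicators(raw_message):
    """Return the list of Naco.B indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    subject = " ".join((msg["Subject"] or "").split()).lower()  # fold whitespace
    if subject in NACO_B_SUBJECTS:
        found.append("subject matches Naco.B list")
    for part in msg.iter_attachments():  # empty for single-part messages
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        # The worm sends <name>.EXE and relies on the user running it.
        if ext == "exe" and stem in NACO_B_ATTACHMENTS:
            found.append(f"attachment {name} matches Naco.B list")
    return found

# Constructed sample message (not a real capture); "AAAA" stands in for the file.
SAMPLE_MAIL = """\
Subject: Oh, my girl!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="hungry.exe"
Content-Disposition: attachment; filename="hungry.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```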

The worm can copy itself to the shared folders of the Kazaa, Grokster, BearShare, LimeWire, Edonkey2000 and Morpheus peer-to-peer clients under the following names:

The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
winamp3.exe
JugdeDread.exe
Microsoft Visual Studio.exe
gangXcop.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
VISE.exe
MSVisual C++.exe
QuickInstaller.exe
Q111023.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
InternationalDictionary.exe
EAGames.exe
SEX_HOTorCOOL.exe

The worm tries to kill the processes of anti-virus and security software and to delete their files:

Zonealarm.exe
Wfindv32.exe
Webscanx.exe
Vsstat.exe
Vshwin32.exe
Vsecomr.exe
Vscan40.exe
Vettray.exe
Vet95.exe
Tds2-Nt.exe
Tds2-98.exe
Tca.exe
Tbscan.exe
Sweep95.exe
Sphinx.exe
Smc.exe
Serv95.exe
Scrscan.exe
Scanpm.exe
Scan95.exe
Scan32.exe
Safeweb.exe
Regedit.exe
Rescue.exe
Rav7win.exe
Rav7.exe
Persfw.exe
Pcfwallicon.exe
Pccwin98.exe
Pavw.exe
Pavsched.exe
Pavcl.exe
Padmin.exe
Outpost.exe
Nvc95.exe
Nupgrade.exe
Normist.exe
Nmain.exe
Nisum.exe
Navwnt.exe
Navw32.exe
Navnt.exe
Navlu32.exe
Navapw32.exe
N32scanw.exe
Mpftray.exe
Moolive.exe
Luall.exe
Lookout.exe
Lockdown2000.exe
Jedi.exe
Iomon98.exe
Iface.exe
Icsuppnt.exe
Icsupp95.exe
Icmon.exe
Icloadnt.exe
Icload95.exe
Ibmavsp.exe
Ibmasn.exe
Iamserv.exe
Iamapp.exe
Frw.exe
Fprot.exe
Fp-Win.exe
FindViru.exe
f-Stopw.exe
f-Prot95.exe
f-Prot.exe
f-Agnt95.exe
Espwatch.exe
Esafe.exe
Ecengine.exe
Dvp95_0.exe
Dvp95.exe
Cleaner3.exe
Cleaner.exe
Claw95cf.exe
Claw95.exe
Cfinet32.exe
Cfinet.exe
Cfiaudit.exe
Cfiadmin.exe
Blackice.exe
Blackd.exe
Avwupd32.exe
Avwin95.exe
Avshed32.exe
Avpupd.exe
Avptc32.exe
Avpm.exe
Avpdos32.exe
Avpcc.exe
Avp32.exe
Avp.exe
Avnt.exe
Avkonsol.exe
Avgctrl.exe
Ave32.exe
Avconsol.exe
AutoDown.exe
Avpxdwin.exe
Anti-Trojan.exe
Ackwin32.exe
_Avpm.exe
_Avpcc.exe
_Avp32.exe

If the worm finds a web server on the infected computer, it defaces it by renaming the start page files and replacing them with its own. The defaced web server shows the following message:

I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!,
Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!

The worm contains a backdoor routine that can give remote attackers limited access to an infected system.

The worm has a dangerous time-triggered payload. On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th day of a month it can delete all files on the C: drive and in the current directory, and it can also format the D: drive.

When the payload is activated, the worm displays a message box:

Anacon W0rm
The only I have to say is, I need you babe!

Additionally, the worm tries to share the hard drives of an infected computer so that they can be accessed from the Internet.

The worm can perform a DoS (Denial of Service) attack on the following servers:

212.143.236.4 (Israel Ministry of Foreign Affairs)
62.154.244.36
209.61.182.140 (Israel.com)
198.65.148.153 (Arutz Sheva - Israel National News)
212.150.63.115
208.40.175.222 (Jewish Virtual Library)
161.58.232.244
161.58.197.155 (Israel Travel and Hotels Guide)
194.90.114.5 (United States embassy in Israel)
147.237.72.91


Detection


Detection of the Naco.B worm is available in the following updates:
Detection Type: PC
Database: 2003-05-26_04



Description Created: Alexey Podrezov; F-Secure Corp.; May 26-27th, 2003

