Naco.B

Threat description

Details

Summary

The Naco.B worm was created by a virus writer called MelHacker. It spreads by e-mail and through P2P (peer-to-peer) networks, and it is also designed to deface web servers on the computers it infects. The worm contains backdoor and payload routines.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

It should be noted that the worm has a few bugs and doesn't work properly on some computers.

When an infected file is run, it extracts the worm's main component as NACO.EXE, together with a batch file, into the temporary folder. NACO.EXE is then copied to the Windows System folder as SYSPOLY32.EXE, and startup keys for that file are created in the System Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement" = "%winsysdir%\syspoly32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AHU" = "%winsysdir%\syspoly32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem" = "%winsysdir%\syspoly32.exe"

Here %winsysdir% represents the Windows System directory. The worm also creates a startup key for a WARS.EXE file, but it does not copy any such file to the Windows System folder.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Nocana" = "%winsysdir%\wars.exe"

Additionally, the worm copies the MSWINSCK.OCX library to the Program Files folder and registers this OCX component.
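The registry entries listed above are the worm's persistence mechanism, and they are what an analyst checks first when confirming an infection. As an added example (not F-Secure's code and not part of this description), the following Python parses a text registry export in .reg format and reports autostart values under the Run and RunServices keys whose target file is one of the worm's file names, noting whether the value name is one of the four documented here. The sample export is constructed for illustration; the SoundTray/sndtray.exe entry is a made-up benign value included to show that ordinary autostart entries are not reported.

```python
import re

# Autostart value names and target file names documented for Naco.B above
KNOWN_VALUE_NAMES = {"PowerManagement", "AHU", "InterceptedSystem", "Nocana"}
WORM_FILE_NAMES = {"syspoly32.exe", "wars.exe"}

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse the [key] and "name"="data" lines of a .reg export into {(key, name): data}.

    Only string (REG_SZ) values are considered, which is all the worm writes here;
    the header line, blank lines and other value types are skipped.
    """
    entries = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and current_key is not None:
            # .reg files escape backslashes as \\; undo that so paths compare naturally
            entries[(current_key, m.group("name"))] = m.group("data").replace("\\\\", "\\")
    return entries


def is_autostart_key(key):
    """True for the per-user and per-machine Run keys and the RunServices key."""
    k = key.lower()
    return k.endswith(r"\currentversion\run") or k.endswith(r"\currentversion\runservices")


def find_naco_persistence(entries):
    """Return [(key, name, data, known_name)] for autostart values launching the worm's files.

    Matching on the target file name rather than the value name also catches a
    variant that keeps the file names but registers them under a different value.
    """
    hits = []
    for (key, name), data in entries.items():
        if not is_autostart_key(key):
            continue
        target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if target in WORM_FILE_NAMES:
            hits.append((key, name, data, name in KNOWN_VALUE_NAMES))
    return hits


# Constructed sample export modelled on the keys listed above (not a real capture).
# SoundTray/sndtray.exe is a made-up benign entry that must not be reported.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AHU"="C:\\WINDOWS\\SYSTEM\\syspoly32.exe"
"Nocana"="C:\\WINDOWS\\SYSTEM\\wars.exe"
"SoundTray"="C:\\WINDOWS\\SYSTEM\\sndtray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="C:\\WINDOWS\\SYSTEM\\syspoly32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="C:\\WINDOWS\\SYSTEM\\syspoly32.exe"
"""

if __name__ == "__main__":
    for key, name, data, known in find_naco_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        label = "known Naco.B value name" if known else "worm file under a new value name"
        print(f"{key}\\{name} -> {data}  [{label}]")
```

On the sample export the four documented entries are reported and the benign SoundTray value is not. Because the check keys on the file name in the value data, an entry such as "Nocana" is still reported even though, as noted above, the worm never actually drops WARS.EXE.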

After installation the worm starts spreading immediately. Messages sent by the Naco.B worm can have one of the following subjects:

Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?

The infected message body looks like this:

Hello dear,
I'm gonna missed you babe, hope we can see again!

In Love,

Rekcahlem ~ ~ Anacon

The attachment name is randomly selected from the following list:

anacon
build
force
scan
runtime
hangup
hungry
thing
against
wars

The attachment has an .EXE extension, and the worm does not use any tricks to run it automatically. The worm generates a large number of messages; however, in some cases the messages it sends contain no attachment at all.

The worm can copy itself to shared folders of Kazaa, Grokster, BearShare, LimeWire, Edonkey2000 and Morpheus peer-to-peer clients with the following names:

The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
winamp3.exe
JugdeDread.exe
Microsoft Visual Studio.exe
gangXcop.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
VISE.exe
MSVisual C++.exe
QuickInstaller.exe
Q111023.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
InternationalDictionary.exe
EAGames.exe
SEX_HOTorCOOL.exe
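The e-mail subjects, attachment names and body signature above, together with the P2P file names, are enough to write a simple content filter. As an added example (not F-Secure's code and not part of this description), the following Python checks a message against the documented Naco.B subjects and attachment stems, looks for the "Rekcahlem" signature the worm leaves in the body, and flags attachments that hide an executable behind a media or document extension, which generalises the "name.mpg.exe" / "name.jpg.exe" pattern seen in the P2P list to other extensions. The sample messages are constructed for illustration, not real captures.

```python
import re

# Subject lines documented for Naco.B above, lower-cased for comparison
NACO_SUBJECTS = {
    "do you happy?",
    "great news! check it out now!",
    "just for laught!",
    "tips: how to jump pc to pc via internet?",
    "what new in techtv!",
    "foxnews reporter: hello! sars issue!",
    "get free xxx web porn!",
    "oh, my girl!",
    "crack - download accerelator plus 5.3.9",
    "do you remember me?",
    "the screensaver: wireless keyboard",
    "vbcode: prevent your application from crack",
    "re: are you married?(1)",
    "download winzip 9.0 beta",
    "young and dangerous 7",
    "alert! w32.anacon.b@mm worm has been detected!",
    "run for your life!",
    "update: microsoft visual studio .net",
    "your password: jad8aadf08",
    "tired to search anonymous smtp server?",
}
# The ten attachment stems the worm picks from (always with an .exe extension)
NACO_ATTACHMENT_STEMS = {"anacon", "build", "force", "scan", "runtime",
                         "hangup", "hungry", "thing", "against", "wars"}
# Signature left in the message body ("Rekcahlem" is "Melhacker" spelled backwards)
BODY_SIGNATURE = "rekcahlem"

# A media or document extension immediately followed by .exe, as in the P2P names above.
# The extension list is an assumption that extends the page's .mpg/.jpg/.avi/.doc cases.
DOUBLE_EXTENSION = re.compile(r"\.(mpg|mpeg|avi|jpg|jpeg|gif|doc|txt|zip|mp3)\.exe$", re.IGNORECASE)


def is_naco_mail_attachment(filename):
    """True if the name is one of the worm's attachment stems with an .exe extension."""
    stem, dot, ext = filename.lower().rpartition(".")
    return dot == "." and ext == "exe" and stem in NACO_ATTACHMENT_STEMS


def is_double_extension_executable(filename):
    """True for names such as 'The Matrix Evolution.mpg.exe'."""
    return DOUBLE_EXTENSION.search(filename) is not None


def check_message(subject, body, attachments):
    """Return the reasons a message matches the Naco.B pattern (empty list if none)."""
    reasons = []
    if subject.strip().lower() in NACO_SUBJECTS:
        reasons.append("subject matches a known Naco.B subject")
    if BODY_SIGNATURE in body.lower():
        reasons.append("body carries the worm's 'Rekcahlem' signature")
    for name in attachments:
        if is_naco_mail_attachment(name):
            reasons.append(f"attachment {name!r} matches a Naco.B attachment name")
        elif is_double_extension_executable(name):
            reasons.append(f"attachment {name!r} is an executable with a disguised double extension")
    return reasons


# Constructed sample messages (not real captures): one worm message, one clean
# message, and one carrying a P2P-style double-extension lure.
SAMPLE_MESSAGES = [
    {"subject": "Do you happy?",
     "body": "Hello dear,\nI'm gonna missed you babe, hope we can see again!\n\nIn Love,\n\nRekcahlem ~ ~ Anacon",
     "attachments": ["hungry.exe"]},
    {"subject": "Re: quarterly report",
     "body": "Attached is the report we discussed.",
     "attachments": ["report.doc"]},
    {"subject": "Check this out",
     "body": "Found this in the shared folder.",
     "attachments": ["The Matrix Reloaded Preview.jpg.exe"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = check_message(msg["subject"], msg["body"], msg["attachments"]) or ["clean"]
        print(f"{msg['subject']!r}: " + "; ".join(verdict))
```

The first sample trips all three checks, the second none, and the third only the double-extension check. Since the description notes that some worm messages carry no attachment, the subject and body checks are kept independent of the attachment check rather than requiring all three to agree.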

The worm tries to terminate the processes of anti-virus and security software and to delete their files. The targeted process names are:

Zonealarm.exe
Wfindv32.exe
Webscanx.exe
Vsstat.exe
Vshwin32.exe
Vsecomr.exe
Vscan40.exe
Vettray.exe
Vet95.exe
Tds2-Nt.exe
Tds2-98.exe
Tca.exe
Tbscan.exe
Sweep95.exe
Sphinx.exe
Smc.exe
Serv95.exe
Scrscan.exe
Scanpm.exe
Scan95.exe
Scan32.exe
Safeweb.exe
Regedit.exe
Rescue.exe
Rav7win.exe
Rav7.exe
Persfw.exe
Pcfwallicon.exe
Pccwin98.exe
Pavw.exe
Pavsched.exe
Pavcl.exe
Padmin.exe
Outpost.exe
Nvc95.exe
Nupgrade.exe
Normist.exe
Nmain.exe
Nisum.exe
Navwnt.exe
Navw32.exe
Navnt.exe
Navlu32.exe
Navapw32.exe
N32scanw.exe
Mpftray.exe
Moolive.exe
Luall.exe
Lookout.exe
Lockdown2000.exe
Jedi.exe
Iomon98.exe
Iface.exe
Icsuppnt.exe
Icsupp95.exe
Icmon.exe
Icloadnt.exe
Icload95.exe
Ibmavsp.exe
Ibmasn.exe
Iamserv.exe
Iamapp.exe
Frw.exe
Fprot.exe
Fp-Win.exe
FindViru.exe
f-Stopw.exe
f-Prot95.exe
f-Prot.exe
f-Agnt95.exe
Espwatch.exe
Esafe.exe
Ecengine.exe
Dvp95_0.exe
Dvp95.exe
Cleaner3.exe
Cleaner.exe
Claw95cf.exe
Claw95.exe
Cfinet32.exe
Cfinet.exe
Cfiaudit.exe
Cfiadmin.exe
Blackice.exe
Blackd.exe
Avwupd32.exe
Avwin95.exe
Avshed32.exe
Avpupd.exe
Avptc32.exe
Avpm.exe
Avpdos32.exe
Avpcc.exe
Avp32.exe
Avp.exe
Avnt.exe
Avkonsol.exe
Avgctrl.exe
Ave32.exe
Avconsol.exe
AutoDown.exe
Avpxdwin.exe
Anti-Trojan.exe
Ackwin32.exe
_Avpm.exe
_Avpcc.exe
_Avp32.exe

If the worm finds a web server on an infected computer, it defaces it by renaming the server's start page files and replacing them with its own. The defaced web server shows the following message:

I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!,
 Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!

The worm contains a backdoor routine that can give remote attackers limited access to an infected system.

The worm has a dangerous time-triggered payload. On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th day of a month it can delete all files on the C: drive and in the current directory, and it can also format the D: drive.

When the payload is activated, the worm displays a message box:

Anacon W0rm
The only I have to say is, I need you babe!

Additionally, the worm tries to share the hard drives of an infected computer so that they become accessible from the Internet.

The worm can perform a DoS (Denial of Service) attack on the following servers:

212.143.236.4 (Israel Ministry of Foreign Affairs)
62.154.244.36
209.61.182.140 (Israel.com)
198.65.148.153 (Arutz Sheva - Israel National News)
212.150.63.115
208.40.175.222 (Jewish Virtual Library)
161.58.232.244
161.58.197.155 (Israel Travel and Hotels Guide)
194.90.114.5 (United States embassy in Israel)
147.237.72.91

Detection

Detection of Naco.B worm is available in the following updates:

Detection Type: PC

Database: 2003-05-26_04
