Note that the worm has a few bugs and does not work properly on some computers.
When an infected file is run, it extracts the main worm component as NACO.EXE, together with a batch file, into the temporary folder. The NACO.EXE file is copied as SYSPOLY32.EXE into the Windows System folder, and startup keys for that file are created in the System Registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement" = "%winsysdir%\syspoly32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AHU" = "%winsysdir%\syspoly32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem" = "%winsysdir%\syspoly32.exe"
where %winsysdir% represents the Windows System directory. The worm also creates a startup key for a WARS.EXE file, but does not copy that file to the Windows System folder:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Nocana" = "%winsysdir%\wars.exe"
Additionally, the worm copies the MSWINSCK.OCX library to the Program Files folder and registers this OCX component.
After installation the worm starts spreading immediately. Messages sent by the Naco.B worm can have one of the following subjects:
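The startup entries listed above are the persistence indicators a responder would check for. The following is an added example, not part of the original description: it parses a registry export in .reg format (a constructed sample is embedded; the SYSTEM32 path and the extra value names are assumptions) and reports every Run/RunServices value that matches the worm's entries, including the stale WARS.EXE entry.

```python
import re

# Persistence entries described in the text: (key, value name) -> expected file name.
NACO_RUN_ENTRIES = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "PowerManagement"): "syspoly32.exe",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "AHU"): "syspoly32.exe",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "InterceptedSystem"): "syspoly32.exe",
    # Created by the worm even though wars.exe itself is never copied to the System folder.
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Nocana"): "wars.exe",
}


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes as "\\"; unescape them
                entries[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def find_naco_persistence(entries):
    """Return (key, value name, data) for each value matching a Naco.B startup entry."""
    hits = []
    for (key, name), exe in NACO_RUN_ENTRIES.items():
        data = entries.get(key, {}).get(name)
        if data and data.lower().endswith("\\" + exe):
            hits.append((key, name, data))
    return hits


# Constructed sample export (assumed paths); "AHU" points elsewhere and must not match.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="C:\\WINDOWS\\SYSTEM32\\syspoly32.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="C:\\WINDOWS\\SYSTEM32\\syspoly32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Nocana"="C:\\WINDOWS\\SYSTEM32\\wars.exe"
"AHU"="C:\\WINDOWS\\SYSTEM32\\notepad.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_naco_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{key}] \"{name}\" = {data}")
```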
Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?
The infected message body looks like this:
Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~ ~ Anacon
The attachment name is randomly selected from the following list:
anacon
build
force
scan
runtime
hangup
hungry
thing
against
wars
The attachment's extension is .EXE, and the worm does not use any tricks to run the attachment automatically. The worm generates a large number of messages; however, in some cases messages sent by the worm do not contain any attachment.
The worm can copy itself to the shared folders of the Kazaa, Grokster, BearShare, LimeWire, eDonkey2000 and Morpheus peer-to-peer clients under the following names:
The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
winamp3.exe
JugdeDread.exe
Microsoft Visual Studio.exe
gangXcop.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
VISE.exe
MSVisual C++.exe
QuickInstaller.exe
Q111023.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
InternationalDictionary.exe
EAGames.exe
SEX_HOTorCOOL.exe
The worm tries to kill the processes of anti-virus and security software and to delete their files:
Zonealarm.exe
Wfindv32.exe
Webscanx.exe
Vsstat.exe
Vshwin32.exe
Vsecomr.exe
Vscan40.exe
Vettray.exe
Vet95.exe
Tds2-Nt.exe
Tds2-98.exe
Tca.exe
Tbscan.exe
Sweep95.exe
Sphinx.exe
Smc.exe
Serv95.exe
Scrscan.exe
Scanpm.exe
Scan95.exe
Scan32.exe
Safeweb.exe
Regedit.exe
Rescue.exe
Rav7win.exe
Rav7.exe
Persfw.exe
Pcfwallicon.exe
Pccwin98.exe
Pavw.exe
Pavsched.exe
Pavcl.exe
Padmin.exe
Outpost.exe
Nvc95.exe
Nupgrade.exe
Normist.exe
Nmain.exe
Nisum.exe
Navwnt.exe
Navw32.exe
Navnt.exe
Navlu32.exe
Navapw32.exe
N32scanw.exe
Mpftray.exe
Moolive.exe
Luall.exe
Lookout.exe
Lockdown2000.exe
Jedi.exe
Iomon98.exe
Iface.exe
Icsuppnt.exe
Icsupp95.exe
Icmon.exe
Icloadnt.exe
Icload95.exe
Ibmavsp.exe
Ibmasn.exe
Iamserv.exe
Iamapp.exe
Frw.exe
Fprot.exe
Fp-Win.exe
FindViru.exe
f-Stopw.exe
f-Prot95.exe
f-Prot.exe
f-Agnt95.exe
Espwatch.exe
Esafe.exe
Ecengine.exe
Dvp95_0.exe
Dvp95.exe
Cleaner3.exe
Cleaner.exe
Claw95cf.exe
Claw95.exe
Cfinet32.exe
Cfinet.exe
Cfiaudit.exe
Cfiadmin.exe
Blackice.exe
Blackd.exe
Avwupd32.exe
Avwin95.exe
Avshed32.exe
Avpupd.exe
Avptc32.exe
Avpm.exe
Avpdos32.exe
Avpcc.exe
Avp32.exe
Avp.exe
Avnt.exe
Avkonsol.exe
Avgctrl.exe
Ave32.exe
Avconsol.exe
AutoDown.exe
Avpxdwin.exe
Anti-Trojan.exe
Ackwin32.exe
_Avpm.exe
_Avpcc.exe
_Avp32.exe
If the worm locates a web server on an infected computer, it defaces it by renaming the start page files and replacing them with its own. The defaced web server shows the following message:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!,
Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!
The worm contains a backdoor routine that can provide limited access to an infected system for remote hackers.
The worm has a dangerous time-triggered payload. On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th day of a month it can delete all files on the C: drive and in the current directory, and it can also format the D: drive.
When the payload is activated, the worm displays a message box:
Anacon W0rm
The only I have to say is, I need you babe!
Additionally, the worm tries to share the hard drives of an infected computer so that they can be accessed from the Internet.
The worm can perform a DoS (Denial of Service) attack on a hard-coded list of servers.