It should be noted that the worm has a few bugs and doesn't work properly on some computers.
When an infected file is run, it extracts the main worm component as NACO.EXE, together with a batch file, into the temporary folder. NACO.EXE is then copied to the Windows System folder as SYSPOLY32.EXE, and startup keys for that file are created in the System Registry:
"PowerManagement" = "%winsysdir%\syspoly32.exe"
"AHU" = "%winsysdir%\syspoly32.exe"
"InterceptedSystem" = "%winsysdir%\syspoly32.exe"
Where %winsysdir% represents the Windows System directory. The worm also creates a startup key for a WARS.EXE file, but does not copy this file to the Windows System folder:
"Nocana" = "%winsysdir%\wars.exe"
Additionally, the worm copies the MSWINSCK.OCX library to the Program Files folder and registers this OCX component.
After installation the worm starts spreading immediately. Messages sent by the Naco.B worm can have one of the following subjects:
Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?
The infected message body looks like this:
I'm gonna missed you babe, hope we can see again!
Rekcahlem ~ ~ Anacon
The attachment name is randomly selected from the following list:
The attachment's extension is .EXE, and the worm does not use any tricks to run the attachment automatically. The worm generates a large number of messages. However, in some cases messages sent by the worm do not contain any attachments.
The worm can copy itself to the shared folders of the Kazaa, Grokster, BearShare, LimeWire, Edonkey2000 and Morpheus peer-to-peer clients with the following names:
The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
Microsoft Visual Studio.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
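The registry value names and the peer-to-peer share names listed above can be turned into a simple host check. The following is an added example written for this description, not code from the original page or from any vendor tool; it assumes the autostart values have been exported as a name-to-command mapping (the description does not name the exact Run key), and the file listings and registry values used as input are constructed samples.

```python
import re

# Autostart value names and executables as given in the description above.
NACO_B_RUN_VALUES = {"PowerManagement", "AHU", "InterceptedSystem", "Nocana"}
NACO_B_BINARIES = {"syspoly32.exe", "wars.exe"}

# Peer-to-peer share names as given in the description above (lower-cased).
NACO_B_SHARE_NAMES = {
    "the matrix evolution.mpg.exe", "the matrix reloaded preview.jpg.exe",
    "jonny english (je).avi.exe", "doom iii demo.exe",
    "microsoft visual studio.exe", "upgrade you handphone.exe",
    "about sars solution.doc.exe", "dont eat pork. sars in there.jpg.exe",
}
# Lure pattern: a media/document extension placed just before the real .exe suffix.
DOUBLE_EXT = re.compile(r"\.(mpg|mpeg|avi|jpe?g|gif|doc|txt|mp3)\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    # Last path component for either Windows or POSIX separators.
    return re.split(r"[\\/]", path)[-1]


def check_run_values(values: dict) -> list:
    """Flag autostart entries (value name -> command) matching the worm's persistence.
    A hit is a known value name, or a command whose executable is one of the worm's
    file names even if it was stored under a different value name."""
    hits = []
    for name, command in values.items():
        parts = command.strip().strip('"').split()
        exe = basename(parts[0]).lower() if parts else ""
        if name in NACO_B_RUN_VALUES or exe in NACO_B_BINARIES:
            hits.append(name)
    return sorted(hits)


def classify_share_file(path: str) -> str:
    """'known' for a listed worm name, 'suspicious' for a double-extension lure, else 'clean'."""
    base = basename(path)
    if base.lower() in NACO_B_SHARE_NAMES:
        return "known"
    if DOUBLE_EXT.search(base):
        return "suspicious"
    return "clean"


# Constructed sample input (assumption): an autostart export and a shared-folder listing.
SAMPLE_RUN = {
    "PowerManagement": r"C:\WINDOWS\System32\syspoly32.exe",
    "Nocana": r"C:\WINDOWS\System32\wars.exe",
    "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
}
SAMPLE_SHARE = [
    r"C:\Program Files\Kazaa\My Shared Folder\The Matrix Evolution.mpg.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\holiday.jpg",
    r"C:\Program Files\Kazaa\My Shared Folder\New Album.mp3.exe",
]
```

Note that the Nocana value is flagged on its name alone, since the description says the worm registers WARS.EXE without ever copying that file to the system folder.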
The worm tries to kill the processes of anti-virus and security software and tries to delete their files:
If the worm locates a web server on an infected computer, it defaces it by renaming the startup page files and replacing them with its own. The defaced web server shows the following message:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!,
Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!
The worm contains a backdoor routine that can give remote attackers limited access to an infected system.
The worm has a dangerous time-triggered payload. On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th day of a month it can delete all files on the C: drive and in the current directory, and it can also format the D: drive.
When the payload is activated, the worm displays a message box:
The only I have to say is, I need you babe!
Additionally, the worm tries to share the hard drives of an infected computer so that they are accessible from the Internet.
The worm can perform a DoS (Denial of Service) attack on the following servers:
(Israel Ministry of Foreign Affairs)
220.127.116.11 (Arutz Sheva - Israel National News)
18.104.22.168 (Jewish Virtual Library)
22.214.171.124 (Israel Travel and Hotels Guide)
(United States embassy in Israel)