Threat Description

Naco.B

Details

Category: Malware
Platform: W32
Aliases: Naco.B, I-Worm.Nocana.b, Nocana, Naco_B, Naco, Anacon

Summary


The Naco.B worm was created by a virus writer called MelHacker to spread via e-mail and P2P (peer-to-peer) networks. It is also designed to deface webservers on the computers it infects. The worm contains backdoor and payload routines.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


It should be noted that the worm has a few bugs and doesn't work properly on some computers.

When an infected file is run, it extracts the main worm component as NACO.EXE, together with a batch file, into the temporary folder. NACO.EXE is then copied to the Windows System folder as SYSPOLY32.EXE, and startup keys for that file are created in the System Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement" = "%winsysdir%\syspoly32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AHU" = "%winsysdir%\syspoly32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem" = "%winsysdir%\syspoly32.exe"

Here %winsysdir% represents the Windows System directory. The worm also creates a startup key for a WARS.EXE file, but it does not copy this file to the Windows System folder:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Nocana" = "%winsysdir%\wars.exe"

Additionally, the worm copies the MSWINSCK.OCX library to the Program Files folder and registers this OCX component.
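As an added defender-side check (not part of the original description), the following Python parses a registry export and flags the autorun values and file names listed above; the .reg sample is constructed, and the System folder is assumed to be C:\WINDOWS\SYSTEM32. A second function flags autorun values whose target file is missing, which is exactly what the unbacked WARS.EXE key leaves behind.

```python
import re
# Autorun subkeys, value names and file names taken from the description
# above; subkeys are compared lower-cased because the registry ignores case.
AUTORUN_SUBKEYS = {r"software\microsoft\windows\currentversion\run",
                   r"software\microsoft\windows\currentversion\runservices"}
NACO_B_VALUE_NAMES = {"powermanagement", "ahu", "interceptedsystem", "nocana"}
NACO_B_BINARIES = {"syspoly32.exe", "wars.exe"}
_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed .reg export (regedit "Export") for the demo; the System folder
# is assumed to be C:\WINDOWS\SYSTEM32. The ctfmon value is a benign decoy.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="C:\\WINDOWS\\SYSTEM32\\syspoly32.exe"
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AHU"="C:\\WINDOWS\\SYSTEM32\\syspoly32.exe"
"Nocana"="C:\\WINDOWS\\SYSTEM32\\wars.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="C:\\WINDOWS\\SYSTEM32\\syspoly32.exe"
'''

def parse_reg_export(text):
    """String values of a .reg export as (hive, subkey, name, data) tuples;
    the doubled backslashes .reg writes in data are collapsed to single ones."""
    entries, hive, subkey = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            hive, subkey = m.group(1), m.group(2)
        elif (m := _VALUE_RE.match(line)) and hive is not None:
            entries.append((hive, subkey, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def autorun_entries(entries):
    return [e for e in entries if e[1].lower() in AUTORUN_SUBKEYS]

def find_naco_b_autoruns(entries):
    """Autorun values whose name or target file name matches the worm."""
    hits = []
    for hive, subkey, name, data in autorun_entries(entries):
        target = data.lower().rsplit("\\", 1)[-1]
        if name.lower() in NACO_B_VALUE_NAMES or target in NACO_B_BINARIES:
            hits.append(f"{hive}\\{subkey}\\{name} -> {data}")
    return hits

def dangling_autoruns(entries, existing_files):
    """Autorun values whose target path is not in existing_files, a set of
    lower-cased paths passed in (instead of os.path.exists) to run offline."""
    return [f"{h}\\{s}\\{n} -> {d}" for h, s, n, d in autorun_entries(entries)
            if d.lower() not in existing_files]
```

Running find_naco_b_autoruns on the sample reports the four worm values and skips ctfmon; dangling_autoruns with a file list lacking wars.exe reports only the Nocana entry.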

After installation, the worm starts spreading immediately. Messages sent by the Naco.B worm can have one of the following subjects:

Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!  
Get Free XXX Web Porn!  
Oh, my girl!  
Crack - Download Accerelator Plus 5.3.9  
Do you remember me?  
The ScreenSaver: Wireless Keyboard  
VBCode: Prevent Your Application From Crack  
Re: are you married?(1)  
Download WinZip 9.0 Beta  
Young and Dangerous 7  
Alert! W32.Anacon.B@mm Worm Has been detected!  
Run for your life!  
Update: Microsoft Visual Studio .Net  
Your Password: jad8aadf08  
Tired to Search Anonymous SMTP Server?  

The infected message body looks like this:

Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~ ~ Anacon

The attachment name is randomly selected from the following list:

anacon
build
force
scan
runtime
hangup
hungry
thing
against
wars

The attachment's extension is .EXE, and the worm does not use any tricks to run the attachment automatically. The worm generates a large number of messages. However, in some cases messages sent by the worm do not contain any attachment.

The worm can copy itself to the shared folders of the Kazaa, Grokster, BearShare, LimeWire, Edonkey2000 and Morpheus peer-to-peer clients under the following names:

The Matrix Evolution.mpg.exe  
The Matrix Reloaded Preview.jpg.exe  
Jonny English (JE).avi.exe  
DOOM III Demo.exe  
winamp3.exe  
JugdeDread.exe  
Microsoft Visual Studio.exe  
gangXcop.exe  
Upgrade you HandPhone.exe  
About SARS Solution.doc.exe  
Dont eat pork. SARS in there.jpg.exe  
VISE.exe  
MSVisual C++.exe  
QuickInstaller.exe  
Q111023.exe  
jdbgmgr.exe  
WindowsXP PowerToys.exe  
InternationalDictionary.exe  
EAGames.exe  
SEX_HOTorCOOL.exe  

The worm tries to kill the processes of anti-virus and security software and to delete their files:

Zonealarm.exe  
Wfindv32.exe  
Webscanx.exe  
Vsstat.exe  
Vshwin32.exe  
Vsecomr.exe  
Vscan40.exe  
Vettray.exe  
Vet95.exe  
Tds2-Nt.exe  
Tds2-98.exe  
Tca.exe  
Tbscan.exe  
Sweep95.exe  
Sphinx.exe  
Smc.exe  
Serv95.exe  
Scrscan.exe  
Scanpm.exe  
Scan95.exe  
Scan32.exe  
Safeweb.exe  
Regedit.exe  
Rescue.exe  
Rav7win.exe  
Rav7.exe  
Persfw.exe  
Pcfwallicon.exe  
Pccwin98.exe  
Pavw.exe  
Pavsched.exe  
Pavcl.exe  
Padmin.exe  
Outpost.exe  
Nvc95.exe  
Nupgrade.exe  
Normist.exe  
Nmain.exe  
Nisum.exe  
Navwnt.exe  
Navw32.exe  
Navnt.exe  
Navlu32.exe  
Navapw32.exe  
N32scanw.exe  
Mpftray.exe  
Moolive.exe  
Luall.exe  
Lookout.exe  
Lockdown2000.exe  
Jedi.exe  
Iomon98.exe  
Iface.exe  
Icsuppnt.exe  
Icsupp95.exe  
Icmon.exe  
Icloadnt.exe  
Icload95.exe  
Ibmavsp.exe  
Ibmasn.exe  
Iamserv.exe  
Iamapp.exe  
Frw.exe  
Fprot.exe  
Fp-Win.exe  
FindViru.exe  
f-Stopw.exe  
f-Prot95.exe  
f-Prot.exe  
f-Agnt95.exe  
Espwatch.exe  
Esafe.exe  
Ecengine.exe  
Dvp95_0.exe  
Dvp95.exe  
Cleaner3.exe  
Cleaner.exe  
Claw95cf.exe  
Claw95.exe  
Cfinet32.exe  
Cfinet.exe  
Cfiaudit.exe  
Cfiadmin.exe  
Blackice.exe  
Blackd.exe  
Avwupd32.exe  
Avwin95.exe  
Avshed32.exe  
Avpupd.exe  
Avptc32.exe  
Avpm.exe  
Avpdos32.exe  
Avpcc.exe  
Avp32.exe  
Avp.exe  
Avnt.exe  
Avkonsol.exe  
Avgctrl.exe  
Ave32.exe  
Avconsol.exe  
AutoDown.exe  
Avpxdwin.exe  
Anti-Trojan.exe  
Ackwin32.exe  
_Avpm.exe  
_Avpcc.exe  
_Avp32.exe  

If the worm locates a webserver on an infected computer, it defaces it by renaming the startup page files and replacing them with its own. The defaced webserver shows the following message:

I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!,
Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!

The worm contains a backdoor routine that can give remote hackers limited access to an infected system.

The worm has a dangerous time-triggered payload. On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th day of a month it can delete all files on the C: drive and in the current directory, and it can also format the D: drive.

When the payload is activated, the worm displays a message box:

Anacon W0rm
The only I have to say is, I need you babe!

Additionally, the worm tries to share the hard drives of an infected computer so that they are accessible from the Internet.

The worm can perform a DoS (Denial of Service) attack on the following servers:

212.143.236.4 (Israel Ministry of Foreign Affairs)
62.154.244.36
209.61.182.140 (Israel.com)
198.65.148.153 (Arutz Sheva - Israel National News)
212.150.63.115
208.40.175.222 (Jewish Virtual Library)
161.58.232.244
161.58.197.155 (Israel Travel and Hotels Guide)
194.90.114.5 (United States embassy in Israel)
147.237.72.91


Detection


Detection of the Naco.B worm is available in the following updates:

Detection Type: PC
Database: 2003-05-26_04



Description Details: Alexey Podrezov; F-Secure Corp.; May 26-27th, 2003

