The worm's file is a PE executable 32768 bytes long, compressed with UPX file compressor. The uncompressed worm's file size is over 100 kilobytes. The worm has a backdoor (hacker's remote access tool) routine, can perform a DoS (Denial of Service) attack on certain servers, can destroy data on a hard drive.
Installation to system
To infect a system, the worm's file should be run by a user. When the worm's file is run, it copies itself to Windows System directory with ANACON32.EXE name and creates a startup keys for this file in System Registry:
"ALM" = "[path to worm's file]
"Under20" = "[path to worm's file]
"Under20" = "[path to worm's file]
"Services" = "[path to worm's file]
As a result of such actions, the worm's file will be loaded every time Windows starts.
Spreading in emails
The worm spreads itself as an attachment to email messages that it composes from its internal text strings.
The subject of an infected message can be one of the following:
Out of my heart?
New! Dragon Ball Fx
TIPs: HOW TO DEFACE A WEBSERVER?
What New in The ScreenSaver!
FoxNews Reporter: There are no Solution for SARS?
Get Your Free XXX Password!
Crack for Nokia LogoManager 1.3
Help me plz?
TechTV: New Anti Virus Software
News: US Goverment try to make wars with Tehran.
Re: are you married?(3)
Seagate Baracuda 80GB for $???
Small And Destrucive!
Alert! New Variant Anacon.D has been detected!
Free SMS Via NACO SMS!
Patch for Microsoft Windows XP 64bit
Your FTP Password: iuahdf7d8hf
Get Free SMTP Server at Click Here!
The body of an infected message can be:
I'm gonna missed you babe, hope we can see again!
Rekcahlem ~ ~ Anacon
Hi babe, Still missing me! I have send to you a special gift I
made it my own. Just for you. Check it out the attachment.
Great to see you again babe! This is file you want las week.
Please don't distribute it to other.
Please do not eat pork! The SARS virus may come from the pig. So
becareful. For more information check the attachment.
You may not see the message because the message has been convert
to the attachment. Please open an attachment to see the message.
The attachment name of an infected message is usually ANACON32.EXE, however we recived a few infected messages with attachments named NACO.EXE and with some other names, that are not listed in the worm's code.
Here's an example of how an infected message looks like:
Spreading in P2P (peer-to-peer) networks
The worm tries to locate shared folders of popular file sharing clients - Kazaa and Grokster and copies itself to these folders with the following names:
The Lost Jungle.mpg.exe
The Matrix Reloaded Trailer.jpg.exe
Replacement Killer 2.avi.exe
Trailer DOOM III.exe
Dont Eat Pork SARS in there.exe
About SARS Solution.doc.exe
TIPS HOW TO CRACK SYMANTEC SERVER.txt.exe
Hide Your Mount.exe
Patch - jdbgmgr.exe
NEW POWERTOY FOR WINXP.exe
Generate a Random PAssword.exe
Ripley Believe It Or Not.exe
Anacon The Great.exe
Hack In 5 Minute.exe
Oh Yeah Babe.exe
When someone downloads and runs any of these files, he/she becomes infected with the worm and it starts to spread further from a newly-infected computer.
The worm can kill tasks of certain anti-virus, security and other software and delete their files. The following software is affected:
The worm also stops Norton Anti-Virus Auto Protect Service, deletes files in C:\SafeWeb\ folder and destroys Trojan Defense Suit software.
On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th day of a month the worm can delete all files on C: drive, in Windows and Windows System directory and it can also format D: drive.
When the payload is activated, the worm displays a messagebox:
I miss you babe...
Additionally the worm tries to share infected computer's hard drives, so they become accessible from Internet.
If a worm discovers an IIS server on an infected computer, it deletes all .HTM, .HTML and .ASP files in the \Inetpub\wwwroot\ folder (root folder of a webserver) and creates several files there:
These files contain the following message that will be displayed if anyone connects to a webserver located on an infected computer:
WARNING! YOUR WEB SERVER HAS BEEN HACKED BY ANACON MELHACKER.
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!
The worm can perform a Denial of Service (DoS) attack on the following servers:
(Israel Ministry of Foreign Affairs)
184.108.40.206 (Arutz Sheva - Israel National News)
220.127.116.11 (Jewish Virtual Library)
18.104.22.168 (Israel Travel and Hotels Guide)
(United States embassy in Israel)
The worm has backdoor capabilities. The worm listens to commands from remote computer. A hacker from a remote computer can perform the following actions on an infected computer:
- start/stop keylogger (records user's keystrokes)
- get and change display settings (resolution, wallpaper)
- restart or hang an infected computer
- get information about an infected computer
- get cached passwords
- get information about the backdoor
- get process list and terminate processes
- play media files
- open/close CD-ROM tray
- show/hide Task Bar
- change keyboard settings (enable/disable CTRL+ALT+DEL)
- remove backdoor
- enable/disable clipboard
- change mouse settings (enable/disable doubleclicking)
- display a messagebox
The stolen information is sent to 'email@example.com' email address via 'smtp.phreaker.net' server.