Threat Description



Category: Malware
Platform: W32
Aliases: Naco.E, I-Worm.Nocana.e, W32/Naco.E@mm, W32.Naco.C@mm, Win32/Naco.D@mm, Anacon, Nocana, Naco


The Naco.E worm was found late on June 2nd, 2003. It spreads via email and peer-to-peer networks, and it tries to steal or delete the user's data. The worm also has backdoor capabilities. It arrives in emails whose subject, body text and attachment name vary.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm's file is a PE executable 32768 bytes long, compressed with the UPX file compressor. The uncompressed file is over 100 kilobytes in size. The worm has a backdoor (a hacker's remote access tool) routine, can perform a DoS (Denial of Service) attack on certain servers, and can destroy data on a hard drive.

Installation to system

To infect a system, the worm's file must be run by a user. When the worm's file is run, it copies itself to the Windows System directory under the name ANACON32.EXE and creates startup keys for this file in the System Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM" = "[path to worm's file]"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20" = "[path to worm's file]"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20" = "[path to worm's file]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Services" = "[path to worm's file]"

As a result, the worm's file is loaded every time Windows starts.
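
A defender's check for the startup entries listed above, as an added example that is not part of the original description: it parses the text of a `reg export` dump and flags the listed value names and any autorun data naming ANACON32.EXE. The sample dump, the function name and the choice to ignore the hive are assumptions made for illustration.

```python
import re

# Indicators from the description above: autorun value names per key path
# (hive ignored, an assumption), plus the file name the worm installs under.
RUN = r"software\microsoft\windows\currentversion\run"
NACO_VALUES = {(RUN, "alm"), (RUN, "under20"), (RUN + "services", "services")}
NACO_FILE = "anacon32.exe"

KEY_RE = re.compile(r"^\[(?P<hive>[^\\\]]+)\\(?P<path>.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"$')

# Constructed sample in `reg export` text form (not captured from a real host).
SAMPLE = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM"="C:\\WINDOWS\\SYSTEM\\ANACON32.EXE"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20"="C:\\WINDOWS\\SYSTEM\\renamed.exe"
'''

def find_naco_autoruns(reg_text):
    """Return (key, value name, data, reason) for each suspicious autorun value."""
    hits, key, path = [], None, ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key, path = line[1:-1], m.group("path").lower()
            # Drop ".DEFAULT" or a SID so HKEY_USERS paths compare like HKCU.
            if m.group("hive").upper() == "HKEY_USERS":
                path = path.split("\\", 1)[-1]
            continue
        m = VAL_RE.match(line)
        if not (m and key):
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")  # .reg doubles backslashes
        if NACO_FILE in data.lower():
            hits.append((key, name, data, "file name"))
        elif (path, name.lower()) in NACO_VALUES:
            # Value name alone is a lead, not proof: the file may be renamed.
            hits.append((key, name, data, "value name"))
    return hits

if __name__ == "__main__":
    for hit in find_naco_autoruns(SAMPLE):
        print(hit)
```

Real `reg export` files are normally UTF-16 encoded, so decode them before passing the text in.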

Spreading in e-mails

The worm spreads itself as an attachment to e-mail messages that it composes from its internal text strings.

The subject of an infected message can be one of the following:

Out of my heart?
Nelly Furtado!
New! Dragon Ball Fx
TIPs: HOW TO DEFACE A WEBSERVER?
What New in The ScreenSaver!
FoxNews Reporter: There are no Solution for SARS?
Get Your Free XXX Password!
Gotcha baby!
Crack for Nokia LogoManager 1.3
Help me plz?
TechTV: New Anti Virus Software
News: US Goverment try to make wars with Tehran.
Re: are you married?(3)
Seagate Baracuda 80GB for $???
Small And Destrucive!
Alert! New Variant Anacon.D has been detected!
Free SMS Via NACO SMS!
Patch for Microsoft Windows XP 64bit
Your FTP Password: iuahdf7d8hf
Get Free SMTP Server at Click Here!

The body of an infected message can be:

Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~ ~ Anacon

Hi babe, Still missing me! I have send to you a special gift I
made it my own. Just for you. Check it out the attachment.
Your Love,
Rekcahlem

Great to see you again babe! This is file you want las week.
Please don't distribute it to other.
Regard,
V.C.

Attention!
Please do not eat pork! The SARS virus may come from the pig. So
becareful. For more information check the attachment.
Regard, WTO

(blank)
You may not see the message because the message has been convert
to the attachment. Please open an attachment to see the message.

The attachment name of an infected message is usually ANACON32.EXE; however, we received a few infected messages with attachments named NACO.EXE and with some other names that are not listed in the worm's code.

Here's an example of what an infected message looks like:

Spreading in P2P (peer-to-peer) networks

The worm tries to locate the shared folders of popular file sharing clients (Kazaa and Grokster) and copies itself to these folders under the following names:

The Lost Jungle.mpg.exe
The Matrix Reloaded Trailer.jpg.exe
Replacement Killer 2.avi.exe
Trailer DOOM III.exe
WinZip9Beta.exe
WhatIsGoingOn.exe
NokiaPolyPhonic.exe
TNT.exe
Dont Eat Pork SARS in there.exe
About SARS Solution.doc.exe
TIPS HOW TO CRACK SYMANTEC SERVER.txt.exe
VISE MINDVISION.exe
Uninstal.exe
WindowsSecurity Patch.exe
Hide Your Mount.exe
Patch - jdbgmgr.exe
NEW POWERTOY FOR WINXP.exe
Generate a Random PAssword.exe
OfficeXP.exe
Ripley Believe It Or Not.exe
Anacon The Great.exe
New Variant.exe
SMTP OCX.exe
DialUp.pif
Lost YourPassword.txt.exe
Hack In 5 Minute.exe
Get Lost.exe
Oh Yeah Babe.exe
Sucker.exe
MSWINSCK.OCX.EXE
Downloader.exe
HeavyMetal.mp3.exe
JackAndGinnie.exe
RosalindaAyamor
GetMorePower.exe
Hacker HandBook.exe
Dincracker eZine.exe
La Intrusa.exe
Porta.exe

When someone downloads and runs any of these files, he/she becomes infected with the worm and it starts to spread further from a newly-infected computer.
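
A way to audit a file-sharing folder for this behaviour, as an added example that is not part of the original description: it flags names with a decoy extension before the executable one and groups byte-identical executables stored under several titles, which is what a worm copying itself under many names leaves behind. The function names, the extension sets beyond those visible in the list above, and the `min_copies` threshold are assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Extensions that run code when opened; .pif is here because the description
# lists "DialUp.pif". .scr and .com are added as an assumption.
EXEC_EXT = {".exe", ".pif", ".scr", ".com"}
# Decoy extensions seen in the listed names (.mpg.exe, .jpg.exe, .doc.exe ...).
DECOY_EXT = {".mpg", ".jpg", ".avi", ".doc", ".txt", ".mp3", ".ocx"}

def has_decoy_extension(name):
    """True for names like 'x.jpg.exe': a media/document suffix before the real one."""
    stem, ext = os.path.splitext(name.lower())
    return ext in EXEC_EXT and os.path.splitext(stem)[1] in DECOY_EXT

def scan_share(folder, min_copies=3):
    """Return (decoy_names, clone_groups) for one shared folder.

    clone_groups maps a SHA-256 digest to the sorted names of byte-identical
    executables when at least `min_copies` names share that digest.
    """
    by_hash, decoys = defaultdict(list), []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if has_decoy_extension(name):
            decoys.append(name)
        if os.path.splitext(name.lower())[1] in EXEC_EXT:
            with open(path, "rb") as fh:
                by_hash[hashlib.sha256(fh.read()).hexdigest()].append(name)
    clones = {h: n for h, n in by_hash.items() if len(n) >= min_copies}
    return decoys, clones
```

Names without a decoy extension, such as WinZip9Beta.exe, are only caught by the clone grouping, so both results should be reviewed together.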


The worm can kill tasks of certain anti-virus, security and other software and delete their files. The following software is affected:

Zonealarm.exe
Wfindv32.exe
Webscanx.exe
Vsstat.exe
Vshwin32.exe
Vsecomr.exe
Vscan40.exe
Vettray.exe
Vet95.exe
Tds2-Nt.exe
Tds2-98.exe
Tca.exe
Tbscan.exe
Sweep95.exe
Sphinx.exe
Smc.exe
Serv95.exe
Scrscan.exe
Scanpm.exe
Scan95.exe
Scan32.exe
Safeweb.exe
Regedit.exe
Rescue.exe
Rav7win.exe
Rav7.exe
Persfw.exe
Pcfwallicon.exe
Pccwin98.exe
Pavw.exe
Pavsched.exe
Pavcl.exe
Padmin.exe
Outpost.exe
Nvc95.exe
Nupgrade.exe
Normist.exe
Nmain.exe
Nisum.exe
Navwnt.exe
Navw32.exe
Navnt.exe
Navlu32.exe
Navapw32.exe
N32scanw.exe
Mpftray.exe
Moolive.exe
Luall.exe
Lookout.exe
Lockdown2000.exe
Jedi.exe
Iomon98.exe
Iface.exe
Icsuppnt.exe
Icsupp95.exe
Icmon.exe
Icloadnt.exe
Icload95.exe
Ibmavsp.exe
Ibmasn.exe
Iamserv.exe
Iamapp.exe
Frw.exe
Fprot.exe
Fp-Win.exe
Findviru.exe
f-Stopw.exe
f-Prot95.exe
f-Prot.exe
f-Agnt95.exe
Espwatch.exe
Esafe.exe
Ecengine.exe
Dvp95_0.exe
Dvp95.exe
Cleaner3.exe
Cleaner.exe
Claw95cf.exe
Claw95.exe
Cfinet32.exe
Cfinet.exe
Cfiaudit.exe
Cfiadmin.exe
Blackice.exe
Blackd.exe
Avwupd32.exe
Avwin95.exe
Avsched32.exe
Avpupd.exe
Avptc32.exe
Avpm.exe
Avpdos32.exe
Avpcc.exe
Avp32.exe
Avp.exe
Avnt.exe
Avkserv.exe
Avgctrl.exe
Ave32.exe
Avconsol.exe
Autodown.exe
Apvxdwin.exe
Anti-Trojan.exe
Ackwin32.exe
_Avpm.exe
_Avpcc.exe
_Avp32.exe

The worm also stops the Norton Anti-Virus Auto Protect Service, deletes files in the C:\SafeWeb\ folder and destroys the Trojan Defense Suite software.

On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th day of a month the worm can delete all files on the C: drive and in the Windows and Windows System directories, and it can also format the D: drive.

When the payload is activated, the worm displays a messagebox:

Anacon III
I miss you babe...
W32.Anacon.D@mm

Additionally, the worm tries to share the infected computer's hard drives so that they become accessible from the Internet.

Defacing websites

If the worm discovers an IIS server on an infected computer, it deletes all .HTM, .HTML and .ASP files in the \Inetpub\wwwroot\ folder (the root folder of the web server) and creates several files there:

index.htm
default.htm
index.html
default.html
index.asp
default.asp

These files contain the following message that will be displayed if anyone connects to a webserver located on an infected computer:

DoS Attack

The worm can perform a Denial of Service (DoS) attack on the following servers:

(Israel Ministry of Foreign Affairs)
(Arutz Sheva - Israel National News)
(Jewish Virtual Library)
(Israel Travel and Hotels Guide)
(United States embassy in Israel)

The worm has backdoor capabilities. It listens for commands from a remote computer. A hacker at a remote computer can perform the following actions on an infected computer:

- start/stop keylogger (records user's keystrokes)
- get and change display settings (resolution, wallpaper)
- restart or hang an infected computer
- get information about an infected computer
- get cached passwords
- get information about the backdoor
- get process list and terminate processes
- play media files
- open/close CD-ROM tray
- show/hide Task Bar
- change keyboard settings (enable/disable CTRL+ALT+DEL)
- remove backdoor
- enable/disable clipboard
- change mouse settings (enable/disable doubleclicking)
- display a messagebox

The stolen information is sent to '' e-mail address via '' server.


F-Secure Anti-Virus detects Naco.E worm with the updates published on June 2nd, 2003:
Database: 2003-06-02_02

Description Details: Katrin Tocheva, Alexey Podrezov; F-Secure Corp.; June 2nd-3rd, 2003

