Naco.F

Classification

Malware

-

-

Naco.F, I-Worm.Nocana.F, W32/Naco.F@mm, W32.Naco.D@mm, Anacon, Nocana, Naco

Summary

Naco.F worm was found on June 12th, 2003. It can spread via email and peer-to-peer networks. It also tries to steal or delete user's data. Additionally the worm has backdoor capabilities. The worm arrives in emails which subject, body text and attachment name vary.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

This worm's variant is close to the previous one - Naco.E but it has much more bugs that can render an infected system inoperable shortly after infection. Out test workstation and Exchange server were jammed by a huge number of emails that the worm sent. Also on a test workstation there appeared numerous Registry Editor's import failure messageboxes..

The differences comparing to the previous version are as follows:

1. The worm drops itself to Windows System directory as CSRSS32.EXE file. There can be more than one copy of the worm in memory.

2. The worm's file is compressed with TELOCK file compressor. The compressed file's size is 45568 bytes.

3. Most of the worm's text strings are encrypted with a simple cryptoalgorithm. The worm dynamically decrypts its strings when it uses them.

4. The worm displays a different messageboxes:

W32.Anacon.F@mm
You are the most pretty girl I ever saw!
Anacon 6 W0rm
THanX f0r SupPoRted:
Dincracker, Foot-Art, PakBrain, Fady911x, Anacon, Axam, Sh4m_Skru, AjeedNASA,
Invisibleman, Zied666 and all my frenz...

5. The worm puts a different message on a defaced webserver:

Melhacker WhAcKeRs
Melhacker + Anacon Gotcha! New Version Of Anacon Worm!
You Are Hacked By WhAcKeRs Team!

6. The worm copies itself many times to Startup folder with random name that consists of four numbers. On our test system the worm created more than 250 files in Startup folder.

7. The worm sends itself in email usually as CSRSS32.EXE. It can also use a four-digit randomly generated name for its attachment, for example 5131.EXE. It should be noted that a recipient of an infected message will see a different attachment's name - CLIMBING.JPG with some email clients, for example with Microsoft Outlook while Netscape shows the attachment name correctly.

8. The worm can infect EXE files in Windows System directory. Due to bugs in the worm's code it can infect files multiple times.