Alias: W32.Naco.B@mm, Nocana.b
Type: Worm
Size: 86,016 bytes
Origin: unknown
Date: 05-26-2003
Damage: Mass mailer, DoS attacker, backdoor
VDF Version: 6.19.00.21
Danger: Medium
Distribution: Low

General Description
This is a mass mailer. It has a file size of 86,016 bytes and was programmed in Visual Basic (VB), so the worm always needs the VB runtime libraries to activate its viral code. Worm/Anacon spreads over P2P file-sharing networks such as KaZaA, Morpheus, Edonkey2000 and others, and it also has a backdoor routine. It is able to terminate a number of active processes which it recognises as firewall or antivirus applications.

Symptoms
The presence of the files and registry entries listed below.

Distribution
P2P file-sharing networks such as KaZaA, Morpheus, Edonkey2000 and others.

Technical Details
Worm/Anacon has a file size of 86,016 bytes. It was programmed in Microsoft Visual Basic and therefore needs the VB runtime libraries to activate its viral code. When activated, Worm/Anacon copies itself as "syspoly32.exe" and creates the following files:
* \%Windir%\%System%\syspoly32.exe (86,016 bytes)
* \%Windir%\%System%\Wars.exe (137,651 bytes)
Then it makes the following registry entries:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nocana"="\\%Windir%\\%System%\\wars.exe"
"AHU"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
* [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
The worm can terminate a number of active firewall or antivirus processes:
Zonealarm.exe, Wfindv32.exe, Webscanx.exe, Vsstat.exe, Vshwin32.exe, Vsecomr.exe, Vscan40.exe, Vettray.exe, Vet95.exe, ds2-Nt.exe, Tds2-98.exe, Tca.exe, Tbscan.exe, Sweep95.exe, Sphinx.exe, Smc.exe, Serv95.exe, Scrscan.exe, Scanpm.exe, Scan95.exe, Scan32.exe, Safeweb.exe, Regedit.exe, Rescue.exe, Rav7win.exe, Rav7.exe, Persfw.exe, Pcfwallicon.exe, Pccwin98.exe, Pavw.exe, Pavsched.exe, Pavcl.exe, Padmin.exe, Outpost.exe, Nvc95.exe, Nupgrade.exe, Normist.exe, Nmain.exe, Nisum.exe, Navwnt.exe, Navw32.exe, Navnt.exe, Navlu32.exe, Navapw32.exe, N32scanw.exe, Mpftray.exe, Moolive.exe, Luall.exe, Lookout.exe, Lockdown2000.exe, Jedi.exe, Iomon98.exe, Iface.exe, Icsuppnt.exe, Icsupp95.exe, Icmon.exe, Icloadnt.exe, Icload95.exe, Ibmavsp.exe, Ibmasn.exe, Iamserv.exe, Iamapp.exe, Frw.exe, Fprot.exe, Fp-Win.exe, Findviru.exe, f-Stopw.exe, f-Prot95.exe, f-Prot.exe, f-Agnt95.exe, Espwatch.exe, Esafe.exe, Ecengine.exe, Dvp95_0.exe, Dvp95.exe, Cleaner3.exe, Cleaner.exe, Claw95cf.exe, Claw95.exe, Cfinet32.exe, Cfinet.exe, Cfiaudit.exe, Cfiadmin.exe, Blackice.exe, Blackd.exe, Avwupd32.exe, Avwin95.exe, Avsched32.exe, Avpupd.exe, Avptc32.exe, Avpm.exe, Avpdos32.exe, Avpcc.exe, Avp32.exe, Avp.exe, Avnt.exe, Avkserv.exe, Avgctrl.exe, Ave32.exe, Avconsol.exe, Autodown.exe, Apvxdwin.exe, Anti-Trojan.exe, Ackwin32.exe, _Avpm.exe, _Avpcc.exe, _Avp32.exe.
The worm can send itself by email to all addresses found in the Windows Address Book (WAB). Such an email has the following characteristics:
* Subject (one of the following):
What New in TechTV! or
Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?[1]
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?
<blank.subject>
* Body:
Hello dear,
I'm goona missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~Anacon
* Attachment:
Wars.exe
In order to spread over Peer-to-Peer (P2P) file-sharing networks, the worm searches for the following paths:
* %Programs%\KMD\My Shared Folder\
* %Programs%\Kazaa\My Shared Folder\
* %Programs%\KaZaA Lite\My Shared Folder\
* %Programs%\Morpheus\My Shared Folder\
* %Programs%\Grokster\My Grokster\
* %Programs%\BearShare\Shared\
* %Programs%\Edonkey2000\Incoming\
* %Programs%\limewire\Shared\
If it finds one or more of the above paths, the worm copies itself there under different names:
* The Matrix Evolution.mpg.exe
* The Matrix Reloaded Preview.jpg.exe
* Jonny English (JE).avi.exe
* DOOM III Demo.exe
* winamp3.exe
* JugdeDread.exe
* Microsoft Visual Studio.exe
* gangXcop.exe
* Upgrade you HandPhone.exe
* About SARS Solution.doc.exe
* Dont eat pork. SARS in there.jpg.exe
* VISE.exe
* MSVisual C++.exe
* QuickInstaller.exe
* Q111023.exe
* jdbgmgr.exe
* WindowsXP PowerToys.exe
* InternationalDictionary.exe
* EAGames.exe
* SEX_HOTorCOOL.exe
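The following PowerShell script is an added example for administrators checking a machine for this worm; it is not part of the original description. It walks the P2P shared folders listed above, flags files that carry one of the drop names, and also applies a more general heuristic the page's list illustrates: a media or document extension placed in front of a trailing ".exe". It assumes %Programs% maps to $env:ProgramFiles, which is an assumption to adjust if the clients were installed elsewhere.

```powershell
# Added example, not part of the original description.
# Scans the P2P shared folders named in the description for the worm's
# drop names, for the generic "double extension" trick, and for files whose
# size matches the two files the worm creates (86,016 and 137,651 bytes).
# Assumption: %Programs% corresponds to $env:ProgramFiles.

$programs = $env:ProgramFiles

# Shared-folder paths from the description, relative to %Programs%
$shareDirs = @(
    'KMD\My Shared Folder',
    'Kazaa\My Shared Folder',
    'KaZaA Lite\My Shared Folder',
    'Morpheus\My Shared Folder',
    'Grokster\My Grokster',
    'BearShare\Shared',
    'Edonkey2000\Incoming',
    'limewire\Shared'
) | ForEach-Object { Join-Path $programs $_ }

# File names the worm uses when copying itself into those folders
$dropNames = @(
    'The Matrix Evolution.mpg.exe', 'The Matrix Reloaded Preview.jpg.exe',
    'Jonny English (JE).avi.exe', 'DOOM III Demo.exe', 'winamp3.exe',
    'JugdeDread.exe', 'Microsoft Visual Studio.exe', 'gangXcop.exe',
    'Upgrade you HandPhone.exe', 'About SARS Solution.doc.exe',
    'Dont eat pork. SARS in there.jpg.exe', 'VISE.exe', 'MSVisual C++.exe',
    'QuickInstaller.exe', 'Q111023.exe', 'jdbgmgr.exe',
    'WindowsXP PowerToys.exe', 'InternationalDictionary.exe', 'EAGames.exe',
    'SEX_HOTorCOOL.exe'
)

# Generic heuristic: a "harmless" extension hiding in front of .exe
$doubleExt = '\.(mpg|mpeg|avi|jpg|jpeg|gif|doc|txt|zip|mp3)\.exe$'

# Sizes of the two files the worm writes, from the description
$wormSizes = @(86016, 137651)

$findings = foreach ($dir in $shareDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reason = $null
            if ($dropNames -contains $_.Name)          { $reason = 'known drop name' }
            elseif ($_.Name -imatch $doubleExt)        { $reason = 'double extension' }
            elseif ($wormSizes -contains $_.Length)    { $reason = 'size matches worm file' }
            if ($reason) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    Reason = $reason
                }
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No suspicious files found in the known P2P shared folders.'
}
```

The name match is exact (PowerShell's -contains compares strings case-insensitively), the double-extension check is the heuristic that catches renamed copies, and the size check is the weakest signal of the three, so review any "size matches" hit before acting on it.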
Worm/Anacon can run DoS attacks using certain IP addresses:
* 212.150.63.115
* 212.143.236.4
* 209.61.182.140
* 208.40.175.222
* 198.65.148.153
* 194.90.114.5
* 161.58.232.244
* 161.58.197.155
* 147.237.72.91
* 62.154.244.36
Manual Remove Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should first boot into Safe Mode: press the F8 key when you start your computer and select the 'Safe Mode' option from the menu that appears. Then delete the following files:
* \%Windir%\%System%\syspoly32.exe (86,016 bytes)
* \%Windir%\%System%\Wars.exe (137,651 bytes)
Start "regedit" after that and delete the following registry entries:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nocana"="\\%Windir%\\%System%\\wars.exe"
"AHU"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
* [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
Restart your computer.
- for Windows 9x/Me:
In order to remove the virus by hand, you should first boot into Safe Mode: press the F8 key when you start your computer and select the 'Safe Mode' option from the menu that appears. Then delete the following files:
* \%Windir%\%System%\syspoly32.exe (86,016 bytes)
* \%Windir%\%System%\Wars.exe (137,651 bytes)
Start "regedit" after that and delete the following registry entries:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nocana"="\\%Windir%\\%System%\\wars.exe"
"AHU"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
* [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerManagement"="\\%Windir%\\%System%\\SYSPOLY32.EXE"
Restart your computer.
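The removal steps above are written for regedit and Explorer. As an added example, not part of the original description, the PowerShell script below performs the same checks from the Technical Details and the removal instructions in one pass: it looks for running processes started from the dropped files, for the four autostart values, for the two files, and for live TCP connections to the DoS target addresses. Without -Remove it only reports; with -Remove it stops the processes and deletes the values and files, and -WhatIf previews that. It assumes an elevated session and resolves %Windir%\%System% through [Environment]::GetFolderPath('System'); Get-NetTCPConnection is only available on Windows 8 / Server 2012 and later, so the connection check is skipped silently on older systems.

```powershell
# Added example, not part of the original description.
# Report (and optionally remove) the persistence entries and files the
# description lists for Worm/Anacon. Run elevated.
#   .\anacon-check.ps1             -> report only
#   .\anacon-check.ps1 -Remove     -> stop processes, delete values and files
#   .\anacon-check.ps1 -Remove -WhatIf -> preview what -Remove would do
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# %Windir%\%System% (System32 on NT-based Windows); assumption: standard layout
$system = [Environment]::GetFolderPath('System')
$files  = @('syspoly32.exe', 'Wars.exe') | ForEach-Object { Join-Path $system $_ }

# Autostart values the worm creates (key, value name), from the description
$runEntries = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Nocana' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'AHU' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'InterceptedSystem' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'PowerManagement' }
)

# DoS target addresses from the description
$dosTargets = @('212.150.63.115', '212.143.236.4', '209.61.182.140', '208.40.175.222',
                '198.65.148.153', '194.90.114.5',  '161.58.232.244', '161.58.197.155',
                '147.237.72.91',  '62.154.244.36')

# 1. Processes running from the dropped files (stop them first, or the
#    files cannot be deleted and the worm may rewrite its registry values)
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($files -contains $_.Path) } |
    ForEach-Object {
        "Running: $($_.ProcessName) (PID $($_.Id)) from $($_.Path)"
        if ($Remove -and $PSCmdlet.ShouldProcess($_.Path, 'Stop process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# 2. Autostart values pointing at the worm
foreach ($e in $runEntries) {
    $val = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -ne $val) {
        "Registry: $($e.Key)\$($e.Name) = $val"
        if ($Remove -and $PSCmdlet.ShouldProcess("$($e.Key)\$($e.Name)", 'Remove value')) {
            Remove-ItemProperty -Path $e.Key -Name $e.Name
        }
    }
}

# 3. Dropped files; the sizes in the description are 86,016 and 137,651 bytes
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $len = (Get-Item -LiteralPath $f).Length
        "File: $f ($len bytes)"
        if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

# 4. Live TCP connections to the DoS targets (Windows 8 / Server 2012 and later)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $dosTargets -contains $_.RemoteAddress } |
        ForEach-Object {
            "Connection: $($_.LocalAddress):$($_.LocalPort) -> " +
            "$($_.RemoteAddress):$($_.RemotePort) ($($_.State), PID $($_.OwningProcess))"
        }
}
```

A registry value that matches by name but points somewhere other than the two files deserves a look before removal, since the value names are short and could collide with legitimate software; the report line prints the value's data for exactly that reason. Reboot after a -Remove run, as the manual instructions say.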
Description entered by Crony Walker on Tuesday, 15 June 2004