This worm spreads via email, popular peer-to-peer networks and network shares. However, due to bugs in its code, it fails to carry out its intended routines.
Upon execution, this worm drops a copy of itself as ANACON.EXE in the Windows system folder.
The Windows system folder is usually C:\Windows\System on Windows 95, 98, and ME, C:\Windows\System32 on Windows XP, and C:\WINNT\System32 on Windows NT and 2000.
To ensure that it runs at every Windows startup, it adds the following autorun entries in the registry:
AHU = "%System%\ANACON.EXE"
Hvewsveqmg = "%System%\ANACON.EXE"
Cvfjx = "%System%\ANACON.EXE"
Once the worm is active in memory, it propagates by utilizing MAPI (Messaging Application Programming Interface) to send email messages with itself as an attachment to all recipients found in the Microsoft Outlook address book.
The email message that it sends out has the following characteristics:
Subject: (usually blank or any of the following)
- Do you happy?
- Riyadh Issue: Al-Qaeda vs FBI
- Osama Bin Laden Come Back!
- Al-Qaeda News: Bombing Mission Success!
- Check This Out!
- Re: can mali can!
- Al-Qaeda Team Entertainment News
- [AQTE News]
- Al-Jazeera: AQTE Come back!
- Hi, may I read your mind?
- Acheh Issue: What Solution!
- Saddam Hussein Still alive
- Iraqi people don't want US Control.
- Let's Iraqi people build their country.
- Download New 256-Bit Encryption Software
- Alert! W32.HLLW.Anacon@mm Worm Has been detected!
- Register you Windows Now!
- Get free update Microsoft Windows Media Player
- TIPS: How to hide your IP Address!
- How to Protect you PC from Hackers!
Message body:
Once I was first saw you, I was fall in love! Even you are already has special friend!
Fall In Love,
Rekcahlem ~=~ Anacon
The email attachment name varies and is usually the file name of the worm when it is run. Thus, if the file name of the worm is NACO.EXE, and it is run, then it uses NACO.EXE as its attachment name.
It also uses ANAKON.JPG as its attachment file name in certain email clients; this has been confirmed in Outlook.
Peer-to-Peer Network Propagation
This worm also propagates by sharing copies of itself using enticing file names in various peer-to-peer, file-sharing networks. It does this by querying the following registry key:
It looks for the Program Files folder and performs a search in this folder for the following default shared folders of P2P applications:
- \KMD\My Shared Folder
- \Kazaa\My Shared Folder
- \KaZaA Lite\My Shared Folder
- \Morpheus\My Shared Folder
- \Grokster\My Grokster
Then, the worm copies the following files to the default shared folders listed above:
- X-Men II Trailer.mpg.exe
- The Matrix Reloaded.jpg.exe
- Jonny English (JE).avi.exe
- About SARS Solution.doc.exe
- Dont eat pork.. SARS in there.jpg.exe
- MSVisual C%20%20.exe
- WindowsXP PowerToys.exe
- WMovie Maker II.exe
This enables copies of the worm to be readily available for download by other file-sharing network users.
The worm also shares the local drive C:\ by adding the following registry keys, each of them containing the registry value "HACKERz":
After performing its malicious routines, the worm terminates and does not stay resident in memory.
This worm is also designed to function as a backdoor and terminate and delete the following antivirus and firewall programs if found active in memory:
It is also designed to deface Web pages in the default \Inetpub\wwwroot\ folder, if IIS is installed, by renaming files as follows:
- index.htm renamed to Anacon_Index.htm
- default.htm renamed to Anacon_Default.htm
- index.html renamed to Anacon_Index.html
- default.html renamed to Anacon_Default.html
- index.asp renamed to Anacon_Index.asp
- default.asp renamed to Anacon_Default.asp
Then, it overwrites the original files with the following text:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain and AQTE
Anacon G0t ya! By Melhacker - The Real Hacker!
The code that performs this routine is contained in the ANADEFACE.BAT batch file, which the worm creates if IIS is installed.
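As an added defender-side example, not part of the original write-up, the following Python sweep checks for the three sets of host artifacts described above: the autorun values pointing at ANACON.EXE, the lure files dropped into the P2P shared folders, and the Anacon_-prefixed files left in the IIS wwwroot. The inputs are constructed sample data standing in for a Run-key export, a listing of the shared folders, and a wwwroot listing, so it runs offline; the double-extension rule generalizes the listed lure names to any similar "media.exe" or "document.exe" file found inside one of the named P2P folders.

```python
import re

# Indicators taken from the write-up above.
DROPPED_FILE = "anacon.exe"
AUTORUN_VALUE_NAMES = {"AHU", "Hvewsveqmg", "Cvfjx"}
P2P_SHARED_FOLDERS = [
    r"\KMD\My Shared Folder",
    r"\Kazaa\My Shared Folder",
    r"\KaZaA Lite\My Shared Folder",
    r"\Morpheus\My Shared Folder",
    r"\Grokster\My Grokster",
]
P2P_LURE_NAMES = {
    "X-Men II Trailer.mpg.exe",
    "The Matrix Reloaded.jpg.exe",
    "Jonny English (JE).avi.exe",
    "About SARS Solution.doc.exe",
    "Dont eat pork.. SARS in there.jpg.exe",
    "MSVisual C%20%20.exe",
    "WindowsXP PowerToys.exe",
    "WMovie Maker II.exe",
}
DEFACED_NAMES = {
    "Anacon_Index.htm", "Anacon_Default.htm",
    "Anacon_Index.html", "Anacon_Default.html",
    "Anacon_Index.asp", "Anacon_Default.asp",
}
# Generalization: a media/document extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(jpe?g|avi|mpg|mpeg|doc|txt|mp3)\.(exe|scr|pif|com)$", re.IGNORECASE)

# Constructed sample inputs (not real system data).
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINNT\System32\ctfmon.exe"),   # benign entry
    ("AHU", r"C:\WINNT\System32\ANACON.EXE"),
    ("Hvewsveqmg", r"%System%\ANACON.EXE"),
    ("Cvfjx", r"%System%\ANACON.EXE"),
    ("Qzpl", r"%System%\ANACON.EXE"),  # constructed: different value name, same payload path
]
SAMPLE_SHARES = {
    r"C:\Program Files\Kazaa\My Shared Folder": [
        "holiday.jpg", "The Matrix Reloaded.jpg.exe", "vacation.avi.exe"],
    r"C:\Program Files\Grokster\My Grokster": ["WMovie Maker II.exe"],
    r"C:\Documents and Settings\All Users\Documents": ["setup.exe", "notes.doc.exe"],
}
SAMPLE_WWWROOT = ["Anacon_Index.htm", "index.htm", "Anacon_Default.asp", "default.asp", "logo.gif"]


def check_autorun(entries):
    """entries: (value_name, data) pairs from a Run key. Flags the listed value names
    and, more robustly, any value whose data ends in the dropped file name."""
    hits = []
    for name, data in entries:
        if name in AUTORUN_VALUE_NAMES or data.strip('"').lower().endswith(DROPPED_FILE):
            hits.append((name, data))
    return hits


def check_shared_folders(listing):
    """listing: folder path -> file names. Known lure names are flagged anywhere;
    the double-extension rule applies only inside the named P2P shared folders."""
    hits = []
    for folder, files in listing.items():
        in_p2p = any(folder.lower().endswith(p.lower()) for p in P2P_SHARED_FOLDERS)
        for name in files:
            if name in P2P_LURE_NAMES:
                hits.append((folder, name, "known-lure"))
            elif in_p2p and DOUBLE_EXT.search(name):
                hits.append((folder, name, "double-extension"))
    return hits


def check_wwwroot(files):
    """Returns the renamed originals the defacement routine leaves behind."""
    return sorted(name for name in files if name in DEFACED_NAMES)


def run_sweep(entries=SAMPLE_RUN_ENTRIES, shares=SAMPLE_SHARES, wwwroot=SAMPLE_WWWROOT):
    """Counts of each indicator class, for a quick triage summary."""
    return {
        "autorun": len(check_autorun(entries)),
        "p2p_lures": len(check_shared_folders(shares)),
        "defaced_pages": len(check_wwwroot(wwwroot)),
    }


if __name__ == "__main__":
    for hit in check_autorun(SAMPLE_RUN_ENTRIES):
        print("autorun:", hit)
    for hit in check_shared_folders(SAMPLE_SHARES):
        print("share:", hit)
    for hit in check_wwwroot(SAMPLE_WWWROOT):
        print("wwwroot:", hit)
    print(run_sweep())
```

Matching on the autorun data path rather than only on the three value names is deliberate: the value names look randomly generated, so a variant could use different ones while still pointing at the same dropped file. Note that `notes.doc.exe` outside a P2P folder is not flagged, since the write-up only ties the lure behaviour to those folders; widen the rule if your environment warrants it.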
However, the worm was not able to perform any of the said malicious routines due to bugs in its code.
This UPX-compressed worm is written and compiled in Visual Basic and runs on Windows 95, 98, ME, NT, 2000, and XP.