WORM_NACO.A

Malware type: Worm

Aliases: Email-Worm.Win32.Nocana.a (Kaspersky), W32/Naco.a@MM (McAfee), W32.Naco@mm (Symantec), Worm/Naco.D.2 (Avira), W32/Anacon-A (Sophos)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm is designed to spread via email using Microsoft Outlook, popular peer-to-peer file-sharing networks, and network shares, but, due to bugs in its code, it fails to carry out its intended routines.

The email that it is supposed to send out has the following characteristics:

Subject: <usually blank or any of the following>
Do you happy?
Riyadh Issue: Al-Qaeda vs FBI
Osama Bin Laden Come Back!
Al-Qaeda News: Bombing Mission Success!
Check This Out!
Re: can mali can!
Al-Qaeda Team Entertainment News
[AQTE News]
Al-Jazeera: AQTE Come back!
Hi, may I read your mind?
Acheh Issue: What Solution!
Saddam Hussein Still alive
Iraqi people don't want US Control.
Let's Iraqi people build their country.
Download New 256-Bit Encryption Software
Alert! W32.HLLW.Anacon@mm Worm Has been detected!
Register you Windows Now!
Get free update Microsoft Windows Media Player
TIPS: How to hide your IP Address!
How to Protect you PC from Hackers!

Message Body:
Hi dear,

Once I was first saw you, I was fall in love! Even you are already has special friend!

Fall In Love,
Rekcahlem ~=~ Anacon

The email attachment name varies and is usually the file name of the worm when it is run. Thus, if the file name of the worm is NACO.EXE, and it is run, then it uses NACO.EXE as its attachment name.

In addition, this worm is also designed to function as a backdoor program, and is likewise designed to terminate and delete active antivirus and firewall programs. However, the worm does not perform these malicious routines as a result of bugs in its code.

This UPX-compressed worm is written and compiled in Visual Basic and runs on Windows 95, 98, ME, NT, 2000, and XP platforms.


Description created: Jun. 22, 2003 6:22:40 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 29,184 Bytes (compressed)
96,256 Bytes (uncompressed)

Initial samples received on: May 24, 2003

Details:

This worm spreads via email, popular peer-to-peer networks, and network shares. However, due to bugs in its code, it fails to carry out its intended routines.

Installation

Upon execution, this worm drops a copy of itself as ANACON.EXE in the Windows system folder.

Note: The Windows system folder is usually C:\Windows\System on Windows 95, 98, and ME, C:\Windows\System32 on Windows XP, and C:\WINNT\System32 on Windows NT and 2000.

Autostart Techniques

To ensure that it runs at every Windows startup, it adds the following autorun entries in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
AHU = "%System%\ANACON.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
Hvewsveqmg = "%System%\ANACON.EXE"

HKEY_USERS\.DEFAULT\Software\Microsoft\
Windows\CurrentVersion\Run
Cvfjx = "%System%\ANACON.EXE"

Email Propagation

Once the worm is active in memory, it propagates by utilizing MAPI (Messaging Application Programming Interface) to send email messages with itself as an attachment to all recipients found in the Microsoft Outlook address book.

The email message that it sends out has the following characteristics:

Subject: <usually blank or any of the following>
  • Do you happy?
  • Riyadh Issue: Al-Qaeda vs FBI
  • Osama Bin Laden Come Back!
  • Al-Qaeda News: Bombing Mission Success!
  • Check This Out!
  • Re: can mali can!
  • Al-Qaeda Team Entertainment News
  • [AQTE News]
  • Al-Jazeera: AQTE Come back!
  • Hi, may I read your mind?
  • Acheh Issue: What Solution!
  • Saddam Hussein Still alive
  • Iraqi people don't want US Control.
  • Let's Iraqi people build their country.
  • Download New 256-Bit Encryption Software
  • Alert! W32.HLLW.Anacon@mm Worm Has been detected!
  • Register you Windows Now!
  • Get free update Microsoft Windows Media Player
  • TIPS: How to hide your IP Address!
  • How to Protect you PC from Hackers!

Message Body:
Hi dear,

Once I was first saw you, I was fall in love! Even you are already has special friend!

Fall In Love,
Rekcahlem ~=~ Anacon

The email attachment name varies and is usually the file name of the worm when it is run. Thus, if the file name of the worm is NACO.EXE, and it is run, then it uses NACO.EXE as its attachment name.

It also uses ANAKON.JPG as its attachment file name in certain email clients; this has been confirmed in Outlook.

Peer-to-Peer Network Propagation

This worm also propagates by sharing copies of itself using enticing file names in various peer-to-peer, file-sharing networks. It does this by querying the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\ProgramFilesDir

It looks for the Program Files folder and performs a search in this folder for the following default shared folders of P2P applications:

  • \KMD\My Shared Folder
  • \Kazaa\My Shared Folder
  • \KaZaA Lite\My Shared Folder
  • \Morpheus\My Shared Folder
  • \Grokster\My Grokster
  • \BearShare\Shared
  • \Edonkey2000\Incoming
  • \limewire\Shared

Then, the worm copies the following files to the default shared folders listed above:

  • X-Men II Trailer.mpg.exe
  • The Matrix Reloaded.jpg.exe
  • Jonny English (JE).avi.exe
  • EmpireEarthII.msi.exe
  • Setup.exe
  • JumpingJumping.exe
  • SuperMarioBrother.exe
  • YoungAndNotTooDangerous.exe
  • Nokia8250Series.exe
  • About SARS Solution.doc.exe
  • Dont eat pork.. SARS in there.jpg.exe
  • Mesmerize.exe
  • MSVisual C++.exe
  • Installer.exe
  • Q544512.exe
  • jdbgmgr.exe
  • WindowsXP PowerToys.exe
  • WMovie Maker II.exe
  • WindowsUpdate.exe
  • SEX_HOT.exe

This enables copies of the worm to be readily available for download by other file-sharing network users.

Network Propagation

The worm also shares the local drive C:\ by adding the following registry keys, each of them containing the registry value "HACKERz":

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Services\lanmanserver\Shares

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanserver\Shares

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\
Services\lanmanserver\Shares

After performing its malicious routines, the worm terminates and does not stay resident in memory.
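The registry artifacts listed under Autostart Techniques and Network Propagation above are the most reliable host indicators for this worm, so a responder will often want to check an exported hive rather than click through Registry Editor. The following Python script is an added example written for this page, not code from the Trend Micro write-up or from the worm: it parses a Registry Editor (.reg, version 5.00) export, flags any value under the three autorun keys whose data names ANACON.EXE, and flags the "HACKERz" value under the lanmanserver\Shares keys, decoding its REG_MULTI_SZ data so the shared path is visible. The sample export embedded in the script is constructed to look like an infected host; the byte content of the share values is an assumption about how such an entry would export, not data taken from a real sample.

```python
import re

# Autostart keys the worm writes (from the write-up); matched case-insensitively.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
}
# Keys under which the worm publishes C:\ as the share "HACKERz".
SHARE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanserver\Shares",
}
DROPPED_FILE = "anacon.exe"
SHARE_NAME = "hackerz"

# A value line is either "name"=data or @=data (the key's default value).
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}.

    String data is unescaped; other types (hex(7):..., dword:...) are kept raw.
    """
    entries, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if line.endswith("\\"):                 # hex data continues on the next line
            pending = line[:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # \\ -> \ and \" -> "
        entries[current][name] = data
    return entries


def decode_multi_sz(data):
    """Decode a REG_MULTI_SZ exported as hex(7):... into its list of strings."""
    if not data.lower().startswith("hex(7):"):
        return [data]
    raw = bytes(int(h, 16) for h in data[7:].split(",") if h.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def find_naco_indicators(entries):
    """Return (kind, key, value_name, detail) for the registry artifacts above."""
    autorun = {k.lower() for k in AUTORUN_KEYS}
    shares = {k.lower() for k in SHARE_KEYS}
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k in autorun:
            for name, data in values.items():
                # Compare only the file name so any %System% spelling matches.
                leaf = data.strip('"').lower().replace("/", "\\").split("\\")[-1]
                if leaf == DROPPED_FILE:
                    findings.append(("autorun", key, name, data))
        elif k in shares:
            for name, data in values.items():
                if name.lower() == SHARE_NAME:
                    findings.append(("share", key, name, decode_multi_sz(data)))
    return findings


# Constructed sample export (not from a real infected host), in .reg format.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\System32\\ctfmon.exe"
"AHU"="C:\\WINDOWS\\System32\\ANACON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Hvewsveqmg"="C:\\WINDOWS\\System32\\ANACON.EXE"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Cvfjx"="C:\\WINDOWS\\System32\\ANACON.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"HACKERz"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,\
  00,00,50,00,61,00,74,00,68,00,3d,00,43,00,3a,00,5c,00,00,00,00,00
"Public"=hex(7):50,00,61,00,74,00,68,00,3d,00,43,00,3a,00,5c,00,50,00,75,00,\
  62,00,00,00,00,00
'''


def report(reg_text):
    """Parse an export and return the indicator findings for it."""
    return find_naco_indicators(parse_reg_export(reg_text))


if __name__ == "__main__":
    for kind, key, name, detail in report(SAMPLE_REG):
        print(f"[{kind}] {key}\n    {name} = {detail}")
```

Run the script as-is to see the three autorun values and the decoded share entry (Path=C:\) from the constructed sample; to check a real host, export the keys with Registry Editor or `reg export` and pass the file's contents to `report()`.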

Undelivered Payload

This worm is also designed to function as a backdoor and terminate and delete the following antivirus and firewall programs if found active in memory:

  • Zonealarm.exe
  • Wfindv32.exe
  • Webscanx.exe
  • Vsstat.exe
  • Vshwin32.exe
  • Vsecomr.exe
  • Vscan40.exe
  • Vettray.exe
  • Vet95.exe
  • Tds2-Nt.exe
  • Tds2-98.exe
  • Tca.exe
  • Tbscan.exe
  • Sweep95.exe
  • Sphinx.exe
  • Smc.exe
  • Serv95.exe
  • Scrscan.exe
  • Scanpm.exe
  • Scan95.exe
  • Scan32.exe
  • Safeweb.exe
  • Regedit.exe
  • Rescue.exe
  • Rav7win.exe
  • Rav7.exe
  • Persfw.exe
  • Pcfwallicon.exe
  • Pccwin98.exe
  • Pavw.exe
  • Pavsched.exe
  • Pavcl.exe
  • Padmin.exe
  • Outpost.exe
  • Nvc95.exe
  • Jedi.exe
  • Nupgrade.exe
  • Normist.exe
  • Nmain.exe
  • Nisum.exe
  • Navwnt.exe
  • Navw32.exe
  • Navnt.exe
  • Navlu32.exe
  • Navapw32.exe
  • N32scanw.exe
  • Mpftray.exe
  • Moolive.exe
  • Luall.exe
  • Lookout.exe
  • Lockdown2000.exe
  • Iomon98.exe
  • Iface.exe
  • Icsuppnt.exe
  • Icsupp95.exe
  • Icmon.exe
  • Icloadnt.exe
  • Icload95.exe
  • Ibmavsp.exe
  • Ibmasn.exe
  • Iamserv.exe
  • Iamapp.exe
  • Frw.exe
  • Fprot.exe
  • Fp-Win.exe
  • Findviru.exe
  • f-Stopw.exe
  • f-Prot95.exe
  • f-Prot.exe
  • f-Agnt95.exe
  • Espwatch.exe
  • Esafe.exe
  • Ecengine.exe
  • Dvp95_0.exe
  • Dvp95.exe
  • Cleaner3.exe
  • Cleaner.exe
  • Claw95cf.exe
  • Claw95.exe
  • Cfinet32.exe
  • Cfinet.exe
  • Cfiaudit.exe
  • Cfiadmin.exe
  • Blackice.exe
  • Blackd.exe
  • Avwupd32.exe
  • Avwin95.exe
  • Avsched32.exe
  • Avpupd.exe
  • Avptc32.exe
  • Avpm.exe
  • Avpdos32.exe
  • Avpcc.exe
  • Avp32.exe
  • Avp.exe
  • Avnt.exe
  • Avkserv.exe
  • Avgctrl.exe
  • Ave32.exe
  • Avconsol.exe
  • Autodown.exe
  • Apvxdwin.exe
  • Anti-Trojan.exe
  • Ackwin32.exe
  • _Avpm.exe
  • _Avpcc.exe
  • _Avp32.exe

Other Details

It is also designed to deface Web pages in the default \Inetpub\wwwroot\ folder of an IIS installation by renaming files as follows:

  • index.htm renamed to Anacon_Index.htm
  • default.htm renamed to Anacon_Default.htm
  • index.html renamed to Anacon_Index.html
  • default.html renamed to Anacon_Default.html
  • index.asp renamed to Anacon_Index.asp
  • default.asp renamed to Anacon_Default.asp

Then, it overwrites the original files with the following text:

I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain and AQTE Anacon G0t ya! By Melhacker - The Real Hacker!

The code that performs this malicious routine is contained in the ANADEFACE.BAT batch file, which the worm creates if IIS is installed.

However, the worm was not able to perform any of the said malicious routines due to bugs in its code.
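The Peer-to-Peer Network Propagation and Other Details sections above describe two sets of file-system artifacts: lure-named copies of the worm in the default shared folders under Program Files, and renamed or overwritten pages plus ANADEFACE.BAT under \Inetpub\wwwroot. The following Python script is an added example written for this page, not code from the Trend Micro write-up or from the worm. It resolves the shared folders relative to a given Program Files path and flags files with the listed lure names; it also generalises slightly by flagging any executable with a media or document inner extension (for example .mpg.exe), since that naming pattern is what the lure names rely on. For the web root it reports the Anacon_-prefixed renamed pages, the batch file, and original pages whose content contains the defacement text. The directory tree the script builds is constructed in a temporary folder with placeholder content, and "MSVisual C++.exe" is assumed to be the decoded form of the URL-encoded name on the page.

```python
import tempfile
from pathlib import Path

# Default P2P shared folders named in the write-up, relative to Program Files.
P2P_SHARED_FOLDERS = [
    r"KMD\My Shared Folder", r"Kazaa\My Shared Folder",
    r"KaZaA Lite\My Shared Folder", r"Morpheus\My Shared Folder",
    r"Grokster\My Grokster", r"BearShare\Shared",
    r"Edonkey2000\Incoming", r"limewire\Shared",
]

# File names the worm copies into those folders (lower-cased for matching).
# Generic names such as Setup.exe are low-confidence on their own.
LURE_NAMES = {n.lower() for n in [
    "X-Men II Trailer.mpg.exe", "The Matrix Reloaded.jpg.exe",
    "Jonny English (JE).avi.exe", "EmpireEarthII.msi.exe", "Setup.exe",
    "JumpingJumping.exe", "SuperMarioBrother.exe", "YoungAndNotTooDangerous.exe",
    "Nokia8250Series.exe", "About SARS Solution.doc.exe",
    "Dont eat pork.. SARS in there.jpg.exe", "Mesmerize.exe",
    "MSVisual C++.exe",   # assumed decoding of the URL-encoded name on the page
    "Installer.exe", "Q544512.exe", "jdbgmgr.exe", "WindowsXP PowerToys.exe",
    "WMovie Maker II.exe", "WindowsUpdate.exe", "SEX_HOT.exe",
]}

# Inner extensions that make "<name>.<ext>.exe" look like media or documents.
DECOY_INNER_EXTS = {"mpg", "mpeg", "avi", "jpg", "jpeg", "gif", "doc",
                    "msi", "mp3", "txt", "pdf", "zip"}

DEFACED_PAGE_PREFIX = "anacon_"
ORIGINAL_PAGES = {"index.htm", "default.htm", "index.html",
                  "default.html", "index.asp", "default.asp"}
DEFACE_MARKER = "ANACON MELHACKER WILL SURVIVE"
DEFACE_BATCH = "anadeface.bat"


def looks_like_decoy_exe(name):
    """True for names such as clip.avi.exe whose inner extension is non-executable."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DECOY_INNER_EXTS


def scan_p2p_folders(program_files):
    """Return (reason, path) for suspicious files in the default shared folders."""
    hits = []
    for rel in P2P_SHARED_FOLDERS:
        folder = Path(program_files, *rel.split("\\"))
        if not folder.is_dir():
            continue
        for f in sorted(folder.iterdir()):
            if not f.is_file():
                continue
            if f.name.lower() in LURE_NAMES:
                hits.append(("known-lure-name", f))
            elif looks_like_decoy_exe(f.name):
                hits.append(("double-extension-exe", f))
    return hits


def scan_wwwroot(wwwroot):
    """Return (reason, path) for the IIS defacement artifacts described above."""
    hits = []
    wwwroot = Path(wwwroot)
    if not wwwroot.is_dir():
        return hits
    for f in sorted(wwwroot.iterdir()):
        low = f.name.lower()
        if not f.is_file():
            continue
        if low.startswith(DEFACED_PAGE_PREFIX):
            hits.append(("renamed-original", f))
        elif low == DEFACE_BATCH:
            hits.append(("deface-batch-file", f))
        elif low in ORIGINAL_PAGES and DEFACE_MARKER in f.read_text(errors="replace"):
            hits.append(("overwritten-page", f))
    return hits


def build_demo_tree(root):
    """Constructed sample tree (placeholder content, not real samples)."""
    root = Path(root)
    share = root / "Program Files" / "Kazaa" / "My Shared Folder"
    share.mkdir(parents=True)
    for name in ["X-Men II Trailer.mpg.exe", "Setup.exe", "holiday.mp3", "clip.avi.exe"]:
        (share / name).write_bytes(b"MZ placeholder")
    www = root / "Inetpub" / "wwwroot"
    www.mkdir(parents=True)
    (www / "Anacon_Index.htm").write_text("<html>original site</html>")
    (www / "index.htm").write_text("I WARN TO YOU! ... ANACON MELHACKER WILL SURVIVE! ...")
    (www / "default.asp").write_text("<% Response.Write(\"hello\") %>")
    (www / "ANADEFACE.BAT").write_text("rem constructed placeholder")
    return root / "Program Files", www


def demo():
    """Build the constructed tree, scan it, and return (p2p_hits, web_hits) as names."""
    with tempfile.TemporaryDirectory() as tmp:
        program_files, wwwroot = build_demo_tree(tmp)
        p2p = [(r, p.name) for r, p in scan_p2p_folders(program_files)]
        web = [(r, p.name) for r, p in scan_wwwroot(wwwroot)]
    return p2p, web


if __name__ == "__main__":
    p2p_hits, web_hits = demo()
    for reason, name in p2p_hits + web_hits:
        print(f"{reason:22} {name}")
```

On a live or mounted Windows volume, call `scan_p2p_folders` with the real Program Files path and `scan_wwwroot` with the real web root; the benign `holiday.mp3` and unmodified `default.asp` in the constructed tree show that the checks key on names and content, not on the folder as a whole.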

This UPX-compressed worm is written and compiled in Visual Basic and runs on Windows 95, 98, ME, NT, 2000, and XP.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.547.00

Pattern release date: May 24, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_NACO.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Malware Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    AHU = "%System%\ANACON.EXE"
    (%System% refers to the Windows system folder which by default is C:\Windows\System for Windows 95, 98, and ME, C:\Windows\System32 for Windows XP, and C:\Winnt\System32 for Windows NT and 2000.)
  4. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Hvewsveqmg = "%System%\ANACON.EXE"
  6. In the left panel, double-click the following:
    HKEY_USERS>.DEFAULT>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Cvfjx = "%System%\ANACON.EXE"
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>lanmanserver>Shares
  9. In the right panel, locate and delete the entry:
    HACKERz
  10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>
    Services>lanmanserver>Shares
  11. In the right panel, locate and delete the entry:
    HACKERz
  12. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>ControlSet002>
    Services>lanmanserver>Shares
  13. In the right panel, locate and delete the entry:
    HACKERz
  14. Close Registry Editor.

Note: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_NACO.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
