mwblog.org

Worm.Win32.Naco.e

1. Summary:

The worm Naco.e is a 32kB worm that spreads by mass-mailing infected emails and through Peer-To-Peer (P2P) networks. The worm is destructive and deletes files on certain dates. It also drops a backdoor onto the infected computer and makes the infected computer's disks accessible from the Internet.

Aliases:
Kaspersky: I-Worm.Nocana.e
Symantec: W32.Naco.C@mm

2. Detailed description:

When the worm Naco.e is executed for the first time, it creates the following file in the Windows system directory:

%SYSTEM%\anacon32.exe

The worm Naco.e registers itself to launch automatically after Windows starts, using the following registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM" = "%SYSTEM%\anacon32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20" = "%SYSTEM%\anacon32.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Services" = "%SYSTEM%\anacon32.exe"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20" = "%SYSTEM%\anacon32.exe"

%SYSTEM% stands for the Windows system directory. This directory can differ from computer to computer (it depends on the Windows installation). For example, on Microsoft Windows XP it is usually C:\WINDOWS\SYSTEM32\, and on Microsoft Windows 2000 it is usually C:\WINNT\SYSTEM32\.

The worm Naco.e immediately terminates the following processes if they are running:

_Avp32.exe
_Avpcc.exe
_Avpm.exe
Ackwin32.exe
Anti-Trojan.exe
Avconsol.exe
Avgctrl.exe
Avp32.exe
Avpm.exe
Blackice.exe
Cleaner3.exe
Esafe.exe
Findviru.exe
Fprot.exe
Frw.exe
Iamapp.exe
Icloadnt.exe
Icmon.exe
Icsuppnt.exe
Iface.exe
Lookout.exe
Luall.exe
Navnt.exe
Navw32.exe
Normist.exe
Outpost.exe
Pavw.exe
Pccwin98.exe
Persfw.exe
Rav7.exe
Regedit.exe
Safeweb.exe
Scan32.exe
Scanpm.exe
Serv95.exe
Sweep95.exe
Tbscan.exe
Tds2-Nt.exe
Vet95.exe
Vsecomr.exe
Vshwin32.exe
Vsstat.exe
Webscanx.exe
Wfindv32.exe
Zonealarm.exe

Because the worm terminates a large number of processes, only some of them are listed above to give the picture. All of the terminated processes belong to security applications such as antivirus programs, firewalls and computer management tools.

If the infected computer is running an Internet Information Services (IIS) server, the worm Naco.e deletes all files with the following extensions in the "wwwroot" directory:

*.asp
*.htm
*.html

The "wwwroot" directory is the root folder of the web server running on IIS.

The worm Naco.e then creates the following files in all subdirectories of the "wwwroot" directory:

default.asp
default.htm
default.html
index.asp
index.html
index.htm

These files contain a message from the worm author; anyone who connects to a website hosted on the infected web server will see the following message:

WARNING! YOUR WEB SERVER HAS BEEN HACKED BY ANACON MELHACKER.
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!

Every month, on the following days:

1st
4th
8th
12th
16th
20th
24th
28th

the worm Naco.e deletes all files from drives C:\ and D:\.

While the worm is deleting files, it displays a message box with the following text:

Anacon III

I miss you babe...

W32.Anacon.D@mm

The worm Naco.e drops a backdoor on the infected computer. This backdoor waits for commands from the worm writer or another attacker. The backdoor has many capabilities; a few of them are listed here:

launch a Denial of Service (DoS) attack against any website
hang the computer
restart the computer
record user keystrokes
record passwords
terminate any process
steal sensitive information (this information is sent to the virus author's email address via the worm's own SMTP server)

3. Spreading by emails:

The worm Naco.e spreads by mass-mailing infected emails through an SMTP server.

The worm Naco.e searches for email addresses in the Windows Address Book (WAB) and in various files on the local hard drive.

The subject of the infected email is randomly selected from the following:

Alert! New Variant Anacon.D has been detected!
Crack for Nokia LogoManager 1.3
FoxNews Reporter: There are no Solution for SARS?
Free SMS Via NACO SMS!
Get Free SMTP Server at Click Here!
Get Your Free XXX Password!
Gotcha baby!
Help me plz?
Nelly Furtado!
New! Dragon Ball Fx
News: US Goverment try to make wars with Tehran.
Out of my heart?
Patch for Microsoft Windows XP 64bit
Re: are you married?(3)
Seagate Baracuda 80GB for $???
Small And Destrucive!
TechTV: New Anti Virus Software
TIPs: HOW TO DEFACE A WEBSERVER?
What New in The ScreenSaver!
Your FTP Password: iuahdf7d8hf

The email body is randomly selected from the following variants:

Attention! Please do not eat pork! The SARS virus may come from the pig. So becareful. For more information check the attachment.
Regard, WTO


Great to see you again babe! This is file you want las week. Please don't distribute it to other.
Regard, V.C.

Hello dear,

I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon


Hi babe, Still missing me! I have send to you a special gift I made it my own. Just for you. Check it out the attachment.
Your Love, Rekcahlem

You may not see the message because the message has been converted to the attachment. Please open an attachment to see the message.

The name of the attached file is randomly selected from the following:

anacon32.exe
naco.exe
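As an added illustration of the indicators in this section (not code from the original description), the following Python function triages a raw email message against a subset of the subjects, the attachment names and a few body phrases listed above; the sample message embedded in it is constructed, not a real capture.

```python
from email import message_from_string

# Indicators taken from the Naco.e description above (a representative subset).
NACO_SUBJECTS = {
    "Alert! New Variant Anacon.D has been detected!",
    "Free SMS Via NACO SMS!",
    "Gotcha baby!",
    "Your FTP Password: iuahdf7d8hf",
}
NACO_ATTACHMENTS = {"anacon32.exe", "naco.exe"}
NACO_BODY_PHRASES = ("rekcahlem", "anacon", "do not eat pork")

# Constructed sample in the shape the description gives; not a real capture.
SAMPLE_INFECTED = """\
Subject: Gotcha baby!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi babe, Still missing me! I have send to you a special gift I made it my own.
Your Love, Rekcahlem
--b1
Content-Type: application/octet-stream; name="naco.exe"
Content-Disposition: attachment; filename="naco.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""

def triage_message(raw: str) -> dict:
    """Report which Naco.e indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    hits = {"subject": False, "attachments": [], "body": []}
    hits["subject"] = (msg.get("Subject") or "").strip() in NACO_SUBJECTS
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in NACO_ATTACHMENTS:
            hits["attachments"].append(name)
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1").lower()
            hits["body"] += [p for p in NACO_BODY_PHRASES if p in text]
    # A known dropper file name is decisive; a lure subject plus lure text is only suspect.
    hits["verdict"] = ("naco.e" if hits["attachments"]
                       else "suspect" if hits["subject"] and hits["body"] else "clean")
    return hits
```

Matching the subject exactly keeps false positives low, so the attachment name carries the verdict; a mail gateway would combine this with an attachment-type policy rather than rely on the lure texts alone.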

4. Spreading by Peer-to-Peer (P2P) networks:

The worm Naco.e searches the local disk drives for directories belonging to the Peer-To-Peer (P2P) clients "Kazaa" or "Grokster" and copies its body there under the following filenames:

About SARS Solution.doc.exe
Anacon The Great.exe
DialUp.pif
Dincracker eZine.exe
Dont Eat Pork SARS in there.exe
Downloader.exe
fxanacon.com
Generate a Random PAssword.exe
Get Lost.exe
GetMorePower.exe
Hack In 5 Minute.exe
Hacker HandBook.exe
HeavyMetal.mp3.exe
Hide Your Mount.exe
JackAndGinnie.exe
La Intrusa.exe
Lost YourPassword.txt.exe
MSWINSCK.OCX.EXE
NEW POWERTOY FOR WINXP.exe
New Variant.exe
NokiaPolyPhonic.exe
OfficeXP.exe
Oh Yeah Babe.exe
Patch - jdbgmgr.exe
Porta.exe
Replacement Killer 2.avi.exe
Ripley Believe It Or Not.exe
RosalindaAyamor
SMTP OCX.exe
Sucker.exe
The Lost Jungle.mpg.exe
The Matrix Reloaded Trailer.jpg.exe
TIPS HOW TO CRACK SYMANTEC SERVER.txt.exe
TNT.exe
Trailer DOOM III.exe
Uninstal.exe
VISE MINDVISION.exe
WhatIsGoingOn.exe
WindowsSecurity Patch.exe
WinZip9Beta.exe

5. How to clean this worm:

The manual part of the disinfection is as follows:

Disable System Restore and reboot the computer into Safe Mode.

Delete the following file from the Windows system directory:
%SYSTEM%\anacon32.exe

Delete the "ALM" entry in the following Run registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM" = "%SYSTEM%\anacon32.exe"

Delete the "Under20" and "Services" entries in the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20" = "%SYSTEM%\anacon32.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Services" = "%SYSTEM%\anacon32.exe"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20" = "%SYSTEM%\anacon32.exe"

Delete the following files from the shared folders of the "Kazaa" and "Grokster" Peer-To-Peer applications:

About SARS Solution.doc.exe
Anacon The Great.exe
DialUp.pif
Dincracker eZine.exe
Dont Eat Pork SARS in there.exe
Downloader.exe
fxanacon.com
Generate a Random PAssword.exe
Get Lost.exe
GetMorePower.exe
Hack In 5 Minute.exe
Hacker HandBook.exe
HeavyMetal.mp3.exe
Hide Your Mount.exe
JackAndGinnie.exe
La Intrusa.exe
Lost YourPassword.txt.exe
MSWINSCK.OCX.EXE
NEW POWERTOY FOR WINXP.exe
New Variant.exe
NokiaPolyPhonic.exe
OfficeXP.exe
Oh Yeah Babe.exe
Patch - jdbgmgr.exe
Porta.exe
Replacement Killer 2.avi.exe
Ripley Believe It Or Not.exe
RosalindaAyamor
SMTP OCX.exe
Sucker.exe
The Lost Jungle.mpg.exe
The Matrix Reloaded Trailer.jpg.exe
TIPS HOW TO CRACK SYMANTEC SERVER.txt.exe
TNT.exe
Trailer DOOM III.exe
Uninstal.exe
VISE MINDVISION.exe
WhatIsGoingOn.exe
WindowsSecurity Patch.exe
WinZip9Beta.exe

Reboot the cleaned computer into normal mode and re-enable System Restore.

Because this worm can create files with various names on the hard disk, be sure to check the computer with a good antivirus program as well. Most antivirus companies offer a free online scanner that you can use.
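To check an exported copy of the autorun keys listed in section 2 and to produce the matching deletion commands for the clean-up steps in this section, here is an added Python example (not from the original description or from any antivirus vendor). It assumes the input is the text of a `reg export` (.reg) dump, which writes full hive names and escaped backslashes; the sample dump embedded below is constructed for illustration.

```python
import re

# The four autorun keys and the dropped file named in the description (full hive names).
NACO_AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
}
NACO_DROPPED_FILE = "anacon32.exe"

# Constructed sample of a `reg export` (.reg) dump, not taken from a real machine;
# the VTTimer value is a benign entry included to show it is not flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM"="C:\\WINDOWS\\SYSTEM32\\anacon32.exe"
"VTTimer"="VTTimer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20"="C:\\WINDOWS\\SYSTEM32\\anacon32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Services"="C:\\WINDOWS\\SYSTEM32\\anacon32.exe"
"""

def find_naco_persistence(reg_text: str) -> list:
    """Return (key, value_name, data) for autorun values launching anacon32.exe."""
    # Match on the file name in the value data, not on the names ALM/Under20/Services,
    # so a value registered under another name is still found.
    wanted = {k.lower() for k in NACO_AUTORUN_KEYS}
    findings, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # a new [KEY] section starts
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*"(.*)"$', line)
        if not m or current_key is None or current_key.lower() not in wanted:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # un-escape .reg backslashes
        if data.lower().rsplit("\\", 1)[-1] == NACO_DROPPED_FILE:
            findings.append((current_key, name, data))
    return findings

def removal_commands(findings: list) -> list:
    """Translate findings into the `reg delete` commands matching the manual clean-up."""
    return [f'reg delete "{key}" /v "{name}" /f' for key, name, _ in findings]
```

Run the commands it prints only after the worm process has been stopped (Safe Mode, as the steps above say), otherwise the running copy can recreate the values.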

[11/02/2007 03:03] permanent link


