I-Worm.Nocana (aka Naco)
Nocana is a worm virus spreading via the Internet as an e-mail file attachment via P2P file sharing networks. The worm contains a backdoor routine.
The worm itself is a Windows PE EXE file, written in Visual Basic and is related to the I-Worm.Melare email worm.
There are several worm versions known, they differ only slightly. These versions are:
"Nocana.a" : about 29K (compressed by UPX, decompressed size - about 80K)
"Nocana.b" : about 86K
"Nocana.c" : about 32K (compressed by UPX, decompressed size - about 100K)
The worm activates from infected email only when a user clicks on the attached file. Note that the real attached .EXE file name is hidden by a false .JPG name (an "extra functionality" of MS Outlook is used to accomplish this deception). As a result the infected .EXE file is displayed as a .JPG image file, but upon opening the attachment it is executed as a true EXE file. Starting with MS Outlook 97 service pack 2 such attached files are blocked (by default).
The worm then installs itself to the system, runs its spreading routine and payload.
Installation
While installing the worm copies itself to the Windows directory using the name "ANACON.EXE" and registers this file in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AHU= %SystemDir%\ANACON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Hvewsveqmg = %SystemDir%\ANACON.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Cvfjx = %SystemDir%\ANACON.EXE
Other worm versions also copy themselves but using different names:
syspoly32.exe
build.exe
force.exe
scan.exe
runtime.exe
hangup.exe
hungry.exe
thing.exe
against.exe
wars.exe
The Nocana worm also terminates several anti-virus and active firewall processes.
Spreading
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book.
Infected messages have the following attributes:
Subject:
Body:
Attachment:
"Nocana.a":
Subject:
Do you happy?
Riyadh Issue: Al-Qaeda vs FBI
Osama Bin Laden Come Back!
Al-Qaeda News: Bombing Mission Success!
Check This Out!
Re: can mali can!
Al-Qaeda Team Entertainment News
[AQTE News]
Al-Jazeera: AQTE Come back!
Hi, may I read your mind?
Acheh Issue: What Solution!
Saddam Hussein Still alive
Iraqi people don't want US Control.
Let's Iraqi people build their country.
Download New 256-Bit Encryption Software
Alert! W32.HLLW.Anacon@mm Worm Has been detected!
Register you Windows Now!
Get free update Microsoft Windows Media Player
TIPS: How to hide your IP Address!
How to Protect you PC from Hackers!
Message body:
Hi dear,
Once I was first saw you, I was fall in love! Even you are already has
special friend!
Fall In Love,
Rekcahlem ~=~ Anacon
Attachment:
anakon.jpg
"Nocana.b,c":
Subject:
Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?
Message body:
Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon
Attachment:
anacon.exe
build.exe
force.exe
scan.exe
runtime.exe
hangup.exe
hungry.exe
thing.exe
against.exe
wars.exe
Infecting P2P
The worm copies itself to the P2P shared directories of following networks: KMD, Kazaa, Morpheus, Grokster, BearShare, Edonkey2000, Limewire.
Worm copies have the following names:
"Nocana.a":
X-Men II Trailer.mpg.exe
The Matrix Reloaded.jpg.exe
Jonny English (JE).avi.exe
EmpireEarthII.msi.exe
Setup.exe
JumpingJumping.exe
SuperMarioBrother.exe
YoungAndNotTooDangerous.exe
Nokia8250Series.exe
About SARS Solution.doc.exe
Dont eat pork.. SARS in there.jpg.exe
Mesmerize.exe
MSVisual C++.exe
Installer.exe
Q544512.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
WMovie Maker II.exe
WindowsUpdate.exe
SEX_HOT.exe
"Nocana.b,c":
The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
winamp3.exe
JugdeDread.exe
Microsoft Visual Studio.exe
gangXcop.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
VISE.exe
MSVisual C++.exe
QuickInstaller.exe
Q111023.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
InternationalDictionary.exe
EAGames.exe
SEX_HOTorCOOL.exe
Backdoor Routine
Opens full access to disk files and system registry keys
sends information about infected computer
sends cached passwords
sends keyboard log
downloads and executes files from Web
changes display resolution
runs DoS attack on several servers
e.t.c.
Payload
In the directories C:\Inetpub\wwwroot\ ³ D:\Inetpub\wwwroot\ (if they exist) the worm renames the following files:
index.htm -> Anacon_Index.htm
default.htm -> Anacon_Default.htm
index.html -> Anacon_Index.html
default.html -> Anacon_Default.html
index.asp -> Anacon_Index.asp
default.asp -> Anacon_Default.asp
Nocana then overwrites the original files ("index.htm", "default.htm", ...) with the text:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER
WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain and AQTE
Anacon G0t ya! By Melhacker - The Real Hacker!
On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm randonly performs one of the following actions:
executes all files in the current directory (in most cases - Windows system
directory)
displays the message:
Anacon W0rm
The only I have to say is, I need you babe!
formats the D: drive
deletes all files in the current directory (in most cases - Windows system
directory)
On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each
month the worm deletes all *.DLL, *.NLS, *.OCX files in the current directory
(in most cases - Windows directory).
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
270503/100904
