Virus Database

Goblin.1199

Description Goblin.1199

This is a benign memory resident encrypted multipartite virus. It hooks INT 13h, 1Ch, 21h and writes itself at the end of EXE files are accessed and MBR of hard drive on execution of infected program. Depending on system date it flips the screen by hooking of INT 1Ch. By hooking INT 13h it realizes the stealth algorithm on accessing to infected MBR. This virus contains the internal text string:
GOBLIN

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Nocana.a

Description I-Worm.Nocana.a

Nocana is a worm virus spreading via the Internet as an e-mail file attachment via P2P file sharing networks. The worm contains a backdoor routine.
The worm itself is a Windows PE EXE file, written in Visual Basic and is related to the I-Worm.Melare email worm.
There are several worm versions known, they differ only slightly. These versions are:
"Nocana.a" : about 29K (compressed by UPX, decompressed size - about 80K)
"Nocana.b" : about 86K
"Nocana.c" : about 32K (compressed by UPX, decompressed size - about 100K)

The worm activates from infected email only when a user clicks on the attached file. Note that the real attached .EXE file name is hidden by a false .JPG extension(an "extra functionality" of MS Outlook is used to accomplish this deception). As a result the infected .EXE file is displayed as a .JPG image file, but upon opening the attachment it is executed as a true EXE file. Starting with MS Outlook 97 service pack 2 such attached files are blocked (by default).
The worm then installs itself to the system, runs its spreading routine and payload.
Installation
While installing the worm copies itself to the Windows directory using the name "ANACON.EXE" and registers this file in the system registry auto-run keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
AHU= %SystemDir%ANACON.EXE

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
Hvewsveqmg = %SystemDir%ANACON.EXE

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Cvfjx = %SystemDir%ANACON.EXE

Other worm versions also copy themselves but using different names:
syspoly32.exe
build.exe
force.exe
scan.exe
runtime.exe
hangup.exe
hungry.exe
thing.exe
against.exe
wars.exe

The Nocana worm also terminates several anti-virus and active firewall processes.
Spreading
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book.
Infected messages have the following attributes:
Subject:
Body:
Attachment:

"Nocana.a":

Subject:

Do you happy?
Riyadh Issue: Al-Qaeda vs FBI
Osama Bin Laden Come Back!
Al-Qaeda News: Bombing Mission Success!
Check This Out!
Re: can mali can!
Al-Qaeda Team Entertainment News
[AQTE News]
Al-Jazeera: AQTE Come back!
Hi, may I read your mind?
Acheh Issue: What Solution!
Saddam Hussein Still alive
Iraqi people don't want US Control.
Let's Iraqi people build their country.
Download New 256-Bit Encryption Software
Alert! W32.HLLW.Anacon@mm Worm Has been detected!
Register you Windows Now!
Get free update Microsoft Windows Media Player
TIPS: How to hide your IP Address!
How to Protect you PC from Hackers!

Message body:

Hi dear,
Once I was first saw you, I was fall in love! Even you are already has special friend!
Fall In Love,
Rekcahlem ~=~ Anacon

Attachment:

anakon.jpg


"Nocana.b,c":

Subject:

Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?

Message body:

Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon

Attachment:

anacon.exe
build.exe
force.exe
scan.exe
runtime.exe
hangup.exe
hungry.exe
thing.exe
against.exe
wars.exe

Infecting P2P
The worm copies itself to the P2P shared directories of following networks: KMD, Kazaa, Morpheus, Grokster, BearShare, Edonkey2000, Limewire.
Worm copies have the ollowing names:
"Nocana.a":

X-Men II Trailer.mpg.exe
The Matrix Reloaded.jpg.exe
Jonny English (JE).avi.exe
EmpireEarthII.msi.exe
Setup.exe
JumpingJumping.exe
SuperMarioBrother.exe
YoungAndNotTooDangerous.exe
Nokia8250Series.exe
About SARS Solution.doc.exe
Dont eat pork.. SARS in there.jpg.exe
Mesmerize.exe
MSVisual C++.exe
Installer.exe
Q544512.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
WMovie Maker II.exe
WindowsUpdate.exe
SEX_HOT.exe

"Nocana.b,c":

The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
winamp3.exe
JugdeDread.exe
Microsoft Visual Studio.exe
gangXcop.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
VISE.exe
MSVisual C++.exe
QuickInstaller.exe
Q111023.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
InternationalDictionary.exe
EAGames.exe
SEX_HOTorCOOL.exe

Backdoor Routine

opens full access to disk files and system registry keys
sends information about infected computer
sends cached passwords
sends keyboard log
downloads and executes files from Web
changes display resolution
runs DoS attack on several servers
e.t.c.
Payload
In the directories C:Inetpubwwwroot ³ D:Inetpubwwwroot (if they exist) the worm renames the following files:
index.htm -> Anacon_Index.htm
default.htm -> Anacon_Default.htm
index.html -> Anacon_Index.html
default.html -> Anacon_Default.html
index.asp -> Anacon_Index.asp
default.asp -> Anacon_Default.asp

Nocana then overwrites the original files ("index.htm", "default.htm", all) with the text:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain and AQTE
Anacon G0t ya! By Melhacker - The Real Hacker!

On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm randonly performs one of the following actions:
executes all files in the current directory (in most cases - Windows system directory)
displays the message:


Anacon W0rm
The only I have to say is, I need you babe!

formats the D: drive
deletes all files in the current directory (in most cases - Windows system directory)
On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm deletes all *.DLL, *.NLS, *.OCX files in the current directory (in most cases - Windows directory).

I-Worm.Nyxem

Description I-Worm.Nyxem

This worm spreads via the Internet as an attachment to infected messages. It also spreads via Yahoo Pager and MSN Messenger.
The worm itself is written in Visual Basic, and is a PE EXE file, 76060 bytes in size. The file is packed using UPX, and the unpacked file is approximately 130KB in size.
Infected messages
There are two types of infected message:
Type one:
Message header (chosen from the following list):
<<~SEX~>> TeenRapers.mov
Asses Mpeg's
FW: (-Sucking-)
FW: **Hot Movie**
FW: File - WebCam.mpeg
FW: Lesbian & gays Mpeg
Fw: My Funny Ass
FW:RE: Least *21* Years
FW:Re:Hot Erotic
Re: Double suck (movie)
RE: FW: Women Mpeg
Re: Why? Form Back.mpg
very hot XXX
Video Clip
Message body (chosen from the following list):
Babe sucking black Dog MPEG
funny movie
hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at meall n thanks for lettin me join!!! kisses kandee..Bye
Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.
very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video Mpeg's Mpeg Video Clips
Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!! I'm attatching a Video Clip of my wife if interested in checking it out!
-==This server does not support Transfer Big Movies==- wo Hotttt gurls sucking a hansum cock Softly
Watch the Paris Hilton Sex Tape for Free!
Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
Here is another Vclip of my daily group :|
All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
u Love asses? Here is a great ass open wide waitin for ur lil Cock
Bye
movie attached open by media Player 7.1
when i saw my ass i slept 3 hours why?? check my ass sorry my movie
LOOOOOOOOL joke (^!^)
Bye
Check This ?ucking Babe ;D
?ucking = Sucking=Fucking
Attachment name (chosen from the following list):
17Ag_double_suck__part[2].MPEG_.scr
April_FromTexas.MPEG_.scr
Video_briefcase_Group[13].MPEG_.scr
Julia_1997_Fucking.MPEG_.scr
juanita_in_the_kitchen.MPEG.scr
After_2AM_small_room[4].MPEG__.scr
Graham_Hilton_Sex[4].MPEG__.scr
WebCam_12girls_Ass.mpeg_.scr
Shakira_Anal_very_old.MPEG.scr
why_fuck_anal_back.MPEG.scr
open_girl_21year.MPEG.scr
Ricky_Gay_ass.MPEG______________.scr
GrahamCluley_freakin_Ass_.MPEG__.scr
Sexual_Crimes.MPEG____.scr
Second type:
Message header:
Fw: Virus Alert
Message body:
Dear User ,
This is A very High Resk Virus Alert.
This email is sent to you because one or some of your friends has been infected with The W32.BlackWorm.A@mm Virus.
And you could be infected too. This Virus has the ability to damage the hard disk.
This Virus infects computers using many new ways :
1- it arrives as an email attachment inside of jpg pictures.
2- it infects the ip address without the victim's knowledge.
3- it infects Microsoft Word Documents using a new exploit in hex (00fxf0xf10x).
Notes:
Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
Symantec Security Response has attached a removal tool to clean and prevent the infections of W32.BlackWorm.A@mm.
--------------------------------------------------------------------------------
Sincerely
Norton AntiVirus
Attachment name:
FIX_BLACKWORM.COM
SCAN.ZIP (inside - FIX_BLACKWORM.COM)
SCAN.TGZ (inside - FIX_BLACKWORM.COM)
Installation
Once launched, the worm copies itself and its components to the Windows system directory. The name is chosen at random by the worm from the names of files which already exist. The worm then adds a space to the end of the name e.g.kodakprv. exe
Once the file has been created the wrom registers it in the system registry autorun key.
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
When launching, the worm launches Windows Media Player.
Propagation
The worm uses its own library (ossmtp.dll, oswinsck.dll) to send messages via smtp.
The worm harvests email addresses from Yahoo and MSN Messenger, and also scans files with the extensions .htm and .dbx to harvest addresses.
Other
The worm attempts to prevent antivirus programs from launching. It deletes the following registry keys:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
PccPfw
PCCIOMON.exe
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
Taskmon
KasperskyAv
system.
msgsvr32
Windows Services Host
Explorer
Sentry
ssate.exe
winupd.exe
au.exe
OLE
The worm attempts to conduct a DoS attack on www.nymex.com

Home