Virus Database

I-Worm.Nocana.a

Description I-Worm.Nocana.a

Nocana is a worm virus spreading via the Internet as an e-mail file attachment via P2P file sharing networks. The worm contains a backdoor routine.
The worm itself is a Windows PE EXE file, written in Visual Basic and is related to the I-Worm.Melare email worm.
There are several worm versions known, they differ only slightly. These versions are:
"Nocana.a" : about 29K (compressed by UPX, decompressed size - about 80K)
"Nocana.b" : about 86K
"Nocana.c" : about 32K (compressed by UPX, decompressed size - about 100K)

The worm activates from infected email only when a user clicks on the attached file. Note that the real attached .EXE file name is hidden by a false .JPG extension(an "extra functionality" of MS Outlook is used to accomplish this deception). As a result the infected .EXE file is displayed as a .JPG image file, but upon opening the attachment it is executed as a true EXE file. Starting with MS Outlook 97 service pack 2 such attached files are blocked (by default).
The worm then installs itself to the system, runs its spreading routine and payload.
Installation
While installing the worm copies itself to the Windows directory using the name "ANACON.EXE" and registers this file in the system registry auto-run keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
AHU= %SystemDir%ANACON.EXE

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
Hvewsveqmg = %SystemDir%ANACON.EXE

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Cvfjx = %SystemDir%ANACON.EXE

Other worm versions also copy themselves but using different names:
syspoly32.exe
build.exe
force.exe
scan.exe
runtime.exe
hangup.exe
hungry.exe
thing.exe
against.exe
wars.exe

The Nocana worm also terminates several anti-virus and active firewall processes.
Spreading
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book.
Infected messages have the following attributes:
Subject:
Body:
Attachment:

"Nocana.a":

Subject:

Do you happy?
Riyadh Issue: Al-Qaeda vs FBI
Osama Bin Laden Come Back!
Al-Qaeda News: Bombing Mission Success!
Check This Out!
Re: can mali can!
Al-Qaeda Team Entertainment News
[AQTE News]
Al-Jazeera: AQTE Come back!
Hi, may I read your mind?
Acheh Issue: What Solution!
Saddam Hussein Still alive
Iraqi people don't want US Control.
Let's Iraqi people build their country.
Download New 256-Bit Encryption Software
Alert! W32.HLLW.Anacon@mm Worm Has been detected!
Register you Windows Now!
Get free update Microsoft Windows Media Player
TIPS: How to hide your IP Address!
How to Protect you PC from Hackers!

Message body:

Hi dear,
Once I was first saw you, I was fall in love! Even you are already has special friend!
Fall In Love,
Rekcahlem ~=~ Anacon

Attachment:

anakon.jpg


"Nocana.b,c":

Subject:

Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?

Message body:

Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon

Attachment:

anacon.exe
build.exe
force.exe
scan.exe
runtime.exe
hangup.exe
hungry.exe
thing.exe
against.exe
wars.exe

Infecting P2P
The worm copies itself to the P2P shared directories of following networks: KMD, Kazaa, Morpheus, Grokster, BearShare, Edonkey2000, Limewire.
Worm copies have the ollowing names:
"Nocana.a":

X-Men II Trailer.mpg.exe
The Matrix Reloaded.jpg.exe
Jonny English (JE).avi.exe
EmpireEarthII.msi.exe
Setup.exe
JumpingJumping.exe
SuperMarioBrother.exe
YoungAndNotTooDangerous.exe
Nokia8250Series.exe
About SARS Solution.doc.exe
Dont eat pork.. SARS in there.jpg.exe
Mesmerize.exe
MSVisual C++.exe
Installer.exe
Q544512.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
WMovie Maker II.exe
WindowsUpdate.exe
SEX_HOT.exe

"Nocana.b,c":

The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
winamp3.exe
JugdeDread.exe
Microsoft Visual Studio.exe
gangXcop.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
VISE.exe
MSVisual C++.exe
QuickInstaller.exe
Q111023.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
InternationalDictionary.exe
EAGames.exe
SEX_HOTorCOOL.exe

Backdoor Routine

opens full access to disk files and system registry keys
sends information about infected computer
sends cached passwords
sends keyboard log
downloads and executes files from Web
changes display resolution
runs DoS attack on several servers
e.t.c.
Payload
In the directories C:Inetpubwwwroot ³ D:Inetpubwwwroot (if they exist) the worm renames the following files:
index.htm -> Anacon_Index.htm
default.htm -> Anacon_Default.htm
index.html -> Anacon_Index.html
default.html -> Anacon_Default.html
index.asp -> Anacon_Index.asp
default.asp -> Anacon_Default.asp

Nocana then overwrites the original files ("index.htm", "default.htm", all) with the text:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain and AQTE
Anacon G0t ya! By Melhacker - The Real Hacker!

On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm randonly performs one of the following actions:
executes all files in the current directory (in most cases - Windows system directory)
displays the message:


Anacon W0rm
The only I have to say is, I need you babe!

formats the D: drive
deletes all files in the current directory (in most cases - Windows system directory)
On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm deletes all *.DLL, *.NLS, *.OCX files in the current directory (in most cases - Windows directory).

Check other viruses! Be aware! Use Antiviral Software

Death.1001

Description Death.1001

Death is a not dangerous non-memory resident encrypted parasitic virus. It searches for .COM files (by using the mask "*.COM") and writes itself to the end of these files. On the 10th generation it types the message "Bad command or file name" and leaves in memory a memory resident program which hooks onto INT 09h (keyboard). When the Alt-Ctrl-Del keys are pressed in combination it types the following message and hangs the computer:
Your PC has lapsed into a higher state of beingall
D E A T H
Please, feel free to cold boot,
as nothing has been damaged,
it was only a near death
experience
Your PC should meditate more often,
'cuz with all the evil viruses
flowing around neurospace
we wouldn't want this
to become a real
D E A T H
[Death] The Attitude Adjuster, VG, 12/02/92

DeathBoy.912

Description DeathBoy.912

These are dangerous memory resident encrypted parasitic viruses. They search for COM and EXE files, then they write themselves to the end of the file. While infecting they erase the part of the system memory, that may cause the system crash. "DeathBoy.912" corrupts the CMOS. The viruses contain the text strings:
"DeathBoy.640": KaLi-4 / Köhntark
"DeathBoy.893": 1994 virus=DeathBoy was here
"DeathBoy.912": [BAD MOTHER BOARD] VIRUS=DeathBoy was here

Home