My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Nocan.B@mm

MEDIUM
HIGH
86,016 bytes (137,651 bytes dropper)
(N/A)

Symptoms

Presence of the following file in %SYSTEM% folder (86,016 bytes):
SYSPOLY32.EXE
SYSANA32.EXE

Presence of the following file in Program Files folder (108,336 bytes):
MSWINSCK.OCX

Presence of any of the following files in %SYSTEM% folder (137,651 bytes each):
ANACON.EXE
BUILD.EXE
FORCE.EXE
SCAN.EXE
RUNTIME.EXE
HANGUP.EXE
HUNGRY.EXE
THINGS.EXE
AGAINST.EXE
WARS.EXE

Presence of the next registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Nocana"]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"PowerManagement"]

pointing to one of the files above files (usually WARS.EXE)

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Nocana"="%SYSTEM%\wars.exe"]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AHU"="%SYSTEM%\SYSPOLY32.EXE"]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ "InterceptedSystem"="%SYSTEM%\SYSPOLY32.EXE"]

where %SYSTEM% points to Windows\System folder.

Removal instructions:

BitDefender can disinfect or delete automatically the files infected by this particular virus. The modified registry entries should be corrected manually.

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the following keys:

      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Nocana"]
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"PowerManagement"]
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AHU"]
      [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ "InterceptedSystem"]

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Nocan.B@mm.

Analyzed By

Patrick Vicol BitDefender Virus Researcher

Technical Description:

This mass mailer can spread through mail and also copies itself in the shared folders of some P2P programs like Kazaa. The infected e-mails look like this:

The subject may be one of the following:

(no subject)
Do you happy?
Great News! Check it out now!
Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?

The body:
Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon


Attachment: Wars.exe

Once the infected file or attachment is run, the virus does the following:

  1. Copies itself in %SYSTEM% folder as one of the following files:

    ANACON.EXE
    BUILD.EXE
    FORCE.EXE
    SCAN.EXE
    RUNTIME.EXE
    HANGUP.EXE
    HUNGRY.EXE
    THINGS.EXE
    AGAINST.EXE
    WARS.EXE


  2. Creates ANACON.BAT (216 bytes), MSWINSCK.OCX (108,336 bytes) and NACO.EXE (86,016 bytes) in the current folder, then ANACON.BAT is executed, thus registering MSWINSCK.OCX into the system and launching NACO.EXE. Next, ANACON.BAT is deleted and MSWINSCK.OCX is copied in Program Files folder.
    Then, a copy of NACO.EXE is copied in %SYSTEM% under the name SYSPOLY32.EXE and control is passed to SYSPOLY32.EXE


  3. Creates the aforementioned registry keys to make sure that the virus is run on startup.


  4. Searches the startup folder by following the registry key:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup]

    and writes the key

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Nocana]

    to point to one of the infected files.


  5. Searches for ICQ, and attempts to retrieve the ICQ number and Display name by following the following registry key:

    [HKCU\Software\Mirabilis\ICQ\Owners\?????????\Name]

    where ????????? is the ICQ number of infected user.


  6. Drops and executes COSN.REG via regedit /s and thus shares C: drive, by creating the next registry entries:

    [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security]
    [HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Shares\Security]
    [HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares\Security]

    with the entry HACKERz.


  7. Attempts to send itself through Outlook (see above for details).


  8. Creates the next registry entries in order to run itself on ICQ startup:

    [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip\"Enable"="Yes"]
    [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip\"Parameters"=""]
    [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip\"Path"=
    "%SYSTEM%\SYSPOLY32.EXE"]

    [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip\"Startup"=
    "C:\WINDOWS\SYSTEM\"]


  9. Attempts to terminate any of the following processes:

    Zonealarm.exe
    Wfindv32.exe
    Webscanx.exe
    Vsstat.exe
    Vshwin32.exe
    Vsecomr.exe
    Vscan40.exe
    Vettray.exe
    Vet95.exe
    Tds2-Nt.exe
    Tds2-98.exe
    Tca.exe
    Tbscan.exe
    Sweep95.exe
    Sphinx.exe
    Smc.exe
    Serv95.exe
    Scrscan.exe
    Scanpm.exe
    Scan95.exe
    Scan32.exe
    Safeweb.exe
    Regedit.exe
    Rescue.exe
    Rav7win.exe
    Rav7.exe
    Persfw.exe
    Pcfwallicon.exe
    Pccwin98.exe
    Pavw.exe
    Pavsched.exe
    Pavcl.exe
    Padmin.exe
    Outpost.exe
    Nvc95.exe
    Nupgrade.exe
    Normist.exe
    Nmain.exe
    Nisum.exe
    Navwnt.exe
    Navw32.exe
    Navnt.exe
    Navlu32.exe
    Navapw32.exe
    N32scanw.exe
    Mpftray.exe
    Moolive.exe
    Luall.exe
    Lookout.exe
    Lockdown2000.exe
    Jedi.exe
    Iomon98.exe
    Iface.exe
    Icsuppnt.exe
    Icsupp95.exe
    Icmon.exe
    Icloadnt.exe
    Icload95.exe
    Ibmavsp.exe
    Ibmasn.exe
    Iamserv.exe
    Iamapp.exe
    Frw.exe
    Fprot.exe
    Fp-Win.exe
    Findviru.exe
    f-Stopw.exe
    f-Prot95.exe
    f-Prot.exe
    f-Agnt95.exe
    Espwatch.exe
    Esafe.exe
    Ecengine.exe
    Dvp95_0.exe
    Dvp95.exe
    Cleaner3.exe
    Cleaner.exe
    Claw95cf.exe
    Claw95.exe
    Cfinet32.exe
    Cfinet.exe
    Cfiaudit.exe
    Cfiadmin.exe
    Blackice.exe
    Blackd.exe
    Avwupd32.exe
    Avwin95.exe
    Avsched32.exe
    Avpupd.exe
    Avptc32.exe
    Avpm.exe
    Avpdos32.exe
    Avpcc.exe
    Avp32.exe
    Avp.exe
    Avnt.exe
    Avkserv.exe
    Avgctrl.exe
    Ave32.exe
    Avconsol.exe
    Autodown.exe
    Apvxdwin.exe
    Anti-Trojan.exe
    Ackwin32.exe
    _Avpm.exe
    _Avpcc.exe
    _Avp32.exe
    Norton Antivirus Auto Protect Service

    and delete the files by adding entries with NULL= in WININIT.INI


  10. Deletes C:\SAFEWEB\ folder.


  11. Attempts to remove Trojan Defence Suite by following the next registry entries:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"TDS-2"]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\]


  12. If IIS is installed, the virus drops ANADEFACE.BAT that will rename files in \Inetpub\wwwroot folders on drives C: and D:
    default.asp as ANA_Default.asp
    index.htm as ANA_Index.htm
    default.htm as ANA_Default.htm
    index.html as ANA_Index.html
    default.html as ANA_Default.html
    index.asp as ANA_Index.asp

    and will place inside them the following text:

    Melhacker Anacon Deface v2.0
    I WARN TO YOU! DON\'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
    Anacon G0t ya! By Melhacker - dA r34L #4(k3R!


  13. Sends cached passwords and system information to the e-mail address

    chatza@phreaker.net.


  14. Listens to one of the following ports:

    5567
    45567
    36794
    7676
    2383

    and waits for an attacker to issue commands.


  15. Performs DDoS attacks on the IP addresses:

    212.150.63.115
    212.143.236.4
    62.154.244.36
    209.61.182.140
    198.65.148.153
    208.40.175.222
    161.58.232.244
    161.58.197.155
    194.90.114.5
    147.237.72.91


  16. Attempts to place copies of itself in the shared folders of some peer-to-peer programs:

    \KMD\My Shared Folder\
    \Kazaa\My Shared Folder\
    \KaZaA Lite\My Shared Folder\
    \Morpheus\My Shared Folder\
    \Grokster\My Grokster\
    \BearShare\Shared\
    \Edonkey2000\Incoming\
    \limewire\Shared\

    under the following filenames:

    The Matrix Evolution.mpg.exe
    The Matrix Reloaded Preview.jpg.exe
    Jonny English (JE).avi.exe
    DOOM III Demo.exe
    winamp3.exe
    JugdeDread.exe
    Microsoft Visual Studio.exe
    gangXcop.exe
    Upgrade you HandPhone.exe
    About SARS Solution.doc.exe
    Dont eat pork. SARS in there.jpg.exe
    VISE.exe
    MSVisual C++.exe
    QuickInstaller.exe
    Q111023.exe
    jdbgmgr.exe
    WindowsXP PowerToys.exe
    InternationalDictionary.exe
    EAGames.exe
    SEX_HOTorCOOL.exe

Notes: The virus can download other infected files from an internet address. This is another VB virus written by Melhacker (author of Win32.Maax.B@mm). Win32.Nocan.C@mm is very similar to this mass mailer and is written by the same author.