Symptoms

Removal instructions:

Analyzed By

Technical Description:

This mass mailer can spread through mail and also copies itself in the shared folders of some P2P programs like Kazaa. The infected e-mails look like this:

The subject may be one of the following:

(no subject)
Do you happy?
Great News! Check it out now!
Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?

The body:
Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon

Attachment: Wars.exe

Once the infected file or attachment is run, the virus does the following:

1. Copies itself in %SYSTEM% folder as one of the following files:
   
   ANACON.EXE
   BUILD.EXE
   FORCE.EXE
   SCAN.EXE
   RUNTIME.EXE
   HANGUP.EXE
   HUNGRY.EXE
   THINGS.EXE
   AGAINST.EXE
   WARS.EXE



2. Creates ANACON.BAT (216 bytes), MSWINSCK.OCX (108,336 bytes) and NACO.EXE (86,016 bytes) in the current folder, then ANACON.BAT is executed, thus registering MSWINSCK.OCX into the system and launching NACO.EXE. Next, ANACON.BAT is deleted and MSWINSCK.OCX is copied in Program Files folder.
   Then, a copy of NACO.EXE is copied in %SYSTEM% under the name SYSPOLY32.EXE and control is passed to SYSPOLY32.EXE



3. Creates the aforementioned registry keys to make sure that the virus is run on startup.



4. Searches the startup folder by following the registry key:
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup]
   
   and writes the key
   
   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Nocana]
   
   to point to one of the infected files.



5. Searches for ICQ, and attempts to retrieve the ICQ number and Display name by following the following registry key:
   
   [HKCU\Software\Mirabilis\ICQ\Owners\?????????\Name]
   
   where ????????? is the ICQ number of infected user.



6. Drops and executes COSN.REG via regedit /s and thus shares C: drive, by creating the next registry entries:
   
   [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security]
   [HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Shares\Security]
   [HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares\Security]
   
   with the entry HACKERz.



7. Attempts to send itself through Outlook (see above for details).



8. Creates the next registry entries in order to run itself on ICQ startup:
   
   [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip\"Enable"="Yes"]
   [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip\"Parameters"=""]
   [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip\"Path"=
   "%SYSTEM%\SYSPOLY32.EXE"]
   [HKCU\Software\Mirabilis\ICQ\Agent\Apps\Gvjlkfbip\"Startup"=
   "C:\WINDOWS\SYSTEM\"]



9. Attempts to terminate any of the following processes:
   
   Zonealarm.exe
   Wfindv32.exe
   Webscanx.exe
   Vsstat.exe
   Vshwin32.exe
   Vsecomr.exe
   Vscan40.exe
   Vettray.exe
   Vet95.exe
   Tds2-Nt.exe
   Tds2-98.exe
   Tca.exe
   Tbscan.exe
   Sweep95.exe
   Sphinx.exe
   Smc.exe
   Serv95.exe
   Scrscan.exe
   Scanpm.exe
   Scan95.exe
   Scan32.exe
   Safeweb.exe
   Regedit.exe
   Rescue.exe
   Rav7win.exe
   Rav7.exe
   Persfw.exe
   Pcfwallicon.exe
   Pccwin98.exe
   Pavw.exe
   Pavsched.exe
   Pavcl.exe
   Padmin.exe
   Outpost.exe
   Nvc95.exe
   Nupgrade.exe
   Normist.exe
   Nmain.exe
   Nisum.exe
   Navwnt.exe
   Navw32.exe
   Navnt.exe
   Navlu32.exe
   Navapw32.exe
   N32scanw.exe
   Mpftray.exe
   Moolive.exe
   Luall.exe
   Lookout.exe
   Lockdown2000.exe
   Jedi.exe
   Iomon98.exe
   Iface.exe
   Icsuppnt.exe
   Icsupp95.exe
   Icmon.exe
   Icloadnt.exe
   Icload95.exe
   Ibmavsp.exe
   Ibmasn.exe
   Iamserv.exe
   Iamapp.exe
   Frw.exe
   Fprot.exe
   Fp-Win.exe
   Findviru.exe
   f-Stopw.exe
   f-Prot95.exe
   f-Prot.exe
   f-Agnt95.exe
   Espwatch.exe
   Esafe.exe
   Ecengine.exe
   Dvp95_0.exe
   Dvp95.exe
   Cleaner3.exe
   Cleaner.exe
   Claw95cf.exe
   Claw95.exe
   Cfinet32.exe
   Cfinet.exe
   Cfiaudit.exe
   Cfiadmin.exe
   Blackice.exe
   Blackd.exe
   Avwupd32.exe
   Avwin95.exe
   Avsched32.exe
   Avpupd.exe
   Avptc32.exe
   Avpm.exe
   Avpdos32.exe
   Avpcc.exe
   Avp32.exe
   Avp.exe
   Avnt.exe
   Avkserv.exe
   Avgctrl.exe
   Ave32.exe
   Avconsol.exe
   Autodown.exe
   Apvxdwin.exe
   Anti-Trojan.exe
   Ackwin32.exe
   _Avpm.exe
   _Avpcc.exe
   _Avp32.exe
   Norton Antivirus Auto Protect Service
   
   and delete the files by adding entries with NULL= in WININIT.INI



10. Deletes C:\SAFEWEB\ folder.



11. Attempts to remove Trojan Defence Suite by following the next registry entries:
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"TDS-2"]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\]



12. If IIS is installed, the virus drops ANADEFACE.BAT that will rename files in \Inetpub\wwwroot folders on drives C: and D:
    default.asp as ANA_Default.asp
    index.htm as ANA_Index.htm
    default.htm as ANA_Default.htm
    index.html as ANA_Index.html
    default.html as ANA_Default.html
    index.asp as ANA_Index.asp
    
    and will place inside them the following text:
    
    Melhacker Anacon Deface v2.0
    I WARN TO YOU! DON\'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
    Anacon G0t ya! By Melhacker - dA r34L #4(k3R!



13. Sends cached passwords and system information to the e-mail address
    
    chatza@phreaker.net.



14. Listens to one of the following ports:
    
    5567
    45567
    36794
    7676
    2383
    
    and waits for an attacker to issue commands.



15. Performs DDoS attacks on the IP addresses:
    
    212.150.63.115
    212.143.236.4
    62.154.244.36
    209.61.182.140
    198.65.148.153
    208.40.175.222
    161.58.232.244
    161.58.197.155
    194.90.114.5
    147.237.72.91



16. Attempts to place copies of itself in the shared folders of some peer-to-peer programs:
    
    \KMD\My Shared Folder\
    \Kazaa\My Shared Folder\
    \KaZaA Lite\My Shared Folder\
    \Morpheus\My Shared Folder\
    \Grokster\My Grokster\
    \BearShare\Shared\
    \Edonkey2000\Incoming\
    \limewire\Shared\
    
    under the following filenames:
    
    The Matrix Evolution.mpg.exe
    The Matrix Reloaded Preview.jpg.exe
    Jonny English (JE).avi.exe
    DOOM III Demo.exe
    winamp3.exe
    JugdeDread.exe
    Microsoft Visual Studio.exe
    gangXcop.exe
    Upgrade you HandPhone.exe
    About SARS Solution.doc.exe
    Dont eat pork. SARS in there.jpg.exe
    VISE.exe
    MSVisual C++.exe
    QuickInstaller.exe
    Q111023.exe
    jdbgmgr.exe
    WindowsXP PowerToys.exe
    InternationalDictionary.exe
    EAGames.exe
    SEX_HOTorCOOL.exe

Notes: The virus can download other infected files from an internet address. This is another VB virus written by Melhacker (author of Win32.Maax.B@mm). Win32.Nocan.C@mm is very similar to this mass mailer and is written by the same author.