Home / malware Win32.Nocan.B@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Nocan.B@mm is also known as N/A.
Explanation :
This mass mailer can spread through mail and also copies itself in the shared folders of some P2P programs like Kazaa. The infected e-mails look like this:
The subject may be one of the following:
(no subject)
Do you happy?
Great News! Check it out now!
Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?
The body:
Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon
Attachment: Wars.exe
Once the infected file or attachment is run, the virus does the following:
Copies itself in %SYSTEM% folder as one of the following files:
ANACON.EXE
BUILD.EXE
FORCE.EXE
SCAN.EXE
RUNTIME.EXE
HANGUP.EXE
HUNGRY.EXE
THINGS.EXE
AGAINST.EXE
WARS.EXE
Creates ANACON.BAT (216 bytes), MSWINSCK.OCX (108,336 bytes) and NACO.EXE (86,016 bytes) in the current folder, then ANACON.BAT is executed, thus registering MSWINSCK.OCX into the system and launching NACO.EXE. Next, ANACON.BAT is deleted and MSWINSCK.OCX is copied in Program Files folder.
Then, a copy of NACO.EXE is copied in %SYSTEM% under the name SYSPOLY32.EXE and control is passed to SYSPOLY32.EXE
Creates the aforementioned registry keys to make sure that the virus is run on startup.
Searches the startup folder by following the registry key:
[HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersStartup]
and writes the key
[HKLMSoftwareMicrosoftWindowsCurrentVersionRunNocana]
to point to one of the infected files.
Searches for ICQ, and attempts to retrieve the ICQ number and Display name by following the following registry key:
[HKCUSoftwareMirabilisICQOwners?????????Name]
where ????????? is the ICQ number of infected user.
Drops and executes COSN.REG via regedit /s and thus shares C: drive, by creating the next registry entries:
[HKLMSYSTEMCurrentControlSetServiceslanmanserverSharesSecurity]
[HKLMSYSTEMControlSet001ServiceslanmanserverSharesSecurity]
[HKLMSYSTEMControlSet002ServiceslanmanserverSharesSecurity]
with the entry HACKERz.
Attempts to send itself through Outlook (see above for details).
Creates the next registry entries in order to run itself on ICQ startup:
[HKCUSoftwareMirabilisICQAgentAppsGvjlkfbip"Enable"="Yes"]
[HKCUSoftwareMirabilisICQAgentAppsGvjlkfbip"Parameters"=""]
[HKCUSoftwareMirabilisICQAgentAppsGvjlkfbip"Path"=
"%SYSTEM%SYSPOLY32.EXE"]
[HKCUSoftwareMirabilisICQAgentAppsGvjlkfbip"Startup"=
"C:WINDOWSSYSTEM"]
Attempts to terminate any of the following processes:
Zonealarm.exe
Wfindv32.exe
Webscanx.exe
Vsstat.exe
Vshwin32.exe
Vsecomr.exe
Vscan40.exe
Vettray.exe
Vet95.exe
Tds2-Nt.exe
Tds2-98.exe
Tca.exe
Tbscan.exe
Sweep95.exe
Sphinx.exe
Smc.exe
Serv95.exe
Scrscan.exe
Scanpm.exe
Scan95.exe
Scan32.exe
Safeweb.exe
Regedit.exe
Rescue.exe
Rav7win.exe
Rav7.exe
Persfw.exe
Pcfwallicon.exe
Pccwin98.exe
Pavw.exe
Pavsched.exe
Pavcl.exe
Padmin.exe
Outpost.exe
Nvc95.exe
Nupgrade.exe
Normist.exe
Nmain.exe
Nisum.exe
Navwnt.exe
Navw32.exe
Navnt.exe
Navlu32.exe
Navapw32.exe
N32scanw.exe
Mpftray.exe
Moolive.exe
Luall.exe
Lookout.exe
Lockdown2000.exe
Jedi.exe
Iomon98.exe
Iface.exe
Icsuppnt.exe
Icsupp95.exe
Icmon.exe
Icloadnt.exe
Icload95.exe
Ibmavsp.exe
Ibmasn.exe
Iamserv.exe
Iamapp.exe
Frw.exe
Fprot.exe
Fp-Win.exe
Findviru.exe
f-Stopw.exe
f-Prot95.exe
f-Prot.exe
f-Agnt95.exe
Espwatch.exe
Esafe.exe
Ecengine.exe
Dvp95_0.exe
Dvp95.exe
Cleaner3.exe
Cleaner.exe
Claw95cf.exe
Claw95.exe
Cfinet32.exe
Cfinet.exe
Cfiaudit.exe
Cfiadmin.exe
Blackice.exe
Blackd.exe
Avwupd32.exe
Avwin95.exe
Avsched32.exe
Avpupd.exe
Avptc32.exe
Avpm.exe
Avpdos32.exe
Avpcc.exe
Avp32.exe
Avp.exe
Avnt.exe
Avkserv.exe
Avgctrl.exe
Ave32.exe
Avconsol.exe
Autodown.exe
Apvxdwin.exe
Anti-Trojan.exe
Ackwin32.exe
_Avpm.exe
_Avpcc.exe
_Avp32.exe
Norton Antivirus Auto Protect Service
and delete the files by adding entries with NULL= in WININIT.INI
Deletes C:SAFEWEB folder.
Attempts to remove Trojan Defence Suite by following the next registry entries:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun"TDS-2"]
[HKLMSoftwareMicrosoftWindowsCurrentVersionApp Paths]
If IIS is installed, the virus drops ANADEFACE.BAT that will rename files in Inetpubwwwroot folders on drives C: and D:
default.asp as ANA_Default.asp
index.htm as ANA_Index.htm
default.htm as ANA_Default.htm
index.html as ANA_Index.html
default.html as ANA_Default.html
index.asp as ANA_Index.asp
and will place inside them the following text:
Melhacker Anacon Deface v2.0
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain, Foot-Art and AQTE
Anacon G0t ya! By Melhacker - dA r34L #4(k3R!
Sends cached passwords and system information to the e-mail address
chatza@phreaker.net.
Listens to one of the following ports:
5567
45567
36794
7676
2383
and waits for an attacker to issue commands.
Performs DDoS attacks on the IP addresses:
212.150.63.115
212.143.236.4
62.154.244.36
209.61.182.140
198.65.148.153
208.40.175.222
161.58.232.244
161.58.197.155
194.90.114.5
147.237.72.91
Attempts to place copies of itself in the shared folders of some peer-to-peer programs:
KMDMy Shared Folder
KazaaMy Shared Folder
KaZaA LiteMy Shared Folder
MorpheusMy Shared Folder
GroksterMy Grokster
BearShareShared
Edonkey2000Incoming
limewireShared
under the following filenames:
The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
winamp3.exe
JugdeDread.exe
Microsoft Visual Studio.exe
gangXcop.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
VISE.exe
MSVisual C++.exe
QuickInstaller.exe
Q111023.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
InternationalDictionary.exe
EAGames.exe
SEX_HOTorCOOL.exe
Notes: The virus can download other infected files from an internet address. This is another VB virus written by Melhacker (author of Win32.Maax.B@mm). Win32.Nocan.C@mm is very similar to this mass mailer and is written by the same author.Last update 21 November 2011
