W32/Anacon-D

Category: Viruses and Spyware
Protection available since: 12 Jun 2003 00:00:00 (GMT)
Type: Win32 executable file virus
Last Updated: 12 Jun 2003 00:00:00 (GMT)
Prevalence: No Reports

W32/Anacon-D attempts to spread using email and may also infect executable files in the Windows System folder.

The virus arrives in an email with the following characteristics:
Subject line: Randomly chosen from -
Alert! New Variant W32/Naco.F@mm has been detected!
British Air Will Backcrupt
Crack for Nokie LogoManager 1.3
FoxNews Reporter: What
Free SMS Via NACO SMS!
Get Free SMTP Server at Click Here!
Get Your Free XXX Password!
Gotcha baby!
Help me plz!
Less And More
Microsoft Windows LongHorn XP
News: US Govermenvt try to make wars with Teheran.
Patch for Microsoft Windows XP 64bit
Re: are you married?(3)
Seagate Baracuda 80GB for $???
Small And Destructive!
TIPs: CODE FOR CRACKING EB SERVER
You r a chichy boy, you r a chicky girl
Your XXX Password: ud78sd8df

Message text: Randomly chosen from -
"Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon"

"Attention!
Please do not eat pork! The SARS virus may come from the pig. So becareful.
For more information check the attachment.
Regard, WTO"

"
(blank)
You may not see the message because the message has been convert to the
attachment. Please open an attachment to see the message."

"Hi babe, Still missing me! I have send to you a special gift I made it my own. Just for you. Check it out the attachment.
Your Love,
Rekcahlem"

"Great to see you again babe! This is file you want las week. Please don't
distribute it to other.
Regard,
V.C."

Attached file: csrss32.exe

When run, the virus displays the message
".: Anacon 6 Worm :.
THanX f0r SupPoRted:
Dincracker, Foot-Art, PakBrain, Fady911x, Anacon, Axam, Sh4m_Skru, AjeedNASA,
Incisibleman, Zied666 and all my frenz...".

W32/Anacon-D copies itself to the system folder as csrss32.exe and creates the following registry entries so that the virus is run on Windows startup:

\HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALM
\HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Services

The virus will also copy itself into the Startup folder with randomly generated names.
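
A defender-side check for the persistence described above, added here as an example and not part of the original advisory: it scans `reg query` output for the two listed autorun entries and for any autorun whose data points at csrss32.exe. It assumes the last component of each listed registry entry is the value name and that the data is the autorun command line; the sample output is constructed.

```python
import re

# Indicators from the advisory. Assumption: the last component of each listed
# registry entry is the value name, and its data is the autorun command line.
AUTORUN_VALUES = {
    r"software\microsoft\windows\currentversion\run": "alm",
    r"software\microsoft\windows\currentversion\runservices": "services",
}
# Base name must match exactly, so the legitimate csrss.exe is not flagged.
DROPPED_FILE = re.compile(r'(?:^|[\\/"\s])csrss32\.exe(?=$|["\s])', re.I)
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ALM    REG_SZ    C:\WINDOWS\System32\csrss32.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Services    REG_SZ    C:\WINDOWS\System32\csrss32.exe
    SchedulingAgent    REG_SZ    mstask.exe
"""


def strip_hive(key):
    """Return the lower-cased key path under HKLM, or None for other hives."""
    key = key.strip().rstrip("\\").lower()
    for hive in ("hkey_local_machine\\", "hklm\\"):
        if key.startswith(hive):
            return key[len(hive):]
    return None


def find_anacon_autoruns(reg_query_output):
    """Return (key, value name, data, reasons) for autoruns matching the advisory."""
    hits, current_key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HK"):  # key header lines start at column 0
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m is None or current_key is None:
            continue
        reasons = []
        if AUTORUN_VALUES.get(strip_hive(current_key)) == m["name"].lower():
            reasons.append("value name listed in advisory")
        if DROPPED_FILE.search(m["data"]):
            reasons.append("data references csrss32.exe")
        if reasons:
            hits.append((current_key, m["name"], m["data"], reasons))
    return hits
```

A match on the value name alone is a weaker signal than a match on the file name, so the reasons are reported separately for triage.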

W32/Anacon-D has a backdoor component that allows a malicious user remote access to the computer when the virus is active. The virus attempts to send a notification email containing system information to a remote email address.

As a backdoor, the virus initiates a port connection that provides unauthorized access to the infected computer. This allows an intruder to manipulate the CDAudio door, CD-ROM and Clipboard, play media, drop a keylogger and download a file.

The virus may also attempt to terminate the following anti-virus programs and security related processes and delete all files from the corresponding program folders:

_Avp32.exe
_Avpcc.exe
_Avpm.exe
Ackwin32.exe
Anti-Trojan.exe
Apvxdwin.exe
Autodown.exe
Ave32.exe
Avgctrl.exe
Avkserv.exe
Avnt.exe
Avp.exe
Avp32.exe
Avpcc.exe
Avpdos32.exe
Avpm.exe
Avptc32.exe
Avpupd.exe
Avsched32.exe
Avwin95.exe
Avwupd32.exe
Blackd.exe
Blackice.exe
Cfiadmin.exe
Cfiaudit.exe
Cfinet.exe
Cfinet32.exe
Claw95.exe
Claw95cf.exe
Cleaner.exe
Cleaner3.exe
Dvp95.exe
Dvp95_0.exe
Ecengine.exe
Esafe.exe
Espwatch.exe
f-Agnt95.exe
Findviru.exe
Fprot.exe
f-Prot.exe
f-Prot95.exe
Fp-Win.exe
Frw.exe
f-Stopw.exe
Iamapp.exe
Iamserv.exe
Ibmasn.exe
Ibmavsp.exe
Icload95.exe
Icloadnt.exe
Icmon.exe
Icsupp95.exe
Icsuppnt.exe
Iface.exe
Iomon98.exe
Jedi.exe
Lookout.exe
Luall.exe
Moolive.exe
Mpftray.exe
N32scanw.exe
Navapw32.exe
Navlu32.exe
Navnt.exe
Navw32.exe
Navwnt.exe
Nisum.exe
Nmain.exe
Normist.exe
Nupgrade.exe
Nvc95.exe
Outpost.exe
Padmin.exe
Pavcl.exe
Pavsched.exe
Pavw.exe
Pccwin98.exe
Pcfwallicon.exe
Persfw.exe
Rav7win.exe
Regedit.exe
Rescue.exe
Safeweb.exe
Scan32.exe
Scan95.exe
Scanpm.exe
Scrscan.exe
Serv95.exe
Smc.exe
Sphinx.exe
Sweep95.exe
Tbscan.exe
Tca.exe
Tds2-98.exe
Vet95.exe
Vettray.exe
Vscan40.exe
Vsecomr.exe
Webscanx.exe
Wfindv32.exe
Zonealarm.exe
