Summary

| Protection available since | 28 September 2003 09:46:42 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
You will also need to edit the following registry entries. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Nocana" = <path to the attachment copy>
"AHU" = <path to the unpacked copy>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"InterceptedSystem" = <path to the unpacked copy>
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\mirabilis\ICQ\Agent\Apps\Cvjlkfbip
"Startup" = <path to the System folder>
"Enable" = "Yes"
"Parameters" = ""
"Path" = <path to the unpacked copy>
Delete the reference to 'Cvjlkfbip'.
Close the registry editor.
More Information
W32/Anacon-B is a mass-mailing worm with a backdoor component. It attempts to spread via email, using the Outlook address book, via network shares and via popular P2P networks.
The worm may arrive in an email with the following characteristics:
Subject line: none, or randomly chosen from -
Alert! W32.Anacon.B@mm Worm Has been detected!
Crack - Download Accerelator Plus 5.3.9
Do you happy?
Do you remember me?
Download WinZip 9.0 Beta
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Great News! Check it out now!
Just for Laught!
Oh, my girl!
Re: are you married?(1)
Run for your life!
The ScreenSaver: Wireless Keyboard
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
Tired to Search Anonymous SMTP Server?
Update: Microsoft Visual Studio .Net
VBCode: Prevent Your Application From Crack
Young and Dangerous 7
Your Password: jad8aadf08
Message text: Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon
Attached file: chosen from -
AGAINST.EXE
FORCE.EXE
HANGUP.EXE
HUNGRY.EXE
RUNTIME.EXE
SCAN.EXE
WARS.EXE
The attached file is an archive that contains ANACON.BAT, MSWINSCK.OCX and NACO.EXE, where NACO.EXE is a variant of the worm, usually packed with a different UPX version (so it may differ in size).
When executed, the worm extracts, runs and deletes ANACON.BAT. ANACON.BAT copies MSWINSCK.OCX to the C:\Progra~1 folder and registers it, executes an extracted unpacked copy of the worm, copies itself to the Windows System folder and extracts an unpacked copy called SysAna32.exe, Anacon.exe or Syspoly32.exe.
The worm sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Nocana" = <path to the attachment copy>
"AHU" = <path to the unpacked copy>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"InterceptedSystem" = <path to the unpacked copy>
HKCU\Software\mirabilis\ICQ\Agent\Apps\Cvjlkfbip
"Startup" = <path to the System folder>
"Enable" = "Yes"
"Parameters" = ""
"Path" = <path to the unpacked copy>
The last setting will allow the worm to launch itself on activation of the ICQ service.
To share the local C: drive on the network, the worm attempts to add a new HACKERz entry under each of the following keys:
HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Shares
HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
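As an added defender-side check (not part of the Sophos write-up), the following Python script parses a Regedit 'Export Registry File' dump, the backup the Action section tells you to make, and lists every W32/Anacon-B entry named in the Action section and in the registry description above. The sample export, its SID and its file paths are constructed, and the parser handles only string values and single-line hex values.

```python
import re
# W32/Anacon-B persistence entries from the write-up above: (key regex, value names); None = the key itself is the indicator.
ANACON_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", {"nocana", "ahu"}),
    (r"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", {"interceptedsystem"}),
    (r"HKEY_(USERS\\[^\\]+|CURRENT_USER)\\Software\\mirabilis\\ICQ\\Agent\\Apps\\Cvjlkfbip", None),
    (r"HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet00[12]|CurrentControlSet)\\Services\\lanmanserver\\Shares", {"hackerz"}),
]

def parse_reg_export(text):
    """Parse a Regedit 'Export Registry File' dump into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):       # [HKEY_...] opens a key
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)):
            name, data = (m.group(1) if m.group(1) is not None else "@"), m.group(2)
            if data.startswith('"') and data.endswith('"'):   # REG_SZ: unquote and unescape
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
        # blank lines, ';' comments, the header and hex(...) continuation lines fall through
    return keys

def find_anacon_entries(keys):
    """Return (key, value_name, data) triples matching the worm's persistence set."""
    hits = []
    for key, values in keys.items():
        for pattern, names in ANACON_INDICATORS:
            if not re.fullmatch(pattern, key, re.IGNORECASE):
                continue
            if names is None:            # the worm's own ICQ Agent\Apps\Cvjlkfbip key
                hits.append((key, None, None))
            else:
                hits.extend((key, n, d) for n, d in values.items() if n.lower() in names)
    return hits

# Constructed sample export (not a real capture); Regedit 5.x writes real ones in UTF-16LE.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Nocana"="C:\\WINDOWS\\SYSTEM\\AGAINST.EXE"
"AHU"="C:\\WINDOWS\\SYSTEM\\SysAna32.exe"
"SomeLegitApp"="C:\\Program Files\\Legit\\legit.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="C:\\WINDOWS\\SYSTEM\\SysAna32.exe"
[HKEY_USERS\S-1-5-21-1111111111-222222222-3333333333-1001\Software\mirabilis\ICQ\Agent\Apps\Cvjlkfbip]
"Path"="C:\\WINDOWS\\SYSTEM\\SysAna32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"HACKERz"=hex(7):50,00,61,00,74,00,68,00,3d,00,43,00,3a,00,5c,00,00,00,00,00"""
```

Run `find_anacon_entries(parse_reg_export(open(path, encoding="utf-16").read()))` on a real export; every hit is an entry the Action section says to delete.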
To spread via P2P networks the worm attempts to copy itself into the download folders of popular filesharing programs:
\KMD\My Shared Folder\
\Kazaa\My Shared Folder\
\KaZaA Lite\My Shared Folder\
\Morpheus\My Shared Folder\
\Grokster\My Grokster\
\BearShare\Shared\
\Edonkey2000\Incoming\
\limewire\Shared\
with one of the following filenames:
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
DOOM III Demo.exe
EAGames.exe
gangXcop.exe
InternationalDictionary.exe
jdbgmgr.exe
Jonny English (JE).avi.exe
JugdeDread.exe
Microsoft Visual Studio.exe
MSVisual C++.exe
QuickInstaller.exe
SEX_HOTorCOOL.exe
The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Upgrade you HandPhone.exe
VISE.exe
winamp3.exe
WindowsXP PowerToys.exe
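As an added example (not from the Sophos write-up), this Python sweep walks a directory tree, finds the P2P share folders listed above and flags files in them that carry one of the worm's drop names or a decoy double extension such as .jpg.exe. The set of decoy extensions and the sample tree are constructed assumptions; note that jdbgmgr.exe is only flagged inside a share folder, since the same name exists legitimately elsewhere.

```python
import os
import re
import tempfile

# Share folders and drop names W32/Anacon-B uses, from the write-up above (matched case-insensitively).
P2P_SHARE_FOLDERS = [
    r"KMD\My Shared Folder", r"Kazaa\My Shared Folder", r"KaZaA Lite\My Shared Folder",
    r"Morpheus\My Shared Folder", r"Grokster\My Grokster", r"BearShare\Shared",
    r"Edonkey2000\Incoming", r"limewire\Shared",
]
ANACON_DROP_NAMES = {n.lower() for n in [
    "About SARS Solution.doc.exe", "Dont eat pork. SARS in there.jpg.exe", "DOOM III Demo.exe",
    "EAGames.exe", "gangXcop.exe", "InternationalDictionary.exe", "jdbgmgr.exe",
    "Jonny English (JE).avi.exe", "JugdeDread.exe", "Microsoft Visual Studio.exe",
    "MSVisual C++.exe", "QuickInstaller.exe", "SEX_HOTorCOOL.exe", "The Matrix Evolution.mpg.exe",
    "The Matrix Reloaded Preview.jpg.exe", "Upgrade you HandPhone.exe", "VISE.exe", "winamp3.exe",
    "WindowsXP PowerToys.exe",
]}
# Constructed heuristic: a decoy document/media extension followed by .exe, e.g. "x.jpg.exe".
DOUBLE_EXT = re.compile(r"\.(doc|jpg|jpeg|gif|avi|mpg|mpeg|mp3|zip|txt)\.exe$", re.IGNORECASE)

def is_share_folder(path):
    """True if path ends with one of the P2P share folders, whatever drive or root sits above it."""
    norm = path.replace("/", "\\").lower()
    return any(norm.endswith("\\" + f.lower()) for f in P2P_SHARE_FOLDERS)

def sweep_p2p_shares(root):
    """Walk root; return sorted (path, reason) for suspicious files inside share folders only."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if not is_share_folder(dirpath):
            continue
        for f in files:
            if f.lower() in ANACON_DROP_NAMES:
                findings.append((os.path.join(dirpath, f), "known W32/Anacon-B drop name"))
            elif DOUBLE_EXT.search(f):
                findings.append((os.path.join(dirpath, f), "double extension"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree (not a real capture): two planted hits, one benign mp3, one jdbgmgr.exe outside any share."""
    root = tempfile.mkdtemp()
    for rel in [r"Kazaa\My Shared Folder\jdbgmgr.exe", r"BearShare\Shared\holiday.jpg.exe",
                r"BearShare\Shared\song.mp3", r"Downloads\jdbgmgr.exe"]:
        p = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "wb").close()
    return root
```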
The worm terminates a number of AV applications:
_Avp32.exe
_Avpcc.exe
_Avpm.exe
Ackwin32.exe
Anti-Trojan.exe
Apvxdwin.exe
Autodown.exe
Avconsol.exe
Ave32.exe
Avgctrl.exe
Avkserv.exe
Avnt.exe
Avp.exe
Avp32.exe
Avpcc.exe
Avpdos32.exe
Avpm.exe
Avptc32.exe
Avpupd.exe
Avsched32.exe
Avwin95.exe
Avwupd32.exe
Blackd.exe
Blackice.exe
Cfiadmin.exe
Cfiaudit.exe
Cfinet.exe
Cfinet32.exe
Claw95.exe
Claw95cf.exe
Cleaner.exe
Cleaner3.exe
Dvp95.exe
Dvp95_0.exe
Ecengine.exe
Esafe.exe
Espwatch.exe
f-Agnt95.exe
Findviru.exe
Fprot.exe
f-Prot.exe
f-Prot95.exe
Fp-Win.exe
Frw.exe
f-Stopw.exe
Iamapp.exe
Iamserv.exe
Ibmasn.exe
Ibmavsp.exe
Icload95.exe
Icloadnt.exe
Icmon.exe
Icsupp95.exe
Icsuppnt.exe
Iface.exe
Iomon98.exe
Jedi.exe
Lockdown2000.exe
Lookout.exe
Luall.exe
Moolive.exe
Mpftray.exe
N32scanw.exe
Navapw32.exe
Navlu32.exe
Navnt.exe
Navw32.exe
Navwnt.exe
Nisum.exe
Nmain.exe
Normist.exe
Nupgrade.exe
Nvc95.exe
Outpost.exe
Padmin.exe
Pavcl.exe
Pavsched.exe
Pavw.exe
Pccwin98.exe
Pcfwallicon.exe
Persfw.exe
Rav7.exe
Rav7win.exe
Regedit.exe
Rescue.exe
Safeweb.exe
Scan32.exe
Scan95.exe
Scanpm.exe
Scrscan.exe
Serv95.exe
Smc.exe
Sphinx.exe
Sweep95.exe
Tbscan.exe
Tca.exe
Tds2-98.exe
Tds2-Nt.exe
Vet95.exe
Vettray.exe
Vscan40.exe
Vsecomr.exe
Vshwin32.exe
Vsstat.exe
Webscanx.exe
Wfindv32.exe
Zonealarm.exe
As a backdoor, the worm initiates a port connection that provides unauthorized access to the infected computer, allowing an intruder to manipulate the CD tray, CD-ROM and clipboard, play media, drop a keylogger and update the worm from
http://vx.netlux.org/~melhacker/anaconII.exe or \bgII.exe.
The worm sends an email to <chatza@phreaker.net> containing confidential information in the following fields:
EXE Backdoor Name:
Operating System:
Internet Explorer Version:
Windows Directories:
System Directories:
Sound Card:
Current Screen Resolution:
Current Time:
IP Address:
Current Port Number:
UserName:
ComputerName:
Cached Password: (For Win9x/Me Only)
Host:
Drive(s):
Type of Drives:
ICQ UINs:
