W32/Anacon-C

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 03 Jun 2003 00:00:00 (GMT)
Last Updated: 03 Jun 2003 00:00:00 (GMT)
Prevalence: No Reports


W32/Anacon-C is an internet worm with a backdoor component that attempts to spread via email, network shares and popular P2P networks.

The email that carries the worm as the attached file anacon.exe has the following characteristics:

Subject line: absent, or randomly chosen from the following list:

"Out of my heart?"
"Nelly Furtado!"
"New! Dragon Ball Fx"
"TIPs: HOW TO DEFACE A WEBSERVER?"
"What New in The ScreenSaver!"
"FoxNews Reporter: There are no Solution for SARS?"
"Get Your Free XXX Password!"
"Gotcha baby!"
"Crack for Nokia LogoManager 1.3"
"Help me plz?"
"GetShortPathNameA"
"[PGDN]"
"TechTV: New Anti Virus Software"
"News: US Goverment try to make wars with Tehran."
"Re: are you married?(3)"
"Seagate Baracuda 80GB for $???"
"Small And Destrucive!"
"Alert! New Variant Anacon.D has been detected!"
"command /k "
"Free SMS Via NACO SMS!"
"Patch for Microsoft Windows XP 64bit"
"Your FTP Password: iuahdf7d8hf"
"Get Free SMTP Server at Click Here!"

Message text: randomly chosen from the following:

"Hello dear, I'm gonna missed you babe, hope we can see again! In Love, Rekcahlem ~<>~ Anacon"

"Attention! Please do not eat pork! The SARS virus may come from the pig. So becareful. For more information check the attachment. Regard, WTO"

" (blank) You may not see the message because the message has been convert to the attachment. Please open an attachment to see the message."

"Hi babe, Still missing me! I have send to you a special gift I made it my own. Just for you. Check it out the attachment. Your Love, Rekcahlem"

"Great to see you again babe! This is file you want las week. Please don't distribute it to other. Regard, V.C."

To spread via P2P networks, W32/Anacon-C attempts to copy itself into the download folders of popular file-sharing programs under one of the following filenames:

The Lost Jungle.mpg.exe
The Matrix Reloaded Trailer.jpg.exe
Replacement Killer 2.avi.exe
Trailer DOOM III.exe
WinZip9Beta.exe
WhatIsGoingOn.exe
NokiaPolyPhonic.exe
TNT.exe
Dont Eat Pork SARS in there.exe
About SARS Solution.doc.exe
TIPS HOW TO CRACK SYMANTEC SERVER.txt.exe
VISE MINDVISION.exe
Uninstal.exe
WindowsSecurity Patch.exe
Hide Your Mount.exe
Patch - jdbgmgr.exe
NEW POWERTOY FOR WINXP.exe
Generate a Random PAssword.exe
OfficeXP.exe
Ripley Believe It Or Not.exe
Anacon The Great.exe
New Variant.exe
SMTP OCX.exe
DialUp.pif
Lost YourPassword.txt.exe
Hack In 5 Minute.exe
Get Lost.exe
Oh Yeah Babe.exe
Sucker.exe
MSWINSCK.OCX.EXE
Downloader.exe
HeavyMetal.mp3.exe
JackAndGinnie.exe
RosalindaAyamor fxanacon.com
GetMorePower.exe
Hacker HandBook.exe
Dincracker eZine.exe
La Intrusa.exe
Porta.exe

W32/Anacon-C has a backdoor component that gives a malicious user remote access to the computer while the worm is active. It also allows the malicious user to steal passwords.

W32/Anacon-C attempts to send a notification email containing system information to a remote address. It also terminates various anti-virus and security-related processes and deletes all files from the corresponding program folders.

In order to be executed automatically when Windows starts up, W32/Anacon-C copies itself to the file <Windows system>\anacon32.exe and creates the following registry entries pointing to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALM
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Services
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Under20

The worm also sets or modifies the following ICQ registry entries:

HKCU\Software\Mirabilis\ICQ\Agent\Apps\Administrator\Enable
HKCU\Software\Mirabilis\ICQ\Agent\Apps\Administrator\Parameters
HKCU\Software\Mirabilis\ICQ\Agent\Apps\Administrator\Path
HKCU\Software\Mirabilis\ICQ\Agent\Apps\Administrator\Startup

On the first day of every month and on every subsequent day which is a multiple of 4, W32/Anacon-C displays a message box with the title "Anacon III" and the text "I miss you babe ..." and attempts to download a file from a remote web address and save it into the startup folder so that it is executed automatically when Windows starts up.

W32/Anacon-C also attempts to modify the registry settings of an existing Mirabilis ICQ installation and replace the file index.htm, index.html or index.asp in the folder \inetpub\wwwroot.

W32/Anacon-C may also try to create the registry entry

HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Shares\Hackerz
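As an added illustration of how the persistence entries, the disguised P2P filenames and the date-based trigger described above can be checked on a host, the following Python (example code written for this page, not a Sophos tool) runs over a constructed registry snapshot and folder listing; the helper names and sample data are assumptions.

```python
"""Host check for the W32/Anacon-C indicators listed on this page.
Runs over a constructed snapshot of autorun registry values and a
folder listing rather than a live host."""
import re
from datetime import date

# Autorun values the description reports; each points at <Windows system>\anacon32.exe.
ANACON_AUTORUN_VALUES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALM",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Services",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Under20",
}
PERSISTENCE_FILE = "anacon32.exe"
# Inner extensions the worm uses to disguise .exe/.pif droppings in P2P folders.
DECOY_EXTENSIONS = {"mpg", "jpg", "avi", "doc", "txt", "mp3"}
DOUBLE_EXT = re.compile(r"\.(\w{2,4})\.(exe|pif)$", re.IGNORECASE)

def autorun_hits(registry_values):
    """Return autorun value paths that are the worm's known names or whose
    data launches anacon32.exe. registry_values maps 'HIVE\\Key\\ValueName'
    to the value's data (string)."""
    return sorted(path for path, data in registry_values.items()
                  if path in ANACON_AUTORUN_VALUES
                  or PERSISTENCE_FILE in data.lower())

def deceptive_double_extension(filename):
    """True for names such as 'The Lost Jungle.mpg.exe' that hide an
    executable behind a media or document extension."""
    m = DOUBLE_EXT.search(filename)
    return bool(m) and m.group(1).lower() in DECOY_EXTENSIONS

def is_trigger_day(d):
    """Days on which the message box and download routine fire:
    the first of the month and any day that is a multiple of 4."""
    return d.day == 1 or d.day % 4 == 0

# Constructed sample snapshot (not captured from a real host).
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALM": r"C:\WINDOWS\System32\anacon32.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Under20": r"C:\WINDOWS\System32\anacon32.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
}
SAMPLE_SHARED_FOLDER = ["The Lost Jungle.mpg.exe", "WinZip9Beta.exe", "holiday.jpg", "DialUp.pif"]

def scan(registry_values=SAMPLE_REGISTRY, listing=SAMPLE_SHARED_FOLDER):
    """Combine both checks into one report for the given snapshot."""
    return {"autorun": autorun_hits(registry_values),
            "decoys": [f for f in listing if deceptive_double_extension(f)]}

if __name__ == "__main__":
    print(scan())
```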