Description
Win32.HLLM.Anacon is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP.
The worm is written in the high-level language Microsoft Visual Basic and is packed with the UPX compression utility. The packed executable module is 86,016 bytes; unpacked it is 137,651 bytes.
To propagate, the worm uses e-mail (with addresses harvested from the Microsoft Outlook contact list and from ICQ) and the file-sharing networks BearShare, Grokster, Edonkey2000, KaZaA, KaZaA Lite, LimeWire and Morpheus.
The worm has backdoor capabilities and gives an attacker access to the compromised system.
It terminates certain anti-virus and security-related programs running on the infected computer.
It consumes considerable system resources and substantially degrades system performance.
Launching
To ensure its automatic execution at every Windows startup, the worm sets the following registry values (%SysDir% is the Windows system folder; the description does not name the key under which the values are created):
Nocana = "%SysDir%\WARS.EXE"
AHU = "%SysDir%\SYSPOLY32.EXE"
InterceptedSystem = "%SysDir%\SYSPOLY32.EXE"
PowerManagement = "%SysDir%\SYSPOLY32.EXE"
Spreading
The mail message carrying Win32.HLLM.Anacon looks as follows:
The subject is either empty or chosen from the list inside the worm's body:
What New in TechTV!
Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?[1]
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?
Message body:
Hello dear, I'm gonna missed you babe, hope we can see again! In Love, Rekcahlem ~<>~ Anacon
The attachment name is chosen from the following list:
ANACON.EXE
BUILD.EXE
FORCE.EXE
SCAN.EXE
RUNTIME.EXE
HANGUP.EXE
HUNGRY.EXE
THING.EXE
AGAINST.EXE
WARS.EXE
In order to propagate across file-sharing networks, the worm looks for the following directories:
%ProgramFiles%\KMD\My Shared Folder\
%ProgramFiles%\Kazaa\My Shared Folder\
%ProgramFiles%\KaZaA Lite\My Shared Folder\
%ProgramFiles%\Morpheus\My Shared Folder\
%ProgramFiles%\Grokster\My Grokster\
%ProgramFiles%\BearShare\Shared\
%ProgramFiles%\Edonkey2000\Incoming\
%ProgramFiles%\limewire\Shared\
It drops multiple copies of itself into these folders under the following file names (note the double extensions, which hide the executable behind a media or document name):
The Matrix Evolution.mpg.EXE
The Matrix Reloaded Preview.jpg.EXE
Jonny English (JE).avi.EXE
DOOM III Demo.EXE
winamp3.EXE
JugdeDread.EXE
Microsoft Visual Studio.EXE
gangXcop.EXE
Upgrade you HandPhone.EXE
About SARS Solution.doc.EXE
Dont eat pork. SARS in there.jpg.EXE
VISE.EXE
MSVisual C++.EXE
QuickInstaller.EXE
Q111023.EXE
jdbgmgr.EXE
WindowsXP PowerToys.EXE
InternationalDictionary.EXE
EAGames.EXE
SEX_HOTorCOOL.EXE
Action
When executed, the worm drops a copy of itself into the Windows\System folder (C:\Windows\System on Windows 9x/Me, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP) under the same name the attachment of the infected message had.
Once resident, the worm opens a random port and waits for instructions from a remote user. This compromises the system and allows an attacker to perform actions the legitimate user never authorized. The worm collects information about the system (IP address, user and computer names, cached addresses, browser version, operating system type, the number of the port it opened, screen resolution and current system time) and sends it to chatza@phreaker.net, presumably its author. Through the open port a remote intruder can update the worm's components and read or delete files on the infected computer.
The worm terminates the following anti-virus and security-related programs if they are running on the infected computer. The list also includes Regedit.exe, which hinders manual removal of the autorun entries:
Zonealarm.exe Wfindv32.exe Webscanx.exe Vsstat.exe Vshwin32.exe Vsecomr.exe Vscan40.exe Vettray.exe Vet95.exe Tds2-Nt.exe Tds2-98.exe Tca.exe Tbscan.exe Sweep95.exe Sphinx.exe Smc.exe Serv95.exe Scrscan.exe Scanpm.exe Scan95.exe Scan32.exe Safeweb.exe Regedit.exe Rescue.exe Rav7win.exe Rav7.exe Persfw.exe Pcfwallicon.exe Pccwin98.exe Pavw.exe Pavsched.exe Pavcl.exe Padmin.exe Outpost.exe Nvc95.exe Nupgrade.exe Normist.exe Nmain.exe Nisum.exe Navwnt.exe Navw32.exe Navnt.exe Navlu32.exe Navapw32.exe N32scanw.exe Mpftray.exe Moolive.exe Luall.exe Lookout.exe Lockdown2000.exe Jedi.exe Iomon98.exe Iface.exe Icsuppnt.exe Icsupp95.exe Icmon.exe Icloadnt.exe Icload95.exe Ibmavsp.exe Ibmasn.exe Iamserv.exe Iamapp.exe Frw.exe Fprot.exe Fp-Win.exe Findviru.exe f-Stopw.exe f-Prot95.exe f-Prot.exe f-Agnt95.exe Espwatch.exe Esafe.exe Ecengine.exe Dvp95_0.exe Dvp95.exe Cleaner3.exe Cleaner.exe Claw95cf.exe Claw95.exe Cfinet32.exe Cfinet.exe Cfiaudit.exe Cfiadmin.exe Blackice.exe Blackd.exe Avwupd32.exe Avwin95.exe Avsched32.exe Avpupd.exe Avptc32.exe Avpm.exe Avpdos32.exe Avpcc.exe Avp32.exe Avp.exe Avnt.exe Avkserv.exe Avgctrl.exe Ave32.exe Avconsol.exe Autodown.exe Apvxdwin.exe Anti-Trojan.exe Ackwin32.exe _Avpm.exe _Avpcc.exe _Avp32.exe
The worm's body contains the following strings:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON
MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker,
PakBrain, Foot-Art and AQTE Anacon G0t ya! By Melhacker
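As an added example that is not part of the original description, the following Python script checks artefacts exported from a host against the indicators listed above: the autorun value names and target images from the Launching section, the dropped-copy names from the Spreading and Action sections, and the file-sharing lure names. It works offline on a .reg export and a file listing, both constructed inline here; the autorun key path in the sample export is an assumption (the description gives only the value names), and the double-extension rule is a generalisation drawn from the lure list rather than something the description states.

```python
import ntpath
import re

# Autorun value names and the image each points to (Launching section).
RUN_VALUES = {"Nocana": "WARS.EXE", "AHU": "SYSPOLY32.EXE",
              "InterceptedSystem": "SYSPOLY32.EXE", "PowerManagement": "SYSPOLY32.EXE"}

# %SysDir% expansions named in the Action section (lower-case, no trailing slash).
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}

# Names the attachment, and so the dropped copy, may carry, plus the
# SYSPOLY32.EXE image referenced by the autorun values.
DROPPED_NAMES = {
    "ANACON.EXE", "BUILD.EXE", "FORCE.EXE", "SCAN.EXE", "RUNTIME.EXE",
    "HANGUP.EXE", "HUNGRY.EXE", "THING.EXE", "AGAINST.EXE", "WARS.EXE",
    "SYSPOLY32.EXE",
}

# Copies planted in file-sharing folders (compared case-insensitively).
P2P_LURES = {name.upper() for name in [
    "The Matrix Evolution.mpg.EXE", "The Matrix Reloaded Preview.jpg.EXE",
    "Jonny English (JE).avi.EXE", "DOOM III Demo.EXE", "winamp3.EXE",
    "JugdeDread.EXE", "Microsoft Visual Studio.EXE", "gangXcop.EXE",
    "Upgrade you HandPhone.EXE", "About SARS Solution.doc.EXE",
    "Dont eat pork. SARS in there.jpg.EXE", "VISE.EXE", "MSVisual C++.EXE",
    "QuickInstaller.EXE", "Q111023.EXE", "jdbgmgr.EXE",
    "WindowsXP PowerToys.EXE", "InternationalDictionary.EXE", "EAGames.EXE",
    "SEX_HOTorCOOL.EXE",
]}

# Generalisation drawn from the lure list: a media or document extension
# followed by .EXE.  Catches renamed copies the fixed list would miss.
DOUBLE_EXT = re.compile(r"\.(mpg|jpg|avi|doc)\.exe$", re.IGNORECASE)

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {value name: data} for the string values in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            # .reg files double every backslash inside string data.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def _split(path):
    """Split a Windows path into (lower-case directory, upper-case file name)."""
    head, tail = ntpath.split(path.strip().strip('"'))
    return head.lower().rstrip("\\"), tail.upper()


def check_run_values(values):
    """Names of autorun values whose name and target image both match the worm."""
    hits = []
    for name, image in RUN_VALUES.items():
        if name in values and _split(values[name])[1] == image:
            hits.append(name)
    return hits


def check_file_listing(paths):
    """Return (path, reason) for every listed file that matches an indicator."""
    hits = []
    for path in paths:
        directory, filename = _split(path)
        if filename in DROPPED_NAMES and (directory in SYSTEM_DIRS or directory == "%sysdir%"):
            hits.append((path, "dropped copy in system folder"))
        elif filename in P2P_LURES:
            hits.append((path, "known file-sharing lure"))
        elif DOUBLE_EXT.search(filename):
            hits.append((path, "double-extension executable"))
    return hits


# Constructed sample data.  The key path is an assumption: the description
# gives the autorun value names but not the key they live under.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\upd.exe"
"Nocana"="C:\\WINNT\\System32\\WARS.EXE"
"PowerManagement"="%SysDir%\\SYSPOLY32.EXE"
"AHU"="C:\\Temp\\SYSPOLY32.EXE"
'''

SAMPLE_LISTING = [
    r"C:\WINNT\System32\WARS.EXE",
    r"C:\WINNT\System32\SYSPOLY32.EXE",
    r"C:\Program Files\Kazaa\My Shared Folder\The Matrix Reloaded Preview.jpg.EXE",
    r"C:\Program Files\limewire\Shared\Holiday Photos.jpg.EXE",  # constructed, not on the list
    r"C:\Program Files\Winamp\winamp.exe",  # benign
    r"C:\Windows\System32\notepad.exe",  # benign
]

if __name__ == "__main__":
    print("autorun:", check_run_values(parse_reg_export(SAMPLE_REG)))
    for path, reason in check_file_listing(SAMPLE_LISTING):
        print(f"{reason}: {path}")
```

The autorun check deliberately matches on value name plus image file name and ignores the directory, so a sample that points AHU at C:\Temp is still reported; the file check, by contrast, only treats a known name as a dropped copy when it sits in one of the system folders the description names, and relies on the lure list and the double-extension rule for everything else.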