Technorati
Digg
Delicious
Reddit
StumbleUpon
Facebook
Yahoo
Twitter
Faves
Newsvine
- Discovered:
- June 12, 2003
- Updated:
- February 13, 2007 12:02:35 PM
- Also Known As:
- W32/Anacon-D [Sophos], I-Worm.Nocana.f [KAV], W32/Naco.f@MM [McAfee], W32/Naco.F@mm [Frisk], PE_NACO.F [Trend], Win32.Naco.E [CA]
- Type:
- Worm
- Systems Affected:
- Microsoft IIS, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Naco.D@mm is a variant of W32.Naco@mm. W32.Naco.D@mm is a mass-mailing worm that attempts to spread itself by email and file-sharing networks. The worm also contains a Backdoor functionality and attempts to replace HTML files on the Microsoft IIS server.
This variant, unlike previous variants, can also infect files. The code for W32.Naco.D@mm is buggy, and therefore, may infect the same files multiple times.
W32.Naco.D@mm is written in the Microsoft Visual Basic (VB) programming language and has been compiled to P-Code. Thus, The VB run-time libraries are required to execute W32.Naco.D@mm.
The worm has been packed and obfuscated using a known run-time compression utility, which appears to be an attempt to make it more difficult to analyze the threat.
When W32.Naco.D@mm is executed, it will attempt to display two messages with the titles:
- Anacon 6 WOrm
- Anacon 6
Antivirus Protection Dates
- Initial Rapid Release version June 12, 2003
- Latest Rapid Release version March 3, 2008 revision 035
- Initial Daily Certified version June 12, 2003
- Latest Daily Certified version March 3, 2008 revision 037
- Initial Weekly Certified release date June 18, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Moderate
Damage
- Damage Level: High
Distribution
- Distribution Level: High
Writeup By: Neal Hindocha
