1. Symantec/
  2. Security Response/
  3. W32.Naco.D@mm


Risk Level 2: Low

June 12, 2003
February 13, 2007 12:02:35 PM
Also Known As:
W32/Anacon-D [Sophos], I-Worm.Nocana.f [KAV], W32/Naco.f@MM [McAfee], W32/Naco.F@mm [Frisk], PE_NACO.F [Trend], Win32.Naco.E [CA]
Systems Affected:
Microsoft IIS, Windows

W32.Naco.D@mm is a variant of W32.Naco@mm. W32.Naco.D@mm is a mass-mailing worm that attempts to spread itself by email and file-sharing networks. The worm also contains a Backdoor functionality and attempts to replace HTML files on the Microsoft IIS server.

This variant, unlike previous variants, can also infect files. The code for W32.Naco.D@mm is buggy, and therefore, may infect the same files multiple times.

W32.Naco.D@mm is written in the Microsoft Visual Basic (VB) programming language and has been compiled to P-Code. Thus, The VB run-time libraries are required to execute W32.Naco.D@mm.

The worm has been packed and obfuscated using a known run-time compression utility, which appears to be an attempt to make it more difficult to analyze the threat.

When W32.Naco.D@mm is executed, it will attempt to display two messages with the titles:
  • Anacon 6 WOrm
  • Anacon 6

Antivirus Protection Dates

  • Initial Rapid Release version June 12, 2003
  • Latest Rapid Release version March 3, 2008 revision 035
  • Initial Daily Certified version June 12, 2003
  • Latest Daily Certified version March 3, 2008 revision 037
  • Initial Weekly Certified release date June 18, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Neal Hindocha

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube