[email protected]

Aliases: W32/[email protected], W32/Anacon-A, Win32/[email protected], WORM_NACO.A, Worm/Naco.D.2 
Variants: Email-Worm.Win32.Nocana.a, I-Worm.Nocana.a, Win32.HLLM.Generic.201

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 19 May 2003
Damage: Medium

Characteristics: This mass mailing worm is packed using the UPX runtime compression utility. Aside from being a mass mailing worm, the [email protected] worm also has the capability to execute as backdoor Trojan. It can swap HTML files on IIS (Internet Information Server) servers of Microsoft as well. This worm however contains plenty of bugs and may not function as its author planned.

More details about [email protected]

When the [email protected] is launched in the compromised machine, it will try to create a copy of itself as an .exe file. The worm will also create several registry keys that will cause it to run every time that Windows starts. It will likewise add some keys so that the drive C:\ may be shared. In addition it will also alter the shares’ security keys to enable sharing and access to them. All the added registry keys will be added by the worm by making a TEMP file in the .reg file extension and then launching a command. Afterwards, the .reg file is deleted. The malware then tries to end processes belonging to security applications. The worm will check all active processes against its predetermined list and in the even that it matches a filename on the worm’s list, it will be ended. The worm will likewise try to delete the file responsible for the terminated process.

The [email protected] worm will then email all the addresses it has found the address book of Outlook. The infected email will have random subjects and messages and their attachments will contain the worm’s code. This security threat will also create copies of code in the folder whatever peer to peer application is installed in the affected computer. In the event that the worm detects an installation of the Microsoft IIS, it will try to create a batch file. This malware also has functionality to retrieve a specific file from a predetermined site and to communicate with its remote author via ICQ.