
Win32.HLLM.Anacon

(W32/Naco.b@MM, Email-Worm.Win32.Nocana.d, W32.Naco.B@mm, Bat/Naco.C1!Worm, W32/Naco.c@MM, WORM_NACO.E, System error, WORM_NACO.C, W32.Naco.C@mm, Win32/Naco!Worm, I-Worm/Naco, Email-Worm.Win32.Nocana.b, W32/Naco.bat, BAT_NACO.B, W32/Naco.e@MM, Win32.Nocana.B@mm, Parser error, Bat/Naco!Worm, Win32/Naco.C1!Dropper, WORM_NACO.B, Win32/Nocana.C!Worm, BAT/Naco, Email-Worm.Win32.Nocana.c)

Added to the Dr.Web virus database: 2003-05-26

Virus description added:

Description

Win32.HLLM.Anacon is a mass-mailing worm that affects computers running the Windows 95/98/Me/NT/2000/XP operating systems.

The worm is written in the high-level programming language Microsoft Visual Basic and is packed with the UPX compression utility. The packed size of the worm's executable module is 86,016 bytes; unpacked, it is 137,651 bytes.

To propagate, the worm uses e-mail (sending itself to addresses found in the Microsoft Outlook contact list), ICQ, and the file-sharing networks BearShare, Grokster, Edonkey2000, KaZaA, KaZaA Lite, LimeWire, and Morpheus.

The worm has backdoor capabilities and gives an attacker access to the compromised system.

The worm terminates certain anti-virus and security-related programs running on the infected computer.

It consumes considerable system resources and substantially degrades system performance.

Launching

To ensure that it runs automatically at every Windows startup, the worm modifies the following registry entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Nocana = "%SysDir%\WARS.EXE"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    AHU = "%SysDir%\SYSPOLY32.EXE"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    InterceptedSystem = "%SysDir%\SYSPOLY32.EXE"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    PowerManagement = "%SysDir%\SYSPOLY32.EXE"
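As an added defensive example (not part of the Dr.Web description), the following Python parses a regedit text export of the autorun keys listed above and flags entries that use the worm's value names or launch WARS.EXE / SYSPOLY32.EXE. The sample export is constructed, and its expanded C:\WINDOWS\SYSTEM32 paths stand in for the description's %SysDir% placeholder.

```python
import re

# Indicators from the Launching section above: the worm's autorun value names
# and the two executables they point at.
ANACON_VALUE_NAMES = {"Nocana", "AHU", "InterceptedSystem", "PowerManagement"}
ANACON_BINARIES = {"WARS.EXE", "SYSPOLY32.EXE"}
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
)}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines only: "name"="data"

def parse_reg_export(text):
    """Parse a regedit text export (regedit /e) into {key: {value_name: data}}.
    dword:/hex: values are skipped; the .reg escaping of backslashes is undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := _SZ_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_anacon_autoruns(reg_text):
    """Return (key, value_name, data) for autorun entries that match the worm."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            binary = data.strip('"').rsplit("\\", 1)[-1].upper()
            if name in ANACON_VALUE_NAMES or binary in ANACON_BINARIES:
                hits.append((key, name, data))
    return hits

# Constructed sample export (not a real capture): worm entries in two of the
# keys plus one benign Windows entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Nocana"="C:\\WINDOWS\\SYSTEM32\\WARS.EXE"
"AHU"="C:\\WINDOWS\\SYSTEM32\\SYSPOLY32.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"InterceptedSystem"="C:\\WINDOWS\\SYSTEM32\\SYSPOLY32.EXE"
'''
```

Running `find_anacon_autoruns(SAMPLE_REG)` returns the three worm entries and leaves the benign ctfmon.exe entry unflagged.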

Spreading

The mail message infected with Win32.HLLM.Anacon looks as follows:

The subject is either empty or chosen from the following list stored in the worm's body:


 What New in TechTV!
 Do you happy?
 Great News! Check it out now!
 Just for Laught!
 TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
 FoxNews Reporter: Hello! SARS Issue!
 Get Free XXX Web Porn!
 Oh, my girl!
 Crack - Download Accerelator Plus 5.3.9
 Do you remember me?
 The ScreenSaver: Wireless Keyboard
 VBCode: Prevent Your Application From Crack
 Re: are you married?[1]
 Download WinZip 9.0 Beta
 Young and Dangerous 7
 Alert! W32.Anacon.B@mm Worm has been detected!
 Run for your life!
 Update: Microsoft Visual Studio .Net
 Your Password: jad8aadf08
 Tired to Search Anonymous SMTP Server?
 
Message body:
 Hello dear,
 
 I'm gonna missed you babe, hope we can see again!
 
 In Love,
 Rekcahlem ~<>~ Anacon
 
The attachment name is chosen from the following list:
 ANACON.EXE 
 BUILD.EXE 
 FORCE.EXE 
 SCAN.EXE 
 RUNTIME.EXE 
 HANGUP.EXE 
 HUNGRY.EXE 
 THING.EXE 
 AGAINST.EXE 
 WARS.EXE
 

In order to propagate across file-sharing networks, the worm looks for the following directories:

  %ProgramFiles%\KMD\My Shared Folder\
  %ProgramFiles%\Kazaa\My Shared Folder\
  %ProgramFiles%\KaZaA Lite\My Shared Folder\
  %ProgramFiles%\Morpheus\My Shared Folder\
  %ProgramFiles%\Grokster\My Grokster\
  %ProgramFiles%\BearShare\Shared\
  %ProgramFiles%\Edonkey2000\Incoming\
  %ProgramFiles%\limewire\Shared\
 
and drops multiple copies of itself into them under the following file names:
 
 The Matrix Evolution.mpg.EXE 
 The Matrix Reloaded Preview.jpg.EXE 
 Jonny English (JE).avi.EXE 
 DOOM III Demo.EXE 
 winamp3.EXE 
 JugdeDread.EXE 
 Microsoft Visual Studio.EXE 
 gangXcop.EXE 
 Upgrade you HandPhone.EXE 
 About SARS Solution.doc.EXE 
 Dont eat pork. SARS in there.jpg.EXE 
 VISE.EXE 
 MSVisual C++.EXE 
 QuickInstaller.EXE 
 Q111023.EXE 
 jdbgmgr.EXE 
 WindowsXP PowerToys.EXE 
 InternationalDictionary.EXE 
 EAGames.EXE 
 SEX_HOTorCOOL.EXE 
 
 

Action

When executed, the worm drops a copy of itself into the Windows\System folder (C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP) under the same name as the attachment of the infected message.

Once resident, the worm opens a random port and waits for instructions from a remote user. This compromises the system and lets an attacker perform actions not authorized by the legitimate user. The worm collects information about the system (IP address, user and computer names, cached addresses, browser version, operating system type, the open port number, screen resolution, and current system time) and sends it to chatza@phreaker.net, presumably to its author. Through the open port a remote intruder can update the worm's components and read or delete files.

The worm terminates the following anti-virus and security-related programs if they are running on the infected computer:

 Zonealarm.exe 
 Wfindv32.exe 
 Webscanx.exe 
 Vsstat.exe 
 Vshwin32.exe 
 Vsecomr.exe 
 Vscan40.exe 
 Vettray.exe 
 Vet95.exe 
 Tds2-Nt.exe 
 Tds2-98.exe 
 Tca.exe 
 Tbscan.exe 
 Sweep95.exe 
 Sphinx.exe 
 Smc.exe 
 Serv95.exe 
 Scrscan.exe 
 Scanpm.exe 
 Scan95.exe 
 Scan32.exe 
 Safeweb.exe 
 Regedit.exe 
 Rescue.exe 
 Rav7win.exe 
 Rav7.exe 
 Persfw.exe 
 Pcfwallicon.exe 
 Pccwin98.exe 
 Pavw.exe 
 Pavsched.exe 
 Pavcl.exe 
 Padmin.exe 
 Outpost.exe 
 Nvc95.exe 
 Nupgrade.exe 
 Normist.exe 
 Nmain.exe 
 Nisum.exe 
 Navwnt.exe 
 Navw32.exe 
 Navnt.exe 
 Navlu32.exe 
 Navapw32.exe 
 N32scanw.exe 
 Mpftray.exe 
 Moolive.exe 
 Luall.exe 
 Lookout.exe 
 Lockdown2000.exe 
 Jedi.exe 
 Iomon98.exe 
 Iface.exe 
 Icsuppnt.exe 
 Icsupp95.exe 
 Icmon.exe 
 Icloadnt.exe 
 Icload95.exe 
 Ibmavsp.exe 
 Ibmasn.exe 
 Iamserv.exe 
 Iamapp.exe 
 Frw.exe 
 Fprot.exe 
 Fp-Win.exe 
 Findviru.exe 
 f-Stopw.exe 
 f-Prot95.exe 
 f-Prot.exe 
 f-Agnt95.exe 
 Espwatch.exe 
 Esafe.exe 
 Ecengine.exe 
 Dvp95_0.exe 
 Dvp95.exe 
 Cleaner3.exe 
 Cleaner.exe 
 Claw95cf.exe 
 Claw95.exe 
 Cfinet32.exe 
 Cfinet.exe 
 Cfiaudit.exe 
 Cfiadmin.exe 
 Blackice.exe 
 Blackd.exe 
 Avwupd32.exe 
 Avwin95.exe 
 Avsched32.exe 
 Avpupd.exe 
 Avptc32.exe 
 Avpm.exe 
 Avpdos32.exe 
 Avpcc.exe 
 Avp32.exe 
 Avp.exe 
 Avnt.exe 
 Avkserv.exe 
 Avgctrl.exe 
 Ave32.exe 
 Avconsol.exe 
 Autodown.exe 
 Apvxdwin.exe 
 Anti-Trojan.exe 
 Ackwin32.exe 
 _Avpm.exe 
 _Avpcc.exe 
 _Avp32.exe
 
The worm's body contains the following string:

 I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON 
MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker,
PakBrain, Foot-Art and AQTE Anacon G0t ya! By Melhacker