FRISK Software International

Summary of W32/Naco.F@mm
Alias:Worm.Nocana.F, W32.Naco.D@mm, Anacon, Nocana, Naco, Naco.F
Discovered: 12 Jun 2003
Definition files: 12 Jun 2003
Risk Level: Low
Infection Method:Infected e-mail attachments and peer-to-peer networks
Jump to:
Brief description
Technical description

Brief Description
Naco.F worm was found on 12 June 2003. It can spread via email and peer-to-peer networks. It also tries to steal or delete user's data. Additionally the worm has backdoor capabilities. The worm arrives in emails which subject, body text and attachment name vary.

Technical Description

This worm's variant is close to the previous one - Naco.E but it has much more bugs that can render an infected system inoperable shortly after infection. Out test workstation and Exchange server were jammed by a huge number of e-mails that the worm sent. Also on a test workstation there appeared numerous Registry Editor's import failure messageboxes.

W32/Naco.F@mm is different to the previous variant in several ways:

  1. The worm drops itself to Windows System directory as CSRSS32.EXE file. There can be more than one copy of the worm in memory.

  2. The worm's file is compressed with TELOCK file compressor. The compressed file's size is 45568 bytes.

  3. Most of the worm's text strings are encrypted with a simple cryptoalgorithm. The worm dynamically decrypts its strings when it uses them.

  4. The worm displays a different messageboxes:
    You are the most pretty girl I ever saw!
    Anacon 6 W0rm
    THanX f0r SupPoRted:
    Dincracker, Foot-Art, PakBrain, Fady911x, Anacon, Axam, Sh4m_Skru, AjeedNASA,
    Invisibleman, Zied666 and all my frenz...

  5. The worm puts a different message on a defaced webserver:
    Melhacker WhAcKeRs

    Melhacker + Anacon Gotcha! New Version Of Anacon Worm!
    You Are Hacked By WhAcKeRs Team!

  6. The worm copies itself many times to Startup folder with random name that consists of four numbers. On our test system the worm created more than 250 files in Startup folder.

  7. The worm sends itself in e-mail usually as CSRSS32.EXE. It can also use a four-digit randomly generated name for its attachment, for example 5131.EXE. It should be noted that a recipient of an infected message will see a different attachment's name - CLIMBING.JPG with some e-mail clients, for example with Microsoft Outlook while Netscape shows the attachment name correctly.

  8. The worm can infect EXE files in Windows System directory. Due to bugs in the worm's code it can infect files multiple times.

[Description: F-Secure Anti-Virus Research Team; F-Secure Corp.; June 12th-13th, 2003]

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)