Win32.Nocan.A@mm
Support
May 27th, 2003, 01:55 PM
BitDefender, an award-winning antivirus software producer, today reports a new version of Nocan (Win32.Nocan.B@mm), a mass-mailer virus, very similar to the high-spreading virus Sobig.B (previously known as Palyh). The virus uses mainly the e-mail and the file-sharing networks in order to spread. For the moment, just a few reports of infection, most probable from the author himself, have been received, but the virus has a high-spreading potential. The specialists believe that the author is Melhacker - the same as in the case of Maax.B - a virus discovered during the last week. He might be a member of the VX (virus authors) community. The virus has even the ability to update itself from a web address, which seems to belong to that community.
“The latest viruses, beginning from Yahaa.B and until this one, use the same mechanisms and probably share the same database of tricks (e-mail subjects, content, antivirus services to be terminated, etc.). They are all Trojans, backdoors, mass-mailers and worms, key-loggers and password-stealers, using in most cases the same techniques to spread and to infect computers”, Patrick Vicol, Virus Researcher at BitDefender stated. “Only the programming approach is a little different. For example, Nocan is made in Visual Basic programming environment – using a very complex structure, with a strong update potential”, Patrick concluded.
Complexity seems to be the keyword for this last virus: the code contains instructions to copy the virus file into the System32 folder, to modify Windows registry keys, to attempt termination of data security software installed on the system, to send itself as e-mail message to all contacts in the Address Book, to search for most popular IM applications and to copy itself into their shared folders under different, tricky names. The virus is also able to perform DoS attacks against 10 IP addresses, to deface the existing IIS site on the system, to delete files on the hard-drive (C:\Safeweb and all files on the root folder and on the D:\ partition), to steal information (subsequently e-mailed to the address chatza@phreaker.net), to create a backdoor and to download a file (for updating purposes) from a certain URL.
BitDefender has updated yesterday all its antivirus solutions, to detect and stop the spreading of this new threat. BitDefender experts recommended all users to use the update feature in order to stay protected against any other new viruses.
The specialists believe that the author is Melhacker - the same as in the case of Maax.B - a virus discovered during the last week. He might be a member of the VX (virus authors) community. The virus has even the ability to update itself from a web address, which seems to belong to that community.
http://vx.netlux.org/lib/iv035.html (Interview with Trigger from VX Community)
Tiger Shark
May 27th, 2003, 02:13 PM
now let me see........
Symantec: Nothing
Google: Nothing
A look at the page you "reference": Nothing
Yet the virus has a name that is given by the AV community, (Win32.Nocan.B@mm)........
Methinks that the name nocan.b might be something like "No can be"..... But that couldn't be could it?
Und3ertak3r
May 27th, 2003, 04:28 PM
Could this be a typo?
Could it be Naco.B Thread found here
http://www.antionline.com/showthread.php?s=&threadid=244217
Looking at the Bitdefender site I think not.. it seems to be different..
http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=128
Name: Win32.Nocan.A@mm
Aliases: N/A
Type: Executable Mass Mailer
Size: 86,016 bytes (137,651 bytes dropper)
Discovered: 26.05.2003
Detected: 26.05.2003
Spreading: Low
Damage: Low
In The Wild: Yes
Symptoms:
Presence of the following file in %SYSTEM% folder (86,016 bytes):
SYSPOLY32.EXE
Presence of any of the following files in %SYSTEM% folder (137,651 bytes each):
ANACON.EXE
BUILD.EXE
FORCE.EXE
SCAN.EXE
RUNTIME.EXE
HANGUP.EXE
HUNGRY.EXE
THINGS.EXE
AGAINST.EXE
WARS.EXE
Presence of the next registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Nocana"= "%SYSTEM%\wars.exe"]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AHU"= "%SYSTEM%\SYSPOLY32.EXE"]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\"InterceptedSystem"="%SYSTEM%\SYSPOLY32.EXE"]
where %SYSTEM% points to Windows\System folder.
I am tired.. and haven't fully read the info on both sites so I may be wrong..
I will look at it in the morrow..
Cheers
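The file and registry symptoms quoted in the post above, turned into a host check (an added example, not part of the original thread or of BitDefender's write-up). The function names, the exact-size comparison and the sample data in `demo()` are assumptions made for illustration.

```python
import os
import tempfile

# Indicators copied from the BitDefender description quoted above: file name -> size.
DROPPERS = ("ANACON", "BUILD", "FORCE", "SCAN", "RUNTIME",
            "HANGUP", "HUNGRY", "THINGS", "AGAINST", "WARS")
EXPECTED_SIZE = {"SYSPOLY32.EXE": 86016, **{n + ".EXE": 137651 for n in DROPPERS}}
# (subkey of HKLM\Software\Microsoft\Windows\CurrentVersion, value name) -> target file
RUN_VALUES = {("Run", "Nocana"): "WARS.EXE",
              ("Run", "AHU"): "SYSPOLY32.EXE",
              ("RunServices", "InterceptedSystem"): "SYSPOLY32.EXE"}

def scan_system_dir(system_dir):
    """Return (name, size, verdict) for each listed file name found in system_dir.
    "match" means the size equals the published one; "name-only" means it does
    not, which matters because several of the listed names are generic."""
    hits = []
    for entry in sorted(os.listdir(system_dir)):
        expected = EXPECTED_SIZE.get(entry.upper())
        if expected is None:
            continue
        size = os.path.getsize(os.path.join(system_dir, entry))
        hits.append((entry, size, "match" if size == expected else "name-only"))
    return hits

def scan_run_values(values):
    """values: {(subkey, value_name): data} read from the Run/RunServices keys.
    Returns entries whose value name and target file name both match."""
    found = []
    for (subkey, name), target in RUN_VALUES.items():
        data = values.get((subkey, name), "")
        leaf = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if leaf.upper() == target:
            found.append((subkey, name, data))
    return found

def demo():
    """Run both checks on constructed sample data (not taken from a real host)."""
    with tempfile.TemporaryDirectory() as d:
        for fname, size in (("wars.exe", 137651), ("scan.exe", 4096), ("notepad.exe", 10)):
            with open(os.path.join(d, fname), "wb") as f:
                f.write(b"\0" * size)
        files = scan_system_dir(d)
    regs = scan_run_values({("Run", "Nocana"): r"C:\WINDOWS\System\wars.exe",
                            ("Run", "AHU"): r"C:\Tools\other.exe"})
    return files, regs

if __name__ == "__main__":
    print(demo())
```

On a live system the directory would be the folder %SYSTEM% points to, and the `values` mapping would be filled from the two registry keys named in the description.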
Support
May 27th, 2003, 06:16 PM
Well officially by Bitdefender they reply:
I read the posting of mr tiger and here are my comments:
the virus exists, just that it has another name (for example at Symantec it's called W32.Naco.B@mm). Another point is that Google could not have indexed the pages that talk about this virus for the simple reason that this usually happens in a couple of hours, say 6-7.
In the rest, the posting does not say anything new. In fact, it's disinforming.
Well, you can make a posting out of this info. I could make myself, but have to register first, which I'll do as soon as I can!! :)
Tiger Shark
May 27th, 2003, 06:45 PM
Support: Please feel free to forward this to BitDefender or point them to it.
1. It would be _real_ nice if Bitdefender, and all the other AV companies would standardize their naming so they all get the same names.....
2. BitDefender stated that there were only a few reported cases "most probable from the author himself"...... Sorry BitDefender, that doesn't give a whole lot of credence to its _actual_ existence........ It's kind of like the terrorist phoning in fake bomb threats.... The terror is the same but the substance is lacking.
3. Please note the spelling error in that quote above...... While I hate picking on spelling errors it is interesting to note that most viruses and almost all the hoaxes contain grammatical/spelling errors. It helps BitDefender's image and credibility therefore if they can raise themselves above the level of the people they pit themselves against.
4. If you are going to pick a name for a virus let's try to make it believable....... Come on.... No Can Be!!!!!!! That's the name of a hoax if I ever heard one........
5. Please show Mr. Tiger where _exactly_ he was "disinforming". The remainder of the post was a question....... When was a question "disinforming"???????
Support
May 27th, 2003, 07:35 PM
Well I forward the link to them in order to read it and talk with you if they wish. Sometimes it is difficult to be in the middle. :)
Support
May 28th, 2003, 08:18 AM
NACO.B from F-Secure: http://www.f-secure.com/v-descs/naco_b.shtml
Win32.Nocan.B@mm : http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=128
Naco.B from Panda: http://www.pandasoftware.com/virus_info/encyclopedia/details.aspx?idvirus=39708
More or less they look the same to me Sharky!!
I think we end the story now; as for the names, leave the companies to solve this problem themselves. I think the names are not really the problem for an experienced user.
Und3ertak3r
May 28th, 2003, 01:28 PM
Just a nudge Support but did you check the thread I mentioned earlier? (http://www.antionline.com/showthread.php?s=&threadid=244217)
it is a pest when the AV companies give their own names to virii, worse is when they won't/don't acknowledge another company's findings.. accept that early on it is messy..
Here is an excerpt from Symantec's listing on Naco.b tonight
Also Known As: W32/Naco.b@MM [McAfee], Win32.Naco.B [CA], WORM_NACO.B [Trend], W32/Anacon-B [Sophos], I-Worm.Nocana.b [KAV]
good bloody list hey..
cheers
Tiger Shark
May 28th, 2003, 02:20 PM
Support: Monday morning quarterbacking is a wonderful thing.......
Simple fact is that at the time BitDefender put out this warning about a virus that _they_ had randomly named, that they themselves said had probably only been reported by its creator there was no other way for me to verify the veracity of their claim. Add to that the fact that they, (maybe because of their limited English), came up with a name that looked so much like a hoax I cannot be blamed for being sceptical about the report in the first place.
The fact that the three, differently named, virii look the same and are the same today does not in any way mean that my observations at the time were any less valid.......
I learned many years ago to live by the following phrase, "Don't assume...... Check!!!!" I did, there was no evidence to imply that this was a valid virus or another of the many hoaxes. I simply am not the sort of person to get my knickers in a bunch because some little known foreign AV company trying to make a name for themselves plonks down warnings based on reports from a virus writer..... That is laughable.......
Support
May 29th, 2003, 01:09 PM
Well Tiger. Due to the fact that a virus name is a confusing thing sometimes I started reading about how to resolve such a thing. I started from Wildlist : an article : How Scientific Naming Works @ http://www.wildlist.org/naming.htm. Well the article is too old but it is worth reading which I think you might have done already. If you got something newer about this matter drop me a reply.
P.S What I dislike sometimes in Anti Online is that some users including yourself are criticizing other people's English. In my personal view this thing is a kind of racism.
Tiger Shark
May 29th, 2003, 02:07 PM
Support: I stand by everything I have said in this thread.
With regard to your comment about some AOer's criticising other's English I would state the following two points:
1. Nowhere, but nowhere, in the however many messages I have posted will you see me criticising other AOer's English and, to be quite honest, I cannot recall seeing anyone else criticising another's English. I can recall numerous occasions where clarification of what has been said has been requested but there is a good reason for that. This business requires a certain amount of accuracy. Failure to properly communicate a problem will normally result in an incorrect, or worse, more damaging solution. Thus, a request for clarification of what has been said should, in no way, be considered criticism, but rather an honest attempt to ensure that one can be as helpful as possible.
2. Yes, I criticised BitDefender's English but firstly they are not another AOer. More importantly this is a company that is trying to make its way in the business world. More specifically they are trying to solicit customers from the English speaking business world. It is therefore incumbent upon them to ensure that their releases are made in proper English with correct spelling and grammar. Frankly, it doesn't say much for BitDefender's attention to detail, (which is paramount when you are selling a product designed to _protect_ others), that they have not yet learned that Microsoft Word, (English version), has both a spell checker and a grammar checker built in. Thus the simple little act of passing their releases through Word prior to publication would go a long way in enhancing their credibility with the audience they are trying to sell to and that, in the long run, will be reflected in their annual profits.