-
May 27th, 2003, 12:55 PM
#1
Member
Win32.Nocan.A@mm
BitDefender, an award-winning antivirus software producer, today reports a new version of Nocan (Win32.Nocan.B@mm), a mass-mailer virus, very similar to the high-spreading virus Sobig.B (previously known as Palyh). The virus uses mainly the e-mail and the file-sharing networks in order to spread. For the moment, just a few reports of infection, most probable from the author himself, have been received, but the virus has a high-spreading potential. The specialists believe that the author is Melhacker - the same as in the case of Maax.B - a virus discovered during the last week. He might be a member of the VX (virus authors) community. The virus has even the ability to update itself from a web address, which seems to belong to that community.
“The latest viruses, beginning from Yahaa.B and until this one, use the same mechanisms and probably share the same database of tricks (e-mail subjects, content, antivirus services to be terminated, etc.). They are all Trojans, backdoors, mass-mailers and worms, key-loggers and password-stealers, using in most cases the same techniques to spread and to infect computers”, Patrick Vicol, Virus Researcher at BitDefender stated. “Only the programming approach is a little different. For example, Nocan is made in Visual Basic programming environment – using a very complex structure, with a strong update potential”, Patrick concluded.
Complexity seems to be the keyword for this last virus: the code contains instructions to copy the virus file into the System32 folder, to modify Windows registry keys, to attempt termination of data security software installed on the system, to send itself as e-mail message to all contacts in the Address Book, to search for most popular IM applications and to copy itself into their shared folders under different, tricky names. The virus is also able to perform DoS attacks against 10 IP addresses, to deface the existing IIS site on the system, to delete files on the hard-drive (C:\Safeweb and all files on the root folder and on the D:\ partition), to steal information (subsequently e-mailed to the address chatza@phreaker.net), to create a backdoor and to download a file (for updating purposes) from a certain URL.
BitDefender has updated yesterday all its antivirus solutions, to detect and stop the spreading of this new threat. BitDefender experts recommended all users to use the update feature in order to stay protected against any other new viruses.
That was all folks!
http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi
-
May 27th, 2003, 01:13 PM
#2
now let me see........
Symantec: Nothing
Google: Nothing
A look at the page you "reference": Nothing
Yet the virus has a name that is given by the AV community, (Win32.Nocan.B@mm)........
Methinks that the name nocan.b might be something like "No can be"..... But that couldn't be could it?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 27th, 2003, 03:28 PM
#3
Could this be a typo?
Could it be Naco.B? Thread found here:
http://www.antionline.com/showthread...hreadid=244217
Looking at the Bitdefender site I think not.. it seems to be different..
http://www.bitdefender.com/bd/site/v..._id=1&v_id=128
Name: Win32.Nocan.A@mm
Aliases: N/A
Type: Executable Mass Mailer
Size: 86,016 bytes (137,651 bytes dropper)
Discovered: 26.05.2003
Detected: 26.05.2003
Spreading: Low
Damage: Low
In The Wild: Yes
Symptoms:
Presence of the following file in %SYSTEM% folder (86,016 bytes):
SYSPOLY32.EXE
Presence of any of the following files in %SYSTEM% folder (137,651 bytes each):
ANACON.EXE
BUILD.EXE
FORCE.EXE
SCAN.EXE
RUNTIME.EXE
HANGUP.EXE
HUNGRY.EXE
THINGS.EXE
AGAINST.EXE
WARS.EXE
Presence of the next registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Nocana"= "%SYSTEM%\wars.exe"]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AHU"= "%SYSTEM%\SYSPOLY32.EXE"]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ "InterceptedSystem"="%SYSTEM%\SYSPOLY32.EXE"]
where %SYSTEM% points to Windows\System folder.
I am tired.. and haven't fully read the info on both sites so I may be wrong..
I will look at it in the morrow..
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
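An added example, not part of any post in this thread and not BitDefender's code: the symptom list quoted in post #3, turned into a host check that parses the bracketed registry lines and matches file names and sizes. The function names and the sample inventory are constructed for illustration; how the file and autorun inventory is collected from a machine is left out.

```python
import re

# Indicators copied from the BitDefender description quoted in post #3.
DROPPED = {"SYSPOLY32.EXE": 86016}
DROPPED.update({n + ".EXE": 137651 for n in (
    "ANACON BUILD FORCE SCAN RUNTIME HANGUP HUNGRY THINGS AGAINST WARS").split()})
SYMPTOM_LINES = [
    r'[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Nocana"= "%SYSTEM%\wars.exe"]',
    r'[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AHU"= "%SYSTEM%\SYSPOLY32.EXE"]',
    r'[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ "InterceptedSystem"="%SYSTEM%\SYSPOLY32.EXE"]',
]
_LINE = re.compile(r'^\[(?P<key>.+?)\\\s*"(?P<name>[^"]+)"\s*=\s*"(?P<data>[^"]+)"\]$')

def parse_symptom(line):
    """Split one advisory line into (key, value name, data), lower-cased."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised symptom line: " + line)
    return tuple(m.group(g).lower() for g in ("key", "name", "data"))

def check_host(files, autoruns, system_dir):
    """files: {name: size} seen in the system folder; autoruns: (key, name, data)."""
    hits = []
    for name, size in files.items():
        expected = DROPPED.get(name.upper())
        if expected is not None:
            # Several listed names are ordinary words, so the size decides confidence.
            hits.append(("file", name, "size-match" if size == expected else "name-only"))
    wanted = {parse_symptom(line) for line in SYMPTOM_LINES}
    for key, name, data in autoruns:
        # Registry and file names are case-insensitive on Windows; fold before comparing.
        norm = (key.lower(), name.lower(),
                data.lower().replace(system_dir.lower(), "%system%"))
        if norm in wanted:
            hits.append(("autorun", name, "exact"))
    return hits

# Constructed sample inventory (not taken from a real host).
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_FILES = {"syspoly32.exe": 86016, "scan.exe": 40960, "notepad.exe": 69120}
SAMPLE_AUTORUNS = [
    (RUN, "AHU", r"C:\WINDOWS\System\SYSPOLY32.EXE"),
    (RUN, "SoundTray", r"C:\WINDOWS\System\sndtray.exe"),
]

if __name__ == "__main__":
    for hit in check_host(SAMPLE_FILES, SAMPLE_AUTORUNS, r"C:\WINDOWS\System"):
        print(hit)
```

A "name-only" hit means a file shares a listed name but not the listed size, so it needs a second look rather than being treated as a detection.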
-
May 27th, 2003, 05:16 PM
#4
Member
Well officially by Bitdefender they reply:
I read the posting of mr tiger and here are my comments:
the virus exists, just that it has another name (for example at Symantec it's called W32.Naco.B@mm). Another point is that Google could not have indexed the pages that talk about this virus for the simple reason that this usually happens in a couple of hours, say 6-7.
In the rest, the posting does not say anything new. In fact, it's disinforming.
Well, you can make a posting out of this info. I could make myself, but have to register first, which I'll do as soon as I can!!
That was all folks!
http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi
-
May 27th, 2003, 05:45 PM
#5
Support: Please feel free to forward this to BitDefender or point them to it.
1. It would be _real_ nice if Bitdefender, and all the other AV companies would standardize their naming so they all get the same names.....
2. BitDefender stated that there were only a few reported cases "most probable from the author himself"...... Sorry BitDefender, that doesn't give a whole lot of credence to its _actual_ existence........ It's kind of like the terrorist phoning in fake bomb threats.... The terror is the same but the substance is lacking.
3. Please note the spelling error in that quote above...... While I hate picking on spelling errors it is interesting to note that most viruses and almost all the hoaxes contain grammatical/spelling errors. It helps BitDefender's image and credibility therefore if they can raise themselves above the level of the people they pit themselves against.
4. If you are going to pick a name for a virus let's try to make it believable....... Come on.... No Can Be!!!!!!! That's the name of a hoax if I ever heard one........
5. Please show Mr. Tiger where _exactly_ he was "disinforming". The remainder of the post was a question....... When was a question "disinforming"???????
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 27th, 2003, 06:35 PM
#6
Member
Well I forward the link to them in order to read it and talk with you if they wish. Sometimes it is difficult to be in the middle.
That was all folks!
http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi
-
May 28th, 2003, 07:18 AM
#7
Member
NACO.B from F-Secure: http://www.f-secure.com/v-descs/naco_b.shtml
Win32.Nocan.B@mm : http://www.bitdefender.com/bd/site/v..._id=1&v_id=128
Naco.B from Panda: http://www.pandasoftware.com/virus_i...?idvirus=39708
More or less they look the same to me Sharky!!
I think we end the story now; as for the names, leave the companies to solve this problem themselves. I think the names are not really the problem for an experienced user.
That was all folks!
http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi
-
May 28th, 2003, 12:28 PM
#8
Just a nudge Support but did you check the thread I mentioned earlier?
it is a pest when the AV companies give their own names to virii, worse is when they won't/don't acknowledge another company's findings.. accept that early on it is messy..
Here is an excerpt from Symantec's listing on Naco.b tonight
Also Known As: W32/Naco.b@MM [McAfee], Win32.Naco.B [CA], WORM_NACO.B [Trend], W32/Anacon-B [Sophos], I-Worm.Nocana.b [KAV]
good bloody list hey..
cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
May 28th, 2003, 01:20 PM
#9
Support: Monday morning quarterbacking is a wonderful thing.......
Simple fact is that at the time BitDefender put out this warning about a virus that _they_ had randomly named, that they themselves said had probably only been reported by its creator there was no other way for me to verify the veracity of their claim. Add to that the fact that they, (maybe because of their limited English), came up with a name that looked so much like a hoax I cannot be blamed for being sceptical about the report in the first place.
The fact that the three, differently named, virii look the same and are the same today does not in any way mean that my observations at the time were any less valid.......
I learned many years ago to live by the following phrase, "Don't assume...... Check!!!!" I did, there was no evidence to imply that this was a valid virus or another of the many hoaxes. I simply am not the sort of person to get my knickers in a bunch because some little known foreign AV company trying to make a name for themselves plonks down warnings based on reports from a virus writer..... That is laughable.......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 29th, 2003, 12:09 PM
#10
Member
Well Tiger. Due to the fact that a virus name is a confusing thing sometimes I started reading about how to resolve such a thing. I started from Wildlist: an article: How Scientific Naming Works @ http://www.wildlist.org/naming.htm. Well the article is too old but it is worth reading which I think you might have done already. If you got something newer about this matter drop me a reply.
P.S. What I dislike sometimes in Anti Online is that some users including yourself are criticizing other people's English. In my personal view this thing is a kind of racism.
That was all folks!
http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi