Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Win32.Nocan.A@mm

  1. #1

    Win32.Nocan.A@mm

    BitDefender, an award-winning antivirus software producer, today reports a new version of Nocan (Win32.Nocan.B@mm), a mass-mailer virus, very similar to the high-spreading virus Sobig.B (previously known as Palyh). The virus uses mainly the e-mail and the file-sharing networks in order to spread. For the moment, just a few reports of infection, most probable from the author himself, have been received, but the virus has a high-spreading potential. The specialists believe that the author is Melhacker - the same as in the case of Maax.B - a virus discovered during the last week. He might be a member of the VX (virus authors) community. The virus has even the ability to update itself from a web address, which seems to belong to that community.

    “The latest viruses, beginning from Yahaa.B and until this one, use the same mechanisms and probably share the same database of tricks (e-mail subjects, content, antivirus services to be terminated, etc.). They are all Trojans, backdoors, mass-mailers and worms, key-loggers and password-stealers, using in most cases the same techniques to spread and to infect computers”, Patrick Vicol, Virus Researcher at BitDefender stated. “Only the programming approach is a little different. For example, Nocan is made in Visual Basic programming environment – using a very complex structure, with a strong update potential”, Patrick concluded.

    Complexity seems to be the keyword for this last virus: the code contains instructions to copy the virus file into the System32 folder, to modify Windows registry keys, to attempt termination of data security software installed on the system, to send itself as e-mail message to all contacts in the Address Book, to search for most popular IM applications and to copy itself into their shared folders under different, tricky names. The virus is also able to perform DoS attacks against 10 IP addresses, to deface the existing IIS site on the system, to delete files on the hard-drive (C:\Safeweb and all files on the root folder and on the D:\ partition), to steal information (subsequently e-mailed to the address chatza@phreaker.net), to create a backdoor and to download a file (for updating purposes) from a certain URL.

    BitDefender has updated yesterday all its antivirus solutions, to detect and stop the spreading of this new threat. BitDefender experts recommended all users to use the update feature in order to stay protected against any other new viruses.
    The specialists believe that the author is Melhacker - the same as in the case of Maax.B - a virus discovered during the last week. He might be a member of the VX (virus authors) community. The virus has even the ability to update itself from a web address, which seems to belong to that community.
    http://vx.netlux.org/lib/iv035.html (Interview with Trigger from VX Community
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    now let me see........

    Symantec: Nothing

    Google: Nothing

    A look at the page you "reference": Nothing

    Yet the virus has a name that is given by the AV community, (Win32.Nocan.B@mm)........

    Methinks that the name nocan.b might be something like "No can be"..... But that couldn't be could it?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Could this be a typo?
    Could it be Naco.B Thread found here
    http://www.antionline.com/showthread...hreadid=244217

    Looking at the Bitdefender site I think not.. it seems to be different..

    http://www.bitdefender.com/bd/site/v..._id=1&v_id=128

    Name: Win32.Nocan.A@mm
    Aliases: N/A
    Type: Executable Mass Mailer
    Size: 86,016 bytes (137,651 bytes dropper)
    Discovered: 26.05.2003
    Detected: 26.05.2003
    Spreading: Low
    Damage: Low
    In The Wild: Yes

    Symptoms:
    Presence of the following file in %SYSTEM% folder (86,016 bytes):
    SYSPOLY32.EXE

    Presence of any of the following files in %SYSTEM% folder (137,651 bytes each):
    ANACON.EXE
    BUILD.EXE
    FORCE.EXE
    SCAN.EXE
    RUNTIME.EXE
    HANGUP.EXE
    HUNGRY.EXE
    THINGS.EXE
    AGAINST.EXE
    WARS.EXE

    Presence of the next registry keys:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Nocana"= "%SYSTEM%\wars.exe"]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AHU"= "%SYSTEM%\SYSPOLY32.EXE"]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ "InterceptedSystem"="%SYSTEM%\SYSPOLY32.EXE"]

    where %SYSTEM% points to Windows\System folder.
    I am tired.. and haven't fully read the info on both sites so I may be wrong..
    I will look at it in the morrow..


    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    Well officially by Bitdefender they reply:

    I read the posting of mr tiger and here are my comments:
    the virus exists, just that it has another name (for example at Symantec it's called W32.Naco.B@mm). Another point is that Google could not have indexed the pages that talk about this virus for the simple reason that this usually happens in a couple of hours, say 6-7.

    In the rest, the posting does not say anything new. In fact,
    it's disinforming.

    Well, you can make a posting out of this info. I could make myself, but have to register first, which I'll do as soon as I can!!
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Support: Please feel free to forward this to BitDefender or point them to it.

    1. It would be _real_ nice if Bitdefender, and all the other AV companies would standardize their naming so they all get the same names.....

    2. BitDefender stated that there were only a few reported cases "most probable from the author himself"...... Sorry BitDefender, that doesn't give a whole lot of creedence to it's _actual_ existence........ It's kind of like the terrorist phoning in fake bomb threats.... The terror is the same but the substance is lacking.

    3. Please note the spelling error in that quote above...... While I hate picking on spelling errors it is interesting to note that most viruses and almost all the hoaxes contain grammatical/spelling errors. It helps BitDefender's image and credibility therefore if they can raise themselves above the level of the people they pit themselves against.

    4. If you are going to pick a name for a virus let's try to make it believable....... Come on.... No Can Be!!!!!!! That's the name of a hoax if I ever heard one........

    5. Please show Mr. Tiger where _exactly_ he was "disinforming". The remainder of the post was a question....... When was a question "disinforming"???????
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Well I forward the link to them in order to read it and talk with you if they wish. Sometimes it is difficult to be in the middle.
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  7. #7
    NACO.B from F-Secure: http://www.f-secure.com/v-descs/naco_b.shtml
    Win32.Nocan.B@mm : http://www.bitdefender.com/bd/site/v..._id=1&v_id=128
    Naco.B from Panda: http://www.pandasoftware.com/virus_i...?idvirus=39708

    More or less they look the same to me Sharky!!
    I think we end the story now as for the names leave the companies to solve this problem themselves. I think the the names is not the really problem for a experienced user.
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Just a nudge Suport but did you check the thread I mentioned earlier?

    it is a pest when the AV companies give their own names to virii, worse is when they won't/don't acknowledge another companies findings.. accept that early on it is messy..

    Here is an excerpt form sysmantec's listing on Naco.b tonight
    Also Known As: W32/Naco.b@MM [McAfee], Win32.Naco.B [CA], WORM_NACO.B [Trend], W32/Anacon-B [Sophos], I-Worm.Nocana.b [KAV]
    good bloody list hey..

    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Support: Monday morning quarterbacking is a wonderful thing.......

    Simple fact is that at the time BitDefender put out this warning about a virus that _they_ had randomly named, that they themselves said had probably only been reported by it's creator there was no other way for me to verify the veracity of their claim. Add to that the fact that they, (maybe because of their limited English), came up with a name that looked so much like a hoax I cannot be blamed for being sceptical about the report in the first place.

    The fact that the three, differently named, virii look the same and are the same today does not in any way mean that my observations at the time were any less valid.......

    I learned many years ago to live by the following phrase, "Don't assume...... Check!!!!" I did, there was no evidence to imply that this was a valid virus or another of the many hoaxes. I simply am not the sort of person to get my knickers in a bunch because some little known foreign AV company trying to make a name for themselves plonks down warnings based on reports from a virus writer..... That is laughable.......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Well Tiger. Due to the fact that a virus name is a confusing thing sometimes I started reading how about to reslolve such a thing. I started from Wildlist : an article : How Scientific Naming Works @ http://www.wildlist.org/naming.htm. Well the article is too old but it is worth reading which I think you might have done already. If you got something newer about this matter drop me a reply.

    P.S What I dislike sometimes in Anti Online is that some users including yourself critisizing other's people english. In my personal view this think is a kind of ratsism.
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •