Home Forums Windows 7 Security Tips

Windows 7
Windows Vista
Windows XP

Security Tips
Keyboard Shortcuts


Internet Terms
Computer Terms

File Extensions (75)
File Extensions (15K+)

Startup Applications
Necessary Files
Useless Files
At Your Option Files
Dangerous Files
Browser Objects

DLL Files
SYS Files
INF Files
OCX Files
VXD Files

Virus Database
Virus Warnings

Easter Eggs
Tips and Tricks
Hot Downloads

Privacy Policy
Contact Us




Nocana is a worm virus spreading via the Internet as an e-mail file attachment via P2P file sharing networks.
The worm contains a backdoor routine.
- opens full access to disk files and system registry keys
- sends information about infected computer
- sends cached passwords
- sends keyboard log
- downloads and executes files from Web
- changes display resolution
- runs DoS attack on several servers

Note that the real attached .EXE file name is hidden by a false .JPG extension(an "extra functionality" of MS Outlook is used to accomplish this deception).
As a result the infected .EXE file is displayed as a .JPG image file, but upon opening the attachment it is executed as a true EXE file.

The worm then installs itself to the system, runs its spreading routine and payload.
While installing the worm copies itself to the Windows directory using the name "ANACON.EXE" and registers this file in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run AHU= %SystemDir%\ANACON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Hvewsveqmg = %SystemDir%\ANACON.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cvfjx = %SystemDir%\ANACON.EXE

The Nocana worm also terminates several anti-virus and active firewall processes.
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book.

It also formats the D: drive.
Deletes all files in the current directory (in most cases - Windows system directory).
On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm deletes all *.DLL, *.NLS, *.OCX files in the current directory (in most cases - Windows directory).

Automatic Removal: Use antivirus (also check How To Remove section)Startup Optimizer to remove it from startup.

Still have a problem? Ask for help at our discussion forum.

Search Dangerous Files :

: : Recent posts at Forums : :

Fatal error: Incompatible file format: The encoded file has format major ID 1, whereas the Loader expects 7 in /home/software/public_html/forum/includes/functions_vbseo.php on line 0