NgrBot

Ngrbot is a malware that can stole our email, usename, and password. NgrBot is a malware like worm with type trojan that can spread rapidly, because this malware using a different shortcut type normally.


NgrBot we known as a alphabetic icon


And it made using C++ another ability from this malware is can't read by memory (rootkit) to protect itself, they use hooking technique in some API function. But this malware isn't active when the user on safe mode.

The best ability from this malware is how they can steal our user data, ID, or another private account.
And this is the website target from this malware

Click for Website Target :
1. Web Hosting & Domain
- dotster
- 1and1.com
- enom.com
- moniker.com
- namecheap.com
- godaddy.com
- sms4file.com
- dyndns.com

2. Online Payment
- alertpay.com
- paypal.com

3. E Commerce
- netflix.com
- thepiratebay.org
- ebay.com

4. Hacking
- torrentleech.org
- hackforums.com

5. Premium Account
- vip-file.com
- what.cd
- loginid.com
- secure.logmein.com

6. FileHosting
- letitbit.net
- oron.com
- filesonic.com
- speedyshare.com
- uploaded.to.com
- uploading.com
- fileserve.com
- hotfile.com
- 4shared.com
- netload.in.com
- freakshare.com
- mediafire.com
- sendspace.com
- megaupload.com
- depositfiles.com

7. Internet Banking
- officebanking.cl.com
- moneybookers.com
- bcointernacional.com

8. Game
- runescape.com
- steampowered.com

9. Social Networking
- twitter.com
- facebook.com
- bebo.com
- friendster.com
- vkontakte.ru

10. WebMail
- yahoo.com
- mail.live.com
- gmx.com
- Gmail.com
- fastmail.com
- bigstring.com
- screenname.aol.com

11. WebPorn
- IKnowThatGirl.com
- YouPorn.com
- Brazzers.com

12. Etc
- YouTube.com
And this malware also record our keystroke (Like keylogger) in this application

Click for Application :
- pidgin.exe
- wlcomm.exe
- msnmsgr.exe
- msmsgs.exe
- flock.exe
- opera.exe
- chrome.exe
- ieuser.exe
- iexplore.exe
- firefox.exe
And Ngrbot have many variants, and this is variants from Ngrbot

Click for Variants :
1. NgrBot
Host NgrBot is in the Application Data folder with a random name and extension (.Exe / .Tmp). In addition, NgrBot also hiding behind a RECYCLER folder which made by this malware after the removable disk is connected to the infected computer.

2. NgrBot.drp.A


The one of dropper from NgrBot that in startup folder which extract NgrBot.exe.A and NgrBot.bat

3. NgrBot.drp.B
Variant of NgrBot which places in Application Data, that have a function same with NgrBot.drp.A

4. NgrBot.lnk


Different from the other shortcut, NgrBot.lnk add another parameter in their shortcut, example:

%windir%\system32\cmd.exe /c "start %cd%RECYCLER\bcd8f464.exe &&%windir%\explorer.exe %cd%Removal

%windir%\system32\cmd.exe /c “start => Call Command Prompt that add a parameter “/c” that mean after we execute file will automatically close Command Prompt. And there is “start too, this is use for to execute a file
%cd% => Parameter that use for access a folder
RECYCLER\bcd8f464.exe => This is used to access folder RECYCLER where in this folder have host virus with name “bcd8f464.exe”
%windir%\explorer.exe =>  Call explorer.exe to open folder which name same as shortcut name that we launch, to make other people believed that shortcut is a normally folder
Removal => Example of folder name

5. NgrBot.bat


One of companion that use to execute and add a special parameter to NgrBot.exe.A

6.  NgrBot.exe.A.



Companion of NgeBot that execute by NgrBot.bat in same path that is folder temporary (temp)

7. NgrBot.dat


Companion that in all off this malware just content off random characters that normally in system32 folder or Documents and Settings folder


8. NgrBot.exe.B.
NgrBot.exe.B. always in User Profile and also make a value in registry with name –“u” so it can launch at startup

9. NgrBot.inf


Same with other malware that used Autorun.inf to launch their malware, without exception NgrBot. They make Autorun.inf too, and it always added a random character.

10. NgrBot.mem


Threads that are in memory and can not be detected by ordinary detection technique because it is a thread that is hidden by a rootkit techniques, also using hooking techniques while monitoring user activity and continue to spread the companion every time removable disks connected to the computer.
And this is some tricks to prevent from this malware

Click for Prevent :
1. Don't click any links that we don't know what is that from chat
2. Tell to friends if they're send a link in chat
3. Update antivirus
4. Always use HTTPS
5. Sign out after use from any website that required login

But if you had infected by this malware you can download PCMAV Express for NgrBot from Here.

Hopefully it will add your knowledge :)

Original: Virus Indonesia
Reactions:

0 comments:

Post a Comment