McAfee Labs

Update: NGRBot Posing as Skype Drops Ransomware With Fake McAfee Logo

0
By on Oct 12, 2012

This blog was updated on October 15. See the end of this file.

We recently received a sample of the malware NGRBot from a customer, who got a spam email with what appears to be a Skype link. Victims are lured into clicking a link that promises an image. Once victims click the link, the file skype_09-10-12_image.exe gets dropped on their machines and launches itself, spamming all of their contacts. This bot is also known as Dorgbot. Kaspersky states that the malware was first seen on October 6.

The bot comes with Skype icon and tricks its victims into executing the file.

We have already written about NGRBot earlier here. This sample comes with an additional module to steal credit card and login details.

The new bot module steals login credentials of victims from Gmail, AOL, FastMail, MoneyBookers, Megaupload, SpeedyShare, YouTube, iknowthatgirl, YouPorn, Brazzers, Webnames, Dotster, Enom, 1and1, Moniker, Namecheap, Godaddy, Alertpay, Netflix, Thepiratebay, Torrentleech, Vip-file, Sms4file, Letitbit, Whatcd, eBay, Twitter, Facebook, Yahoo, and PayPal, among others.

The malware can post its lure in different languages.

seen this?? ๐Ÿ˜€ %s

poglej to fotografijo ๐Ÿ˜€ %s

pogled na ovu fotografiju ๐Ÿ˜€ %s

titta pmin bild ๐Ÿ˜€ %s

shikoni nfoto ๐Ÿ˜€ %s

pozrite sa na tto fotografiu ๐Ÿ˜€ %s

uita-te la aceasta fotografie ๐Ÿ˜€ %s

katso tkuvaa ๐Ÿ˜€ %s

bu resmi bakmak ๐Ÿ˜€ %s

olhar para esta foto ๐Ÿ˜€ %s

spojrzec na to zdjecie ๐Ÿ˜€ %s

se dette bildet ๐Ÿ˜€ %s

zd meg a kpet ๐Ÿ˜€ %s

ser dette billede ๐Ÿ˜€ %s

vejte se na mou fotku ๐Ÿ˜€ %s

guardare quest’immagine ๐Ÿ˜€ %s

look at this picture ๐Ÿ˜€ %s

bekijk deze foto ๐Ÿ˜€ %s

mira esta fotografa ๐Ÿ˜€ %s

schau mal das foto an ๐Ÿ˜€ %s

regardez cette photo ๐Ÿ˜€ %s

This malware is widespread. We advise customers to be extra cautious when clicking on links, particularly those with words such as “pic” or image” that appear in the chat windows of messaging software.

 

Update

We have now seen this bot download and execute ransomware, which locks the victimโ€™s machine and demands money to return control to the user. The lock screen of the ransomware also rips off the McAfee logo. This family of ransomware checks for the victimโ€™s location and then produces the lock screen. It charges about US$200 to release the desktop.

The malware modifies the registry entry “System\CurrentControlSet\Control\SafeBoot” to prevent users from booting into Safe Mode.

The ransomware disables:

  • Taskmgr.exe
  • cmd.exe
  • regedit.exe
  • msconfig.exe

The most recent sample we received also shows porn images in the lock screen.
Ransomware


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>