McAfee Labs

Update: NGRBot Posing as Skype Drops Ransomware With Fake McAfee Logo

By on Oct 12, 2012

This blog was updated on October 15. See the end of this post.

We recently received a sample of the malware NGRBot from a customer who had received a spam email containing what appears to be a Skype link. Victims are lured into clicking a link that promises an image. Once a victim clicks the link, the file skype_09-10-12_image.exe is dropped on the machine and launches itself, spamming all of the victim's contacts. This bot is also known as Dorkbot. Kaspersky states that the malware was first seen on October 6.

The bot comes with a Skype icon and tricks its victims into executing the file.

We have written about NGRBot earlier here. This sample comes with an additional module to steal credit card and login details.

The new bot module steals login credentials of victims from Gmail, AOL, FastMail, MoneyBookers, Megaupload, SpeedyShare, YouTube, iknowthatgirl, YouPorn, Brazzers, Webnames, Dotster, Enom, 1and1, Moniker, Namecheap, Godaddy, Alertpay, Netflix, Thepiratebay, Torrentleech, Vip-file, Sms4file, Letitbit, Whatcd, eBay, Twitter, Facebook, Yahoo, and PayPal, among others.

The malware can post its lure in different languages.

seen this?? 😀 %s

poglej to fotografijo 😀 %s

pogled na ovu fotografiju 😀 %s

titta på min bild 😀 %s

shikoni nfoto 😀 %s

pozrite sa na túto fotografiu 😀 %s

uita-te la aceasta fotografie 😀 %s

katso tätä kuvaa 😀 %s

bu resmi bakmak 😀 %s

olhar para esta foto 😀 %s

spojrzec na to zdjecie 😀 %s

se dette bildet 😀 %s

nézd meg a képet 😀 %s

ser dette billede 😀 %s

podívejte se na mou fotku 😀 %s

guardare quest’immagine 😀 %s

look at this picture 😀 %s

bekijk deze foto 😀 %s

mira esta fotografía 😀 %s

schau mal das foto an 😀 %s

regardez cette photo 😀 %s

This malware is widespread. We advise customers to be extra cautious when clicking on links, particularly those accompanied by words such as “pic” or “image” that appear in the chat windows of messaging software.

Update, October 15: We have now seen this bot download and execute ransomware, which locks the victim’s machine and demands money to return control to the user. The lock screen of the ransomware also misuses the McAfee logo. This family of ransomware checks the victim’s location before producing the lock screen. It charges about US$200 to release the desktop.

The malware modifies the registry entry “System\CurrentControlSet\Control\SafeBoot” to prevent users from booting into Safe Mode.

The ransomware disables the following tools:

  • Taskmgr.exe
  • cmd.exe
  • regedit.exe
  • msconfig.exe

The most recent sample we received also shows porn images in the lock screen.
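As an added defender-side check that is not part of this post, the following PowerShell inspects the SafeBoot key named above and the registry mechanisms that commonly account for the four disabled tools. The policy values and Image File Execution Options entries it looks for are assumptions: the post does not say how the ransomware disables those programs, only that it does.

```powershell
# Added example (not from the McAfee post): integrity check for the SafeBoot tree and
# for registry settings that lock out Taskmgr.exe, cmd.exe, regedit.exe and msconfig.exe.
# The lockout mechanisms checked in steps 2 and 3 are assumed; run from an elevated shell.

$findings = @()

# 1. Safe Mode loads only the drivers and services listed under SafeBoot\Minimal and
#    SafeBoot\Network. A missing or nearly empty subkey means Safe Mode has been sabotaged.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($sub in 'Minimal', 'Network') {
    $path = Join-Path $safeBoot $sub
    if (-not (Test-Path $path)) {
        $findings += "SafeBoot\$sub is missing: booting into Safe Mode will fail"
    } elseif ((Get-ChildItem $path).Count -lt 10) {
        $findings += "SafeBoot\$sub has only $((Get-ChildItem $path).Count) entries (expected dozens)"
    }
}

# 2. Policy values that disable Task Manager, regedit and cmd.exe for the current user.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -ne 0) {
        $findings += "$($c.Path)\$($c.Name) = $($v.($c.Name)) (tool disabled by policy)"
    }
}

# 3. An Image File Execution Options "Debugger" value redirects a program to another
#    binary every time it is launched; on these four names it would neutralise them.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'Taskmgr.exe', 'cmd.exe', 'regedit.exe', 'msconfig.exe') {
    $dbg = Get-ItemProperty -Path (Join-Path $ifeo $exe) -Name Debugger -ErrorAction SilentlyContinue
    if ($dbg) { $findings += "IFEO Debugger set for ${exe}: $($dbg.Debugger)" }
}

if ($findings.Count -eq 0) { 'No SafeBoot or tool-lockout tampering found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A machine where any finding fires should be treated as compromised rather than repaired in place; the SafeBoot subkeys can be restored from a known-good system of the same Windows version.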
