NGRBot Spreads Via Chat

NGRBot is a worm that propagates through chat messengers, the Internet Relay Chat channel, social networking sites etc. It steals FTP and browser passwords and can cause a denial of service by flooding.

NGRBots use the IRC network for file transfer, sending and receiving commands between zombie network machines and the attacker’s IRC server, and monitoring and controlling network connectivity and intercept. It employs a user-mode rootkit technique to hide and steal its victim’s information. This family of bot is also designed to infect HTML pages with iframes, causing redirections, blocking victims from getting updates from security/antimalware products, and killing those services. The bot is designed to connect via a predefined IRC channel and communicate with a remote botnet.

Figure 1: We see “ngrbot” string in memory.

Once connected to the IRC channel, the bot can function as backdoor and receive commands from a remote attacker.

The following message box is displayed if someone tries to reverse engineer the malware:

Figure 2: NGRBot’s paths of operation and related activity.


A Look at NGRBot: Self-update and DNS-setting modification modules

         RushKill Module                                    Grabber Module

With the help of the Grabber module, the bot can intercept communications between the victim and browser chat and steals the username and password.

Flooder Module Strings

IRC Communicator Module Strings

Spreader Module

String Related to Bot Joining IRC Channel

Behavioral characteristics:

  • Injects into many running processes
  • Hooks several APIs of various loaded modules
  • Injects into explorer.exe and connects to  through post 7171
  • Can spread through removable devices with the autorun.inf
  • Name of sample copy dropped inside %appdata% folder by calling GetVolumeInformation() API for Hard Disk serial number

NGRBot uses mutual exclusion to ensure one of its instances is always running:

A message from the NGRBot author and the script file for deleting downloaded files

NGRBot downloads other malicious files onto a victim’s machine. We noticed the fake AV Live Platinum Security (8.exe in the next screen) and the trojan KillAV (7.exe) in the %appdata% folder and then executing.

The dropped malwares survive after rebooting by making “Run” entries on the machine.

The dropped KillAV Trojan has many antidebugging tricks to make it difficult to reverse-engineer. This Trojan also checks for more than 100 running security/antimalware processes and kills them.

scfmanager Fsaw livesrv mscif vir.exe
savser Fspex bdmcon mpft webproxy
savadmins fsm32 bdagent mpfser pavfnsvr
alsvc Tsanti xcommsvr mpfag avengine
almon Kavpf PXConsole mcvss avciman
npfmsg2 Kav PXAgent mcvs apvxdwin
zlh dpasnt kpf4ss mcupd avp
zanda Msfw kpf4gui mcupdm cavtray
cclaw msmps sunthreate mctsk cavrid
npfsvice mpeng sunserv mcshi
njeeves Msco sunprotect mcdet
nipsvc winssno counter mcage
nip symlcsvc clamwin zlcli
nvcsched spbbcsvc clamtray vsmon
nvcoas sndsrvc avgnt webroot
spidernt nscsrvce avguard spysw
spiderui navapsvc avesvc firewalln
drweb ccsetmgr avcenter vrmo
pxcons ccproxy ashwebsv vrfw
pxagent ccetvm ashdisp hsock
guardxkickoff Ccapp ashmaisv wmiprv
vba32ldr alusched ashserv mxtask
nod32kui Oascl isafe caissdt


The Trojan connects to two sites:


The Fake AV Live Security Platinum blocks victims from several files:

  • regsvr32.exe
  • cmd.exe
  • rundll32.exe
  • regedit.exe
  • verclsid.exe
  • ipconfig.exe

The malware stops the victim from downloading files with the following file extensions:

  • exe
  • com
  • pif
  • scr


Advice to Customers

McAfee successfully unhooks and completely cleans the malware. Update your scanners with the latest DATs. Avoid clicking on suspicious links in chat windows or on social networking sites without first searching online. Beware of social engineering tricks used by malware authors to lure victims into clicking malicious links. Make sure you have a reputable firewall installed in your machine.