Update: NGRBot Posing as Skype Drops Ransomware With Fake McAfee Logo

October 12, 2012

This blog was updated on October 15. See the end of this file.

We recently received a sample of the malware NGRBot from a customer, who got a spam email with what appears to be a Skype link. Victims are lured into clicking a link that promises an image. Once victims click the link, the file skype_09-10-12_image.exe gets dropped on their machines and launches itself, spamming all of their contacts. This bot is also known as Dorgbot. Kaspersky states that the malware was first seen on October 6.

The bot comes with Skype icon and tricks its victims into executing the file.

We have already written about NGRBot earlier here. This sample comes with an additional module to steal credit card and login details.

The new bot module steals login credentials of victims from Gmail, AOL, FastMail, MoneyBookers, Megaupload, SpeedyShare, YouTube, iknowthatgirl, YouPorn, Brazzers, Webnames, Dotster, Enom, 1and1, Moniker, Namecheap, Godaddy, Alertpay, Netflix, Thepiratebay, Torrentleech, Vip-file, Sms4file, Letitbit, Whatcd, eBay, Twitter, Facebook, Yahoo, and PayPal, among others.

The malware can post its lure in different languages.

seen this?? :D %s

poglej to fotografijo :D %s

pogled na ovu fotografiju :D %s

titta pmin bild :D %s

shikoni nfoto :D %s

pozrite sa na tto fotografiu :D %s

uita-te la aceasta fotografie :D %s

katso tkuvaa :D %s

bu resmi bakmak :D %s

olhar para esta foto :D %s

spojrzec na to zdjecie :D %s

se dette bildet :D %s

zd meg a kpet :D %s

ser dette billede :D %s

vejte se na mou fotku :D %s

guardare quest’immagine :D %s

look at this picture :D %s

bekijk deze foto :D %s

mira esta fotografa :D %s

schau mal das foto an :D %s

regardez cette photo :D %s

This malware is widespread. We advise customers to be extra cautious when clicking on links, particularly those with words such as “pic” or image” that appear in the chat windows of messaging software.

 

Update

We have now seen this bot download and execute ransomware, which locks the victim’s machine and demands money to return control to the user. The lock screen of the ransomware also rips off the McAfee logo. This family of ransomware checks for the victim’s location and then produces the lock screen. It charges about US$200 to release the desktop.

The malware modifies the registry entry “System\CurrentControlSet\Control\SafeBoot” to prevent users from booting into Safe Mode.

The ransomware disables:

  • Taskmgr.exe
  • cmd.exe
  • regedit.exe
  • msconfig.exe

The most recent sample we received also shows porn images in the lock screen.
Ransomware