We recently received a sample of the malware NGRBot from a customer, who got a spam email with what appears to be a Skype link. Victims are lured into clicking a link that promises an image. Once victims click the link, the file skype_09-10-12_image.exe gets dropped on their machines and launches itself, spamming all of their contacts. This bot is also known as Dorkbot. Kaspersky states that the malware was first seen on October 6.
The bot comes with a Skype icon and tricks its victims into executing the file.
We have already written about NGRBot earlier here. This sample comes with an additional module to steal credit card and login details.
The new bot module steals login credentials of victims from Gmail, AOL, FastMail, MoneyBookers, Megaupload, SpeedyShare, YouTube, iknowthatgirl, YouPorn, Brazzers, Webnames, Dotster, Enom, 1and1, Moniker, Namecheap, Godaddy, Alertpay, Netflix, Thepiratebay, Torrentleech, Vip-file, Sms4file, Letitbit, Whatcd, eBay, Twitter, Facebook, Yahoo, and PayPal, among others.
The malware can post its lure in different languages:
seen this?? %s
poglej to fotografijo %s
pogled na ovu fotografiju %s
titta pmin bild %s
shikoni nfoto %s
pozrite sa na tto fotografiu %s
uita-te la aceasta fotografie %s
katso tkuvaa %s
bu resmi bakmak %s
olhar para esta foto %s
spojrzec na to zdjecie %s
se dette bildet %s
zd meg a kpet %s
ser dette billede %s
vejte se na mou fotku %s
guardare quest’immagine %s
look at this picture %s
bekijk deze foto %s
mira esta fotografa %s
schau mal das foto an %s
regardez cette photo %s
This malware is widespread. We advise customers to be extra cautious when clicking on links, particularly those with words such as “pic” or “image” that appear in the chat windows of messaging software.
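As an added example (not code from the original post or from any vendor tool), the lure templates listed above can be turned into a chat-message filter: each template becomes a regular expression whose %s slot must hold a link. The function names, the URL pattern and the sample messages are assumptions made for illustration.

```python
import re

# Lure templates copied as printed in the list above; "%s" is where the bot
# inserts its link. Some entries appear to have lost accented letters on the page.
LURES = """seen this?? %s
poglej to fotografijo %s
pogled na ovu fotografiju %s
titta pmin bild %s
shikoni nfoto %s
pozrite sa na tto fotografiu %s
uita-te la aceasta fotografie %s
katso tkuvaa %s
bu resmi bakmak %s
olhar para esta foto %s
spojrzec na to zdjecie %s
se dette bildet %s
zd meg a kpet %s
ser dette billede %s
vejte se na mou fotku %s
guardare quest’immagine %s
look at this picture %s
bekijk deze foto %s
mira esta fotografa %s
schau mal das foto an %s
regardez cette photo %s""".splitlines()

# Assumption: the link is a bare or http(s) URL with a dotted host name.
URL = r"(?P<url>(?:https?://)?[\w-]+(?:\.[\w-]+)+\S*)"

def compile_lure(template):
    """Build a case-insensitive regex from one template, tolerant of extra spaces."""
    words = template.replace("%s", "").split()
    text = r"\s+".join(re.escape(w) for w in words)
    return re.compile(r"\s*" + text + r"\s+" + URL + r"\s*$", re.IGNORECASE)

PATTERNS = [(t, compile_lure(t)) for t in LURES]

def match_lure(message):
    """Return (template, url) when a chat message is a known lure, else None."""
    hits = ((t, rx.match(message)) for t, rx in PATTERNS)
    return next(((t, m.group("url")) for t, m in hits if m), None)

if __name__ == "__main__":
    # Constructed chat lines; example.test is a placeholder host.
    for line in ("look at this picture http://example.test/img?id=42",
                 "Schau  mal das Foto an example.test/p.php",
                 "look at this picture when you get a chance"):
        print(match_lure(line), "<-", line)
```

Because the templates are matched exactly as printed, a message carrying the original accented spelling of a lure will not match until the template is corrected from a clean sample.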