![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/pic12.png\")
<\/a><\/p>\nFigure 1: We see “ngrbot” string in memory.<\/p>\n
Once connected to the IRC channel, the bot can function as backdoor and receive commands from a remote attacker.<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/34.png\" "\\"Modules\\"")
<\/p>\n
The following message box is displayed if someone tries to reverse engineer the malware:<\/p>\n
Figure 2: NGRBot\u2019s paths of operation and related activity.<\/p>\n <\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RushKill Module\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Grabber Module<\/strong><\/p>\n With the help of the Grabber module, the bot can intercept communications between the victim and browser chat and steals the username and password.<\/p>\n NGRBot uses mutual exclusion to ensure one of its instances is always running:<\/p>\n A message from the NGRBot author and the script file for deleting downloaded files<\/strong><\/p>\n <\/p>\n The Trojan connects to two sites:<\/p>\n The Fake AV Live Security Platinum blocks victims from several files:<\/p>\n The malware stops the victim from downloading files with the following file extensions:<\/p>\n McAfee successfully unhooks and completely cleans the malware. Update your scanners with the latest DATs. Avoid clicking on suspicious links in chat windows or on social networking sites without first searching online. Beware of social engineering tricks used by malware authors to lure victims into clicking malicious links. Make sure you have a reputable firewall installed in your machine.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" NGRBot is a worm that propagates through chat messengers, the Internet Relay Chat channel, social networking sites etc. It steals…<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[49],"coauthors":[3973],"class_list":["post-18705","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-botnet"],"acf":[],"yoast_head":"\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/sec1.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/61.png\")
<\/a><\/p>\nA Look at NGRBot: Self-update and DNS-setting modification modules<\/strong><\/h2>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/71.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/8.png\")
<\/a><\/p>\nFlooder Module Strings<\/strong><\/h2>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/10.png\")
<\/a><\/p>\nIRC Communicator Module Strings<\/strong><\/h2>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/112.png\")
<\/a><\/p>\nSpreader Module<\/strong><\/h2>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/12.png\")
<\/a><\/p>\nString Related to Bot Joining IRC Channel<\/strong><\/h2>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/13.png\")
<\/a><\/p>\nBehavioral characteristics:<\/strong><\/h2>\n
\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/14.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/15.png\")
<\/a><\/p>\n\n\n
\n scfmanager<\/td>\n Fsaw<\/td>\n livesrv<\/td>\n mscif<\/td>\n vir.exe<\/td>\n<\/tr>\n \n savser<\/td>\n Fspex<\/td>\n bdmcon<\/td>\n mpft<\/td>\n webproxy<\/td>\n<\/tr>\n \n savadmins<\/td>\n fsm32<\/td>\n bdagent<\/td>\n mpfser<\/td>\n pavfnsvr<\/td>\n<\/tr>\n \n alsvc<\/td>\n Tsanti<\/td>\n xcommsvr<\/td>\n mpfag<\/td>\n avengine<\/td>\n<\/tr>\n \n almon<\/td>\n Kavpf<\/td>\n PXConsole<\/td>\n mcvss<\/td>\n avciman<\/td>\n<\/tr>\n \n npfmsg2<\/td>\n Kav<\/td>\n PXAgent<\/td>\n mcvs<\/td>\n apvxdwin<\/td>\n<\/tr>\n \n zlh<\/td>\n dpasnt<\/td>\n kpf4ss<\/td>\n mcupd<\/td>\n avp<\/td>\n<\/tr>\n \n zanda<\/td>\n Msfw<\/td>\n kpf4gui<\/td>\n mcupdm<\/td>\n cavtray<\/td>\n<\/tr>\n \n cclaw<\/td>\n msmps<\/td>\n sunthreate<\/td>\n mctsk<\/td>\n cavrid<\/td>\n<\/tr>\n \n npfsvice<\/td>\n mpeng<\/td>\n sunserv<\/td>\n mcshi<\/td>\n <\/td>\n<\/tr>\n \n njeeves<\/td>\n Msco<\/td>\n sunprotect<\/td>\n mcdet<\/td>\n <\/td>\n<\/tr>\n \n nipsvc<\/td>\n winssno<\/td>\n counter<\/td>\n mcage<\/td>\n <\/td>\n<\/tr>\n \n nip<\/td>\n symlcsvc<\/td>\n clamwin<\/td>\n zlcli<\/td>\n <\/td>\n<\/tr>\n \n nvcsched<\/td>\n spbbcsvc<\/td>\n clamtray<\/td>\n vsmon<\/td>\n <\/td>\n<\/tr>\n \n nvcoas<\/td>\n sndsrvc<\/td>\n avgnt<\/td>\n webroot<\/td>\n <\/td>\n<\/tr>\n \n spidernt<\/td>\n nscsrvce<\/td>\n avguard<\/td>\n spysw<\/td>\n <\/td>\n<\/tr>\n \n spiderui<\/td>\n navapsvc<\/td>\n avesvc<\/td>\n firewalln<\/td>\n <\/td>\n<\/tr>\n \n drweb<\/td>\n ccsetmgr<\/td>\n avcenter<\/td>\n vrmo<\/td>\n <\/td>\n<\/tr>\n \n pxcons<\/td>\n ccproxy<\/td>\n ashwebsv<\/td>\n vrfw<\/td>\n <\/td>\n<\/tr>\n \n pxagent<\/td>\n ccetvm<\/td>\n ashdisp<\/td>\n hsock<\/td>\n <\/td>\n<\/tr>\n \n guardxkickoff<\/td>\n Ccapp<\/td>\n ashmaisv<\/td>\n wmiprv<\/td>\n <\/td>\n<\/tr>\n \n vba32ldr<\/td>\n alusched<\/td>\n ashserv<\/td>\n mxtask<\/td>\n <\/td>\n<\/tr>\n \n nod32kui<\/td>\n Oascl<\/td>\n isafe<\/td>\n caissdt<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n
\n
\n
Advice to Customers<\/strong><\/h2>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/16.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/09\/17.png\")
<\/a><\/p>\n