NgrBot is malware that can steal our email, username, and password. It is a worm-like trojan that can spread rapidly, because it uses a shortcut type that differs from the normal kind.
NgrBot is known by its alphabetic icon.
It is written in C++. Another ability of this malware is that it cannot be read from memory (rootkit): to protect itself, it uses a hooking technique on some API functions. However, the malware is not active when the user is in safe mode.
The most notable ability of this malware is how it steals user data, IDs, and other private accounts.
These are the websites this malware targets
NgrBot has many variants. These are the variants of NgrBot:
1. NgrBot
The NgrBot host file is in the Application Data folder with a random name and extension (.Exe / .Tmp). In addition, NgrBot hides in a RECYCLER folder, which the malware creates after a removable disk is connected to the infected computer.
2. NgrBot.drp.A
One of NgrBot's droppers, located in the Startup folder, which extracts NgrBot.exe.A and NgrBot.bat.
3. NgrBot.drp.B
A variant of NgrBot placed in Application Data that has the same function as NgrBot.drp.A.
4. NgrBot.lnk
Unlike other shortcuts, NgrBot.lnk adds extra parameters to its shortcut, for example:
• %windir%\system32\cmd.exe /c "start => Calls Command Prompt with the parameter "/c", which means Command Prompt closes automatically after the file is executed. There is also "start", which is used to execute a file
• %cd% => Parameter used to access a folder
• RECYCLER\bcd8f464.exe => Used to access the RECYCLER folder, which contains the host virus named "bcd8f464.exe"
• %windir%\explorer.exe => Calls explorer.exe to open the folder with the same name as the shortcut that was launched, so that other people believe the shortcut is a normal folder
• Removal => Example of a folder name
5. NgrBot.bat
A companion used to execute NgrBot.exe.A and pass it a special parameter.
6. NgrBot.exe.A
A companion of NgrBot that is executed by NgrBot.bat from the same path, which is the temporary (temp) folder.
7. NgrBot.dat
A companion file that contains only random characters and is normally found in the system32 folder or the Documents and Settings folder.
8. NgrBot.exe.B
NgrBot.exe.B is always in the User Profile and also creates a registry value named –“u” so it can launch at startup.
9. NgrBot.inf
Like other malware that uses Autorun.inf to launch itself, NgrBot is no exception. It creates an Autorun.inf too, and always adds random characters to it.
10. NgrBot.mem
Threads that reside in memory and cannot be detected by ordinary detection techniques because they are hidden by rootkit techniques. They also use hooking techniques while monitoring user activity, and continue to spread the companions every time a removable disk is connected to the computer.
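A defensive check for the shortcut pattern described in item 4 (NgrBot.lnk), as an added example that is not code from the original post or from any antivirus product: it flags a shortcut command line that uses cmd.exe /c to start an executable from a RECYCLER folder. It assumes the shortcut's target and arguments were already extracted into one string by another tool; the function name, indicator names and sample lines are constructed for illustration.

```python
import re

# Indicators built from the NgrBot.lnk parts listed in item 4.
INDICATORS = {
    "cmd_c": re.compile(r'(?:^|\\)cmd(?:\.exe)?\s+/c\b', re.I),
    "start": re.compile(r'\bstart\s', re.I),
    "recycler_exe": re.compile(r'RECYCLER\\([^\\\s"&]+\.exe)\b', re.I),
    "explorer_decoy": re.compile(r'(?:^|\\)explorer(?:\.exe)?\s+\S', re.I),
}

def analyze_shortcut(command_line):
    """Return which indicators a shortcut command line matches."""
    # Blog and chat tools often turn " into curly quotes; undo that first.
    text = command_line.replace("\u201c", '"').replace("\u201d", '"')
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    payload = INDICATORS["recycler_exe"].search(text)
    return {
        "indicators": hits,
        "payload": payload.group(1) if payload else None,
        # cmd /c launching an executable out of RECYCLER is the core pattern;
        # "start" and the explorer.exe decoy only add context.
        "suspicious": "cmd_c" in hits and "recycler_exe" in hits,
    }

# Constructed samples: the first joins the parts from the page into one line
# (the exact joining is an assumption); the others are ordinary shortcuts.
SAMPLES = [
    r'%windir%\system32\cmd.exe /c "start %cd%RECYCLER\bcd8f464.exe &&%windir%\explorer.exe %cd%Removal"',
    r'%windir%\explorer.exe D:\Photos',
    r'%windir%\system32\cmd.exe /c dir',
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = analyze_shortcut(line)
        print(result["suspicious"], result["payload"], result["indicators"])
```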
Here are some tips to protect against this malware:
1. Don't click links in chat if you don't know what they are
2. Tell your friends if they send a link in chat
3. Update your antivirus
4. Always use HTTPS
5. Sign out after using any website that requires login
But if you have been infected by this malware, you can download PCMAV Express for NgrBot from Here.