Nrgbot

by alexander.adamov on July 19th, 2013 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 126976 bytes
Packer: unknown
Unpacked size: 320 Kb
Language: C++
MD5: 85f087a291256829f418a3be3dd76ad8
SHA1: 112d92cdd5165af9c0d22f931e77f929b97395fa
Aliases: Dorkbot, Trojan.Win32.Generic!BT

Summary

Nrgbot (also known as Dorkbot) is a Trojan-spy program designed to steal confidential data. Because it also spreads on its own over removable drives, social networks and FTP servers, the description below refers to it as a worm.

Technical Details

Installation

Once launched, the worm copies itself to the current user's "Application Data" folder under a randomly generated name:

%Documents and Settings%\%Current User%\%AppData%\<rnd>.exe
%Documents and Settings%\%Current User%\%AppData%\<rnd>.scr

To be launched automatically at each Windows startup, the worm adds a reference to its executable file to the autorun key in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd>" ="%Documents and Settings%\%Current User%\%AppData%\<rnd>.scr"

where <rnd> is a random letter sequence (for example "Xppipf") produced by an algorithm seeded with the volume serial number, so the same machine yields the same name.

To hide its executable file and its registry autorun value, the worm hooks the following functions in the processes it has injected into (see Payload). These are user-mode hooks: Explorer and regedit running on the infected system do not show the file or the value, while Safe Mode or a clean system does.

NtQueryDirectoryFile
NtEnumerateValueKey

To prevent its executable file from being deleted or moved, the worm hooks the following functions:

DeleteFileA
DeleteFileW
MoveFileA
MoveFileW

Once it is successfully installed on the system, the worm deletes its original file.

Payload

The worm searches the system for the following process:

explorer.exe

and injects its malicious code into that process's address space. The code injected into explorer.exe in turn injects itself into every other running process, except:

smss.exe
lsass.exe

To inject its code into processes started later on the system, the worm hooks the following function:

NtResumeThread

Using the injected code, the worm can perform the actions described below on the user's PC.

The worm connects to the following IRC servers, which serve as its command-and-control channel:

a.zabrouskics.com
a.tanikai.com
a.zabreefikk.com
waiknger.com
hedrmsad.com
shaimenal.com

To learn the external IP address of the infected system as well as its ZIP code, the worm then connects to the following server:

api.wipmania.com

The received information is then used when generating the name under which the bot connects to the IRC server. Below is an example of communication between a bot and a server:

In the server's response, the worm receives a URL from which to download an updated copy of itself, as well as a command to reboot the PC.
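The C2 domains and the geolocation lookup above are the most useful network indicators in this description. The following is an added example (not code from the original description or from the malware) of detection logic run over DNS query logs: a host that first geolocates itself via api.wipmania.com and then resolves one of the IRC domains is flagged. The log format is assumed to be BIND-style query logging, and the sample lines are constructed for the example; the client addresses in them are made up.

```python
"""Flag hosts whose DNS queries match the Nrgbot C2 and geolocation domains
named in the description. Added example; log lines below are constructed."""
import re
from collections import defaultdict

# Domains taken from the description above.
NRGBOT_C2 = {
    "a.zabrouskics.com", "a.tanikai.com", "a.zabreefikk.com",
    "waiknger.com", "hedrmsad.com", "shaimenal.com",
}
GEOLOCATION = {"api.wipmania.com"}

# Assumed log format (BIND query log):
#   <date> <time> client <ip>#<port>: query: <name> IN <type> ...
LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)"
)


def classify(name):
    """Return "c2", "geo" or None for a queried name (case- and dot-insensitive)."""
    n = name.rstrip(".").lower()
    if n in NRGBOT_C2 or any(n.endswith("." + d) for d in NRGBOT_C2):
        return "c2"
    if n in GEOLOCATION:
        return "geo"
    return None


def scan_dns_log(lines):
    """Return {client_ip: {"c2": set(names), "geo": set(names)}} for clients
    with at least one hit; non-matching lines are ignored."""
    hits = defaultdict(lambda: {"c2": set(), "geo": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        kind = classify(m.group("name"))
        if kind:
            hits[m.group("ip")][kind].add(m.group("name").rstrip(".").lower())
    return dict(hits)


def likely_infected(hits):
    """Hosts that both geolocated themselves and queried a C2 domain, which is
    the sequence the description gives for a fresh bot."""
    return sorted(ip for ip, h in hits.items() if h["c2"] and h["geo"])


# Constructed sample log: 10.0.0.12 behaves like a bot, 10.0.0.7 is clean,
# 10.0.0.9 only touched the geolocation service.
SAMPLE_LOG = [
    "19-Jul-2013 10:00:01.101 client 10.0.0.12#49152: query: api.wipmania.com IN A + (10.0.0.1)",
    "19-Jul-2013 10:00:02.220 client 10.0.0.12#49153: query: a.tanikai.com IN A + (10.0.0.1)",
    "19-Jul-2013 10:00:05.470 client 10.0.0.12#49154: query: hedrmsad.com IN A + (10.0.0.1)",
    "19-Jul-2013 10:00:06.003 client 10.0.0.7#53001: query: www.example.com IN A + (10.0.0.1)",
    "19-Jul-2013 10:00:09.811 client 10.0.0.9#53002: query: api.wipmania.com IN A + (10.0.0.1)",
    "this line is not a query log entry and is skipped",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for ip in sorted(found):
        print(ip, "c2=%s geo=%s" % (sorted(found[ip]["c2"]), sorted(found[ip]["geo"])))
    print("likely infected:", likely_infected(found))
```

A query to api.wipmania.com on its own is weak evidence, since the service is public; the C2 domains are the strong indicator, and since the description dates from 2013 they may since have been sinkholed or re-registered, so treat a hit as a trigger for host triage rather than proof.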

To evade antivirus signatures, a polymorphic mutator runs on the attacker's server. On each update the mutator re-encrypts the worm's file, so every downloaded copy has a different hash:

At the time this description was written, the worm downloaded a new version of itself with MD5 b379eb791038e522efda14a29c7d2bcd; the file is detected by Ad-Aware as Trojan.Win32.Generic!BT.

At the time this description was written, the worm also received commands to download additional modules. The downloaded files were saved under the following names:

%Documents and Settings%\%Current User%\%AppData%\2.exe

The file is 52744 bytes in size, MD5: e97359e03fce31965d6780ad002c5f0b, and is detected by Ad-Aware as Trojan.Win32.Generic!BT.

%Documents and Settings%\%Current User%\%AppData%\3.exe

The file is 15880 bytes in size, MD5: dd719d3980681679f1c27aa2a0d0d9b9, and is detected by Ad-Aware as Trojan.Win32.Generic!BT.

%Documents and Settings%\%Current User%\%AppData%\4.exe

The file is 3788 bytes in size, MD5: 7dd9e178941cf93ea2f72c5d94ab58c1, and is detected by Ad-Aware as Trojan.Win32.Generic!BT.

Once downloaded, the files are executed and install themselves into the hidden "RECYCLER" folder under a randomly generated name:

C:\RECYCLER\S-1-5-21-02433556031-8888888379-781863308\<rnd2>.exe

The files add themselves to the autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd2>" = "C:\RECYCLER\S-1-5-21-02433556031-8888888379-781863308\<rnd2>.exe"

where <rnd2> is a random sequence of Latin letters, for example "zaberg".

The worm runs a thread that monitors the integrity of its own executable file. If it detects that the file has been modified, it zeroes out the first 63 sectors of every hard drive, including the MBR (Master Boot Record), and displays the following message. For this reason the file must not be patched or disinfected in place while the worm is running; removal should be done from Safe Mode, as described below.

To monitor and modify network traffic and file access from user applications, the worm hooks the following functions:

send
GetAddrInfoW
HttpSendRequestA
HttpSendRequestW
InternetWriteFile
DnsQuery_A
DnsQuery_W
PR_Write
URLDownloadToFileA
URLDownloadToFileW
CreateFileA
CreateFileW

Through these hooks the worm inspects and manipulates the traffic of the following browser and instant-messaging processes:

pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe

and steals the account credentials entered for the following services:

YouTube
AOL
BigString
Fastmail
Gmail
GMX
Live
Yahoo
Facebook
Hackforums
Steam
NoIP
DynDNS
Runescape
Moneybookers
Twitter
LogMeIn
OfficeBanking
eBay
Megaupload
Sendspace
Mediafire
Freakshare
Netload
4shared
Hotfile
Fileserve
Uploading
Uploaded
Speedyshare
Filesonic
Oron
Whatcd
Letitbit
Sms4file
Vip-file
Torrentleech
Thepiratebay
Netflix
Alertpay
Godaddy
Namecheap
Moniker
Enom
Dotster
Webnames
cPanel
WHM
WHCMS
Directadmin
Bcointernacional
Brazzers
YouPorn
IKnowThatGirl

FTP credentials sent by these processes are stolen as well.

The worm also blocks requests to URLs associated with browser exploit packs in the following browsers:

Internet Explorer
Mozilla Firefox

and watches for the following processes being started on the system:

ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe

When one of these processes is detected, the worm terminates lsass.exe. Windows cannot run without this process, so the system is forced to restart and the following message appears:

It blocks access to Internet resources whose domain names contain the following strings (mostly antivirus vendors and online scanning services):

webroot.
fortinet.
virusbuster.
nprotect.
gdatasoftware.
virus.
precisesecurity.
lavasoft.
heck.tc
emsisoft.
onlinemalwarescanner.
onecare.live.
f-secure.
bullguard.
clamav.
pandasecurity.
sophos.
malwarebytes.
sunbeltsoftware.
norton.
norman.
mcafee.
symantec
comodo.
avast.
avira.
avg.
bitdefender.
eset.
kaspersky.
trendmicro.
iseclab.
virscan.
garyshood.
viruschief.
jotti.
threatexpert.
novirusthanks.
virustotal.

On the attacker's command, the worm can also run UDP and SYN flood attacks, log FTP and POP traffic, and block or redirect access to web resources.

Propagation

The worm registers for device notifications using RegisterDeviceNotification, so it is notified whenever a USB drive is plugged in; it then starts infecting that drive.

The worm copies itself to the plugged-in USB drive under a randomly generated name and writes an "AutoRun.inf" file to the drive's root folder, so that the copy is executed each time the user opens the infected drive in Windows Explorer. Both files are created with the hidden attribute. In addition, the worm copies itself under a random name (for example "2bc58ef0.exe") into a "Recycler" folder that it creates on the drive; its downloaded modules and a "Desktop.ini" file are stored in that folder as well. The "Desktop.ini" file has the following content:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

which makes Windows Explorer display the folder as a Recycle Bin, hiding its real contents from casual inspection.

All folders in the drive's root directory are marked hidden, and shortcut (.lnk) files named after the hidden folders are created that point to the worm's body, so a user who clicks what looks like a folder launches the worm instead.
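The drive layout described above (autorun.inf in the root, a "Recycler" folder disguised with the Recycle Bin CLSID, and .lnk files standing in for hidden folders) can be checked without running anything from the drive. The following is an added example, not code from the original description: it scans a mounted drive's root directory from a clean machine and reports which of those artefacts are present. The sample drive is constructed in a temporary directory; the SID-like folder name and the Desktop.ini content are the ones given above, while the autorun.inf text and the file names "Photos", "Clean" and "holiday.jpg" are assumed for the example. The hidden attribute is not checked, since it is a Windows-only property.

```python
"""Scan a removable drive's root for the Nrgbot propagation layout.
Added example; the fixture built by build_sample_drive() is constructed."""
import os
import shutil
import tempfile

# CLSID from the Desktop.ini shown in the description (the Recycle Bin).
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# SID-like folder name from the description.
RECYCLER_SID = "S-1-5-21-02433556031-8888888379-781863308"


def reads_as_recycle_bin(desktop_ini_text):
    """True if Desktop.ini sets [.ShellClassInfo] CLSID to the Recycle Bin."""
    section = None
    for raw in desktop_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == ".shellclassinfo" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "clsid" and value.strip().upper() == RECYCLE_BIN_CLSID:
                return True
    return False


def scan_drive(root):
    """Return the artefacts found in the drive root: autorun.inf, .lnk files
    named after folders, executables under RECYCLER, disguised folders."""
    findings = {"autorun_inf": False, "lnk_for_folder": [],
                "recycler_exes": [], "recycler_disguised": []}
    entries = {e.lower(): e for e in os.listdir(root)}
    findings["autorun_inf"] = "autorun.inf" in entries
    for lower, name in entries.items():
        if os.path.isdir(os.path.join(root, name)) and lower + ".lnk" in entries:
            findings["lnk_for_folder"].append(name)
    recycler = entries.get("recycler")
    if recycler:
        for dirpath, _, files in os.walk(os.path.join(root, recycler)):
            lower_files = {f.lower(): f for f in files}
            if "desktop.ini" in lower_files:
                ini = os.path.join(dirpath, lower_files["desktop.ini"])
                with open(ini, encoding="utf-8", errors="replace") as fh:
                    if reads_as_recycle_bin(fh.read()):
                        findings["recycler_disguised"].append(dirpath)
            findings["recycler_exes"].extend(
                os.path.join(dirpath, f) for f in files if f.lower().endswith(".exe"))
    return findings


def is_suspicious(findings):
    """Autorun plus either a RECYCLER executable or folder-named shortcuts."""
    return bool(findings["autorun_inf"]
                and (findings["recycler_exes"] or findings["lnk_for_folder"]))


def build_sample_drive(root, infected=True):
    """Constructed fixture: a user's folders, plus the worm's layout if infected."""
    os.makedirs(os.path.join(root, "Photos"))
    with open(os.path.join(root, "Photos", "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8")          # placeholder bytes, not a real image
    os.makedirs(os.path.join(root, "Clean"))   # folder without a matching .lnk
    if not infected:
        return
    rdir = os.path.join(root, "RECYCLER", RECYCLER_SID)
    os.makedirs(rdir)
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\%s\\2bc58ef0.exe\n" % RECYCLER_SID)  # assumed content
    with open(os.path.join(rdir, "2bc58ef0.exe"), "wb") as fh:
        fh.write(b"MZ")                # placeholder, not malware
    with open(os.path.join(rdir, "Desktop.ini"), "w", encoding="utf-8") as fh:
        fh.write("[.ShellClassInfo]\nCLSID=%s\n" % RECYCLE_BIN_CLSID)
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00")     # placeholder shortcut bytes


def demo(infected=True):
    """Build the fixture in a temp dir, scan it, return findings with paths
    made relative to the drive root and using forward slashes."""
    root = tempfile.mkdtemp()
    try:
        build_sample_drive(root, infected)
        f = scan_drive(root)

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        f["recycler_exes"] = sorted(rel(p) for p in f["recycler_exes"])
        f["recycler_disguised"] = sorted(rel(p) for p in f["recycler_disguised"])
        f["lnk_for_folder"] = sorted(f["lnk_for_folder"])
        return f
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo(), is_suspicious(demo()))
```

Run the scan from a clean machine: on the infected host the NtQueryDirectoryFile hook described under Installation hides the worm's files from any injected process, including the Python interpreter.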

In addition, the worm spreads through social networks (Bebo, Vkontakte, Twitter, Facebook) by modifying messages sent by the user to add a link to the worm's executable file.

The worm infects HTML pages on compromised FTP servers by adding a hidden frame (iframe) that loads the worm's body.

Removal Recommendations

  1. Restart the computer in Safe Mode (press and hold the F8 key as the computer restarts, then select "Safe Mode" from the boot menu). In Safe Mode the Run key is not processed, so the worm and its hooks are not active.
  2. Delete the files:
     %Documents and Settings%\%Current User%\%AppData%\<rnd>.exe
     %Documents and Settings%\%Current User%\%AppData%\<rnd>.scr
     %Documents and Settings%\%Current User%\%AppData%\2.exe
     %Documents and Settings%\%Current User%\%AppData%\3.exe
     %Documents and Settings%\%Current User%\%AppData%\4.exe
     C:\RECYCLER\S-1-5-21-02433556031-8888888379-781863308\<rnd2>.exe

  3. Delete the following values from the registry keys:
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
     "<rnd>" ="%Documents and Settings%\%Current User%\%AppData%\<rnd>.scr"

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
     "<rnd2>" = "C:\RECYCLER\S-1-5-21-02433556031-8888888379-781863308\<rnd2>.exe"

  4. Clean the Temporary Internet Files folder, which contains infected files.
  5. Check every USB drive that has been plugged into the computer for the AutoRun.inf file, the hidden "Recycler" folder and the .lnk files described under Propagation, and remove them.
  6. Restart the PC.
  7. Run a full scan of the computer with an antivirus program using an up-to-date definition database.
  8. Change all usernames and passwords for the services in use, doing so from a clean machine, since the worm steals credentials for the services listed above.
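Steps 2 and 3 depend on spotting the random <rnd> and <rnd2> names among the legitimate Run entries. The following is an added example, not code from the original description: it parses a .reg export of the HKCU Run key (made with regedit's Export while in Safe Mode, since in a normal session the NtEnumerateValueKey hook described under Installation hides the value), flags the two autorun patterns from this description, and checks file bytes against the MD5 hashes listed above. The sample export is constructed; the benign "ctfmon.exe" and "Updater" entries and the user name are made up.

```python
"""Triage a regedit .reg export of the HKCU Run key for Nrgbot autorun
entries and hash files against the MD5s in the description. Added example."""
import hashlib
import re

# Hashes from the description above.
KNOWN_MD5 = {
    "85f087a291256829f418a3be3dd76ad8": "Nrgbot (this description)",
    "b379eb791038e522efda14a29c7d2bcd": "Nrgbot updated copy",
    "e97359e03fce31965d6780ad002c5f0b": "module 2.exe",
    "dd719d3980681679f1c27aa2a0d0d9b9": "module 3.exe",
    "7dd9e178941cf93ea2f72c5d94ab58c1": "module 4.exe",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# "name"="data" lines of a .reg export (REG_SZ only; other types are skipped).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: unescaped string data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # .reg escapes backslashes as \\ and quotes as \"
                keys[current][m.group("name")] = re.sub(r'\\(["\\])', r'\1', m.group("data"))
    return keys


def suspicious_run_values(run_values):
    """Flag entries matching the description: an .exe/.scr placed directly in
    "Application Data", or anything launched from a RECYCLER folder."""
    out = []
    marker = "\\application data\\"
    for name, data in run_values.items():
        p = data.lower()
        hit = "\\recycler\\" in p
        idx = p.find(marker)
        if idx != -1:
            rest = p[idx + len(marker):].split('"')[0].strip()  # drop quotes/arguments
            if "\\" not in rest and rest.endswith((".scr", ".exe")):
                hit = True
        if hit:
            out.append((name, data))
    return sorted(out)


def triage(reg_text):
    return suspicious_run_values(parse_reg_export(reg_text).get(RUN_KEY, {}))


def match_known(data):
    """Name of the sample whose MD5 equals that of the given bytes, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def match_known_file(path):
    with open(path, "rb") as fh:
        return match_known(fh.read())


# Constructed sample export: two worm entries among two benign ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Xppipf"="C:\\Documents and Settings\\user\\Application Data\\Xppipf.scr"
"zaberg"="C:\\RECYCLER\\S-1-5-21-02433556031-8888888379-781863308\\zaberg.exe"
"Updater"="\"C:\\Documents and Settings\\user\\Application Data\\Vendor\\Updater\\updater.exe\" /c"
'''

if __name__ == "__main__":
    for name, data in triage(SAMPLE_REG):
        print("suspicious Run value: %s = %s" % (name, data))
```

The "Application Data" rule deliberately ignores executables in vendor subfolders, which is where legitimate per-user software installs; the worm's files sit directly in the folder root, as the paths above show. Hash matching only catches the exact samples analysed here, since the server-side mutator gives every update a new hash, so a non-match is not a clean bill of health.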