General explanation

Type: Worm

Degree of destruction: high

Prevalence: high

Names of the malware:

  • Worm.Win32.Dorkbot
  • Worm.Win32.Ngrbot
  • Worm.Ngrbot

What is the Worm?

Computer worms such as Ngrbot are malware capable of self-replication. For persistence, a worm installs a mechanism that re-establishes the infection on every system boot. The distinguishing feature of a worm is how it spreads, which is generally through removable drives and shared network directories.

What is Ngrbot malware?

Ngrbot is malware that injects malicious code into system processes and hooks the APIs of those processes in order to steal information and hide itself from the user. It hands control of the victim's system to the attacker's server, which issues commands over IRC; the attacker can then use the compromised system for further purposes.

Ngrbot also provides a ready platform for downloading and executing other malware. It steals information, spies on the victim's system, and blocks connections to security-related websites. It spreads over the network, through removable drives, and by email.

Technical explanation

Signs of infection

  • mspaint.exe and calc.exe processes running with no user interface (no visible window).
  • The following files and directories exist:
    • %User Profile%\Application Data\Update
    • %User Profile%\Application Data\WindowsUpdate
    • %User Profile%\Application Data\c731200
    • %User Profile%\Application Data\Update\Explorer.exe
    • %User Profile%\Application Data\Update\Update.exe
    • %User Profile%\Application Data\WindowsUpdate\Updater.exe
  • The following files and directories are deleted:
    • [SystemRoot]:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    • %User Profile%\Start Menu\Programs\Startup\desktop.ini
    • [SystemRoot]:\RECYCLER
  • Creates the following registry values (Run-key persistence):
    • …\Software\Microsoft\Windows\CurrentVersion\Run
      Value name: Windows Update Installer
      Data: %User Profile%\Application Data\WindowsUpdate\Updater.exe
    • …\Software\Microsoft\Windows\CurrentVersion\Run
      Value name: Windows Explorer Manager
      Data: %User Profile%\Application Data\Update\Explorer.exe
  • Downloads and runs further malware of various types and families (Trojans, network worms, backdoors, etc.).
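The indicators above can be checked on a live host with the following PowerShell triage script. This is an added example, not Padvish's tooling or code from this page: the file paths and Run value names are taken from the list above, the HKLM Run key is checked in addition to HKCU as a precaution, and the pattern that also matches %APPDATA%\Roaming is an assumption for Windows versions after XP, where the "Application Data" folder became "AppData\Roaming". All checks are read-only.

```powershell
# Added example (not from the original page): triage a Windows host for the Ngrbot
# indicators listed in the "Signs of infection" section. Run in an elevated PowerShell.

# %User Profile%\Application Data on XP; %APPDATA% (AppData\Roaming) on later Windows.
$appData = [Environment]::GetFolderPath('ApplicationData')

# Dropped files and directories from the page's indicator list.
$suspectPaths = @(
    (Join-Path $appData 'Update'),
    (Join-Path $appData 'WindowsUpdate'),
    (Join-Path $appData 'c731200'),
    (Join-Path $appData 'Update\Explorer.exe'),
    (Join-Path $appData 'Update\Update.exe'),
    (Join-Path $appData 'WindowsUpdate\Updater.exe')
)

# Run value names from the page; HKLM is an assumption added for completeness.
$suspectRunValues = @('Windows Update Installer', 'Windows Explorer Manager')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files and directories.
foreach ($p in $suspectPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File/dir present: $p") }
}

# 2. Run-key persistence. Match on the listed value names, and also on any value whose
#    data points into the dropped directories, since a value name is trivial to change.
$dropDirPattern = '(?i)\\(Application Data|AppData\\Roaming)\\(Update|WindowsUpdate)\\'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's metadata properties
        $data = [string]$prop.Value
        $nameHit = $suspectRunValues -contains $prop.Name
        $dataHit = $data -match $dropDirPattern
        if ($nameHit -or $dataHit) {
            $findings.Add("Run value '$($prop.Name)' in $key -> $data")
        }
    }
}

# 3. mspaint.exe / calc.exe running without a window, as listed in the page.
foreach ($proc in Get-Process -Name mspaint, calc -ErrorAction SilentlyContinue) {
    if ($proc.MainWindowHandle -eq 0) {
        $findings.Add("Windowless $($proc.ProcessName).exe PID $($proc.Id)")
    }
}

# 4. The Startup folder's desktop.ini is deleted by the malware. Its absence alone is
#    a weak signal, so it is reported as a note rather than a finding.
$startupIni = Join-Path ([Environment]::GetFolderPath('Startup')) 'desktop.ini'
if (-not (Test-Path -LiteralPath $startupIni)) { $findings.Add("Note: $startupIni is missing") }

if ($findings.Count -eq 0) { 'No Ngrbot indicators found.' } else { $findings }
```

A Run value whose data points into the Update or WindowsUpdate directory is a stronger signal than the value name alone, because the name is the easiest part for a variant to change. A hit from this script only identifies the infection; because the worm re-establishes itself at boot and spreads through removable drives, the system and any drives that were connected to it still need to be disinfected.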

How to deal with it and disinfect the system

Padvish's UMP capability, part of its behavioral protection, can prevent a system from being infected through a removable drive. To block Ngrbot and other malware that spreads via removable drives, it is recommended to install Padvish so that such malware is stopped before it enters and infects the system.

If your system is infected by Ngrbot, proceed as follows:

  1. Install Padvish on your system.
  2. Connect the infected removable drive to the system.
  3. Scan the removable drive with Padvish to disinfect both the system and the drive.
