NGRBot

NGRBot is a dangerous malware infection that is known for mimicking Skype in order to trick computer users into opening its malicious executable file. ESG security researchers observed that the NGRBot infection is being distributed in spam email messages that contain what is supposed to be a Skype link. This supposed link claims to lead the computer user to an image file. However, this link actually downloads a file named skype_09-10-12_image.exe. Of course, the EXE extension is not correspondent to an image file. Rather, this malicious executable installs NGRBot, also known as Dorgbot or Dorkbot. This particular variant of the NGRBot infection was first detected in October 6 of 2012. It contains the same functionality as previous Dorkbot variants except for an additional malicious module that allows this malware threat to abduct sensitive data such as credit card details or login credentials for numerous websites.

The NGRBot infection contains a specific module that allows this threat to steal private information such as login credentials for popular websites and online accounts. By analyzing NGRBot's code, ESG security researchers have observed that the NGRBot can steal the following private information:

1. The NGRBot malware infection has the ability to detect web traffic involving credit card transactions. It is designed to steal credit card data as well as online banking information. NGRBot then transfers this data to a third party which can then use these credit card numbers to steal the victim's identity.
2. NGRBot also contains a module that allows NGRBot to steal login information for popular webmail and social media services, such as Gmail, Facebook, Yahoo and Twitter.
3. However, the NGRBot infection can also steal login information for popular pornographic websites (such as YouPorn and Brazzers) or for some of the largest private torrent websites (such as WhatCD or Torrentleech). This login information is then sold on shady websites and IRC networks.
4. In fact, few websites are not included in NGRBot's list of potential theft targets. This malware infection will steal login credentials for websites ranging from eBay and PayPal to Godaddy and Netflix, among many others.

Like most Dorkbot variants, NGRBot spreads via Skype and instant messaging services. It will send out messages from an infected computer that will typically read 'hey, have you seen this pic?' followed by a malicious link to the NGRBot executable. These messages can be sent out in dozens of different languages, allowing NGRBot to attack computers all around the world.

SpyHunter Detects & Remove NGRBot