Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Nabload.DSA

 
  • Threat level: Moderate threat
  • Damage: High
  • Distribution: Not widespread

Effects 

Nabload.DSA uses social engineering techniques to spread and to trick users. In this case, the message in which it reaches the computer refers to the murder of a woman in Brazil, Eliza Samudio, which took place in July 2010.

Additionally, Nabload.DSA downloads a banker Trojan to the computer, designed to steal users' confidential information related to certain Brazilian banking entities.

To do so, when users try to access the websites of the affected banks, they are redirected to other sites that could be malicious and that could allow the Trojan's author to obtain the passwords used to access the banks.

Infection strategy 

Nabload.DSA creates the following files:

  • CTTFMON.EXE and BIOS_SETUP1193.TXT, in the Windows system directory.
  • LOGCPU.EXE and LOGCPU.DAT, in the Windows directory.
  • WAKELUAN3.EXE, TIMSEC.BAT and VIVOSPAWARE.BAT, in the root directory of the C: drive.

 

Nabload.DSA modifies the HOSTS file, in such a way that when users access certain websites, mostly related to Brazilian banking entities, they are redirected to others that could be malicious.

 

Nabload.DSA creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ToolCar = %sysdir%\cttfmon.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Nabload.DSA ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
    %sysdir%\cttfmon.exe = cttfmon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
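
A triage check for the file, Run key and HOSTS indicators listed above, as an added example that is not Panda Security's code. It works on data already collected from a host (a file listing, the values under the Run key, the HOSTS file text). The sample inputs are constructed, and flagging every non-local HOSTS mapping for review is an assumption, since this page does not list the redirected domains.

```python
import ntpath  # Windows path rules on any OS, so collected data can be checked offline

# File names from the list above, keyed by the directory the page places them in.
FILE_IOCS = {
    "sysdir": ["CTTFMON.EXE", "BIOS_SETUP1193.TXT"],
    "windir": ["LOGCPU.EXE", "LOGCPU.DAT"],
    "root": ["WAKELUAN3.EXE", "TIMSEC.BAT", "VIVOSPAWARE.BAT"],
}
LOCAL = {"127.0.0.1", "::1", "0.0.0.0"}  # loopback / null-route: not a redirect


def check_files(listing, dirs):
    """Return listed paths (case-normalised) that match a file indicator."""
    present = {ntpath.normcase(p) for p in listing}
    wanted = [ntpath.normcase(ntpath.join(dirs[k], n))
              for k, names in FILE_IOCS.items() for n in names]
    return [p for p in wanted if p in present]


def check_run_key(run_values, sysdir):
    """Return Run-key values named ToolCar that point at %sysdir%\\cttfmon.exe."""
    target = ntpath.normcase(ntpath.join(sysdir, "cttfmon.exe"))
    return [(name, data) for name, data in run_values.items()
            if name.lower() == "toolcar"  # registry value names ignore case
            and ntpath.normcase(data.strip('" ')) == target]


def check_hosts(text):
    """Return (ip, host) pairs that map a name to a non-local address."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 2 and fields[0] not in LOCAL:
            hits.extend((fields[0], host.lower()) for host in fields[1:])
    return hits


# Constructed sample data (not from a real host); ctfmon.exe is the legitimate binary.
DIRS = {"sysdir": r"C:\Windows\System32", "windir": r"C:\Windows", "root": "C:\\"}
LISTING = [r"c:\windows\system32\cttfmon.exe",
           r"C:\Windows\System32\ctfmon.exe", r"C:\TIMSEC.BAT"]
RUN = {"toolcar": r"C:\WINDOWS\system32\cttfmon.exe",
       "Updater": r"C:\Program Files\Example\updater.exe"}
HOSTS = "127.0.0.1 localhost\n203.0.113.7 bank.example www.bank.example # constructed\n"

if __name__ == "__main__":
    print(check_files(LISTING, DIRS))
    print(check_run_key(RUN, DIRS["sysdir"]))
    print(check_hosts(HOSTS))
```

The dropped file name differs from the legitimate ctfmon.exe by one letter, so the comparison is on the exact name rather than a substring.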

Means of transmission 

Nabload.DSA reaches the computer in an email message in Portuguese inviting users to watch a video. The message is like the following:

[Image: message in which Nabload.DSA reaches the computer]

The message has the following characteristics:

  • Subject: Menor tirou fotos e filmou o desespero de eliza samudio antes da morte
    It makes reference to an event that took place in Brazil in July 2010 in which a woman, Eliza Samudio, was killed.
  • Message: it contains a link that points to a video related to this woman's death.
  • If users follow this link, which does not point to any video, a file belonging to Nabload.DSA is downloaded to the computer:

    [Image: file belonging to Nabload.DSA]

Further Details  

Nabload.DSA is 230,400 bytes in size.
