Nabload.DSA uses social engineering techniques in order to be distributed and make users fall into the trap. In this case, the message in which it reaches the computer makes reference to the murder of a woman in Brazil, Eliza Samudio, which took place in July 2010.
Additionally, Nabload.DSA downloads a banker Trojan to the computer, designed to steal users' confidential information related to certain Brazilian banking entities.
In order to do so, when users try to access the websites of the affected banks, they are redirected to other sites that could be malicious and that could allow its author to obtain the passwords used to access the banks.
Nabload.DSA creates the following files:
- CTTFMON.EXE and BIOS_SETUP1193.TXT, in the Windows system directory.
- LOGCPU.EXE and LOGCPU.DAT, in the Windows directory.
- WAKELUAN3.EXE, TIMSEC.BAT and VIVOSPAWARE.BAT, in the root directory of the C: drive.
Nabload.DSA modifies the HOSTS file, in such a way that when users access certain websites, mostly related to Brazilian banking entities, they are redirected to others that could be malicious.
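The dropped files and the HOSTS change described above can be checked for during triage. The following Python sketch is an added example, not part of the original description: the function names are illustrative, `System32` is assumed to be the Windows system directory, and the HOSTS sample is constructed. Because the page does not list the redirected domains, every mapping to a non-local address is reported for manual review.

```python
import ipaddress
import os
# File names and locations as listed on this page for Nabload.DSA.
INDICATORS = {
    "sysdir": {"CTTFMON.EXE", "BIOS_SETUP1193.TXT"},
    "windir": {"LOGCPU.EXE", "LOGCPU.DAT"},
    "root": {"WAKELUAN3.EXE", "TIMSEC.BAT", "VIVOSPAWARE.BAT"},
}

def find_dropped_files(dirs):
    """dirs maps 'sysdir'/'windir'/'root' to paths; returns matching file paths."""
    hits = []
    for role, names in INDICATORS.items():
        path = dirs.get(role)
        if not path or not os.path.isdir(path):
            continue
        for entry in sorted(os.listdir(path)):
            # Windows file names are case-insensitive, so compare upper-cased.
            if entry.upper() in names and os.path.isfile(os.path.join(path, entry)):
                hits.append(os.path.join(path, entry))
    return hits

def hosts_redirects(hosts_text):
    """Return (address, hostname) pairs that map a name to a non-local address."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost and 0.0.0.0 sinkhole entries
        found.extend((fields[0], name.lower()) for name in fields[1:])
    return found

# Constructed sample HOSTS content (documentation address, placeholder names).
SAMPLE_HOSTS = """127.0.0.1 localhost
203.0.113.10 www.bank.example bank.example  # redirect entry
0.0.0.0 ads.example
"""

if __name__ == "__main__":
    win = os.environ.get("SystemRoot", r"C:\Windows")  # assumed default location
    dirs = {"sysdir": os.path.join(win, "System32"), "windir": win, "root": "C:\\"}
    print(find_dropped_files(dirs))
    print(hosts_redirects(SAMPLE_HOSTS))
```

To audit a real machine, pass the contents of its HOSTS file to `hosts_redirects` in place of the constructed sample.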
Nabload.DSA creates the following entries in the Windows Registry:
ToolCar = %sysdir%\cttfmon.exe
where %sysdir% is the Windows system directory.
By creating this entry, Nabload.DSA ensures that it is run whenever Windows is started.
%sysdir%\cttfmon.exe = cttfmon
Means of transmission
Nabload.DSA reaches the computer in an email message in Portuguese inviting users to watch a video. The message is like the following:
The message has the following characteristics:
- Subject: Menor tirou fotos e filmou o desespero de eliza samudio antes da morte
It makes reference to an event that took place in Brazil in July 2010 in which a woman, Eliza Samudio, was killed.
- Message: it contains a link that points to a video related to this woman's death.
- If users follow this link, which does not point to any video, a file belonging to Nabload.DSA is downloaded to the computer:
Nabload.DSA is 230,400 bytes in size.