
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Nabload.DSB

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Nabload.DSB carries out the following actions:

  • The main file is a self-extracting RAR file, which contains the following files:
    - OUCAMULHER.BAT
    - MULHERESNOTRANSITO.PPS
    - OTIMIZED.EXE
  • These files are extracted to a certain path on the system by running certain commands.
  • The file OUCAMULHER.BAT runs the other two files. It also checks the path C:\Arquivos de programas (a directory created by the OS in Portuguese) to see whether a certain antivirus program is installed. If so, it renames the update files so that the antivirus cannot be updated.
  • The file MULHERESNOTRANSITO.PPS is the PowerPoint presentation that is opened when users run the main file, in order to distract them while the Trojan carries out the other actions.
  • The following image shows one of the slides of the presentation:

    [Image: one of the slides of the presentation]
  • The file OTIMIZED.EXE connects to the website http://www.empreuzz.com/etiquetas and downloads the files BORDADOS.CDC, COUROS.CDC and METAL.CDC.
  • These files are saved under other names on the system and are designed to steal confidential information from users.
  • In order to do so, it installs an Internet Explorer browser that replaces the one installed on the affected system, so that this application monitors the websites accessed by users.
  • If, for example, users access the website of a banking entity, the Trojan will log all the information entered in it.
  • Additionally, it installs a keylogger that logs the keystrokes typed by the users and stores the information in a file.
  • It checks whether it can connect to several mail servers and sends a message with an identifier of the computers it has infected.

Infection strategy 

Nabload.DSB creates the following files in the config folder of the Windows system directory:

  • MULHERESNOTRANSITO.PPS, which is the PowerPoint presentation it displays in order to deceive users.
  • OTIMIZED.EXE. This file connects to a certain website from which the other components of the Trojan are downloaded.
  • OUCAMULHER.BAT, which checks whether a certain antivirus program is installed on the computer. If so, it renames the update files so that the antivirus cannot be updated.

On the other hand, Nabload.DSB creates these files in the Windows system directory:

  • IEXPLUPD.EXE
  • MSGRUPD.EXE
  • SYNNGLP.EXE
  • MEGASPDR.LOG, in which it stores the information collected by the keylogger.

These files steal confidential information from the user and send it to its author.

In order to go unnoticed, they have the following icons:

[Image: icons of the files]

Nabload.DSB creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    IExplUpd = %sysdir%\IExplUpd.exe

    where %sysdir% is the Windows system directory.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SynNglp = %sysdir%\SynNglp.exe

    By creating these entries, Nabload.DSB ensures that it is run whenever Windows is started.
  • HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
  • HKEY_USERS\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
    Embedded Web Browser from: http://bs
    sa.com/
    By creating these entries, it installs an Internet Explorer browser that replaces the one installed on the computer, in order to monitor users' browsing.
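
A read-only host check for the files and registry entries listed in this section, as an added example that is not part of the original Panda Security entry. It assumes %sysdir% resolves to [Environment]::SystemDirectory, and it goes beyond the single SID shown above by checking every loaded HKEY_USERS hive.

```powershell
# Added example: read-only check for the Nabload.DSB artifacts named on this page.
# Assumption: %sysdir% is [Environment]::SystemDirectory on the host being checked.
$sysdir   = [Environment]::SystemDirectory
$findings = New-Object System.Collections.Generic.List[string]

# Files the entry says are created in the system directory and its config folder.
$dropped = @(
    @{ Dir = $sysdir
       Names = 'IEXPLUPD.EXE', 'MSGRUPD.EXE', 'SYNNGLP.EXE', 'MEGASPDR.LOG' }
    @{ Dir = (Join-Path $sysdir 'config')
       Names = 'MULHERESNOTRANSITO.PPS', 'OTIMIZED.EXE', 'OUCAMULHER.BAT' }
)
foreach ($d in $dropped) {
    foreach ($n in $d.Names) {
        $p = Join-Path $d.Dir $n
        if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("file: $p") }
    }
}

# Autostart values under the HKLM Run key.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
foreach ($v in 'IExplUpd', 'SynNglp') {
    if ($run -and $run.PSObject.Properties[$v]) {
        $findings.Add("Run value: $v = $($run.$v)")
    }
}

# "Embedded Web Browser from:" token under User Agent\Post Platform, per user hive.
# The token is matched by its prefix only, in either the value name or its data.
# A hit here is a lead to triage together with the file and Run checks above.
$sub = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    $key = "Registry::$($hive.Name)\$sub"
    $pp  = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $pp) { continue }
    $pp.PSObject.Properties |
        Where-Object { "$($_.Name) $($_.Value)" -like '*Embedded Web Browser from:*' } |
        ForEach-Object { $findings.Add("Post Platform ($($hive.PSChildName)): $($_.Name)") }
}

if ($findings.Count) { $findings | Sort-Object }
else { 'No Nabload.DSB artifacts from this page found.' }
```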

Means of transmission 

Nabload.DSB reaches the computer passing itself off as a PowerPoint presentation in a file with the following appearance:

[Image: file in which Nabload.DSB reaches the computer]

This file can be received via email messages, social networks or instant messaging programs, among others.

The following is an example of a message in which it is distributed:

[Image: message in which Nabload.DSB is distributed]

Further Details  

Nabload.DSB is 276,550 bytes in size.