Nabload.U

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Nabload.U carries out the following actions:

  • It attempts to download the file COCO2006.JPEG from the following websites:
    http://hometown<blocked>.au/modnatal.
    http://hometown<blocked>.au/arqarq.
    This file, which is in fact an INI file, contains several configuration options:
    - Addresses of the SMTP servers it uses to send emails.
    - Messages to be sent via MSN Messenger.
    - Email addresses to which the gathered data is sent.
    The file has the following format:

    [VERSAO]
    2
    (a digit that indicates the version number of the Trojan)

    [MODULO]
    http://hometown<blocked>.au/modnatal/mdv2_coco.jpg
    http://hometown<blocked>.au/modnatal/mdv2_coco.jpg
    (files to be downloaded by the Trojan)

    [SMTP]
    smtp.sao.terra.com.br
    smtp.sao.terra.com.br
    (addresses of several SMTP servers used to send emails)

    [CONTAS]
    1:ademirco@<blocked>.com.br:10203040
    2:ademirco@<blocked>.com.br:10203040
    (spoofed contact addresses used by the Trojan when sending instant messages)

    [DESTINO]
    coco968@<blocked>.com
    (email address to which the gathered information is sent)

    [EMAILS_CONTATOS]
    depredador<blocked>.net
    (contact addresses it gathers in the affected computer)

    [MensagemMSN]
    ve esa vaina http://hometown<blocked>.au/miralafoto/foto.exe
    (message sent via MSN Messenger)

    [END]
  • It attempts to access the URLs listed under the [MODULO] section in order to download a password-stealing Trojan, called Banker.BSX, to the affected computer.
    Banker.BSX captures the actions carried out by the user on several websites, including the login and password typed using virtual keyboards, and sends the gathered data to a certain email address.

Infection strategy 

Nabload.U creates the following files in the subfolder SERVICE of the Windows system directory:

  • NAVUPDT.EXE, which is a copy of the Trojan.
  • SERVICE.DLL, which is not a DLL but an INI file that contains the Trojan's configuration: the email address to which the gathered data is sent, the website from which the Trojan is downloaded, the messages to be sent via MSN Messenger, etc.
  • SERVICES.EXE, which is a copy of Banker.BSX.
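
For triage of a recovered COCO2006.JPEG or SERVICE.DLL, the check below flags a file whose extension claims an image or DLL but whose body is the bracketed-section configuration described under Effects, and extracts its sections. It is an added example, not Panda's code; the function names, the three-section threshold and the sample hosts are assumptions made for illustration.

```python
import re
# Section names listed in the write-up above.
KNOWN_SECTIONS = {"VERSAO", "MODULO", "SMTP", "CONTAS", "DESTINO",
                  "EMAILS_CONTATOS", "MensagemMSN"}
# Leading bytes of a genuine JPEG image and a genuine PE file (DLL/EXE).
MAGIC = {"jpeg": b"\xff\xd8\xff", "pe": b"MZ"}
CLAIMS = {"jpeg": "jpeg", "jpg": "jpeg", "dll": "pe", "exe": "pe"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def parse_config(text):
    """Return {section: [lines]}; values are bare lines, parsing stops at [END]."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m and m.group(1) == "END":
            break
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def triage(name, data):
    """Flag a file whose extension claims JPEG/PE but whose body is this config."""
    claimed = CLAIMS.get(name.rsplit(".", 1)[-1].lower())
    magic_ok = claimed is not None and data.startswith(MAGIC[claimed])
    cfg = parse_config(data.decode("latin-1"))
    hits = sorted(KNOWN_SECTIONS.intersection(cfg))
    return {"mismatch": claimed is not None and not magic_ok,
            "known_sections": hits,
            "suspicious": not magic_ok and len(hits) >= 3,  # assumed threshold
            "config": cfg}

# Constructed sample: placeholder hosts and addresses, not values from the page.
SAMPLE = b"""[VERSAO]
2
[MODULO]
http://files.example.invalid/a/module.jpg
[SMTP]
smtp.example.invalid
[DESTINO]
collector@example.invalid
[MensagemMSN]
constructed message text http://files.example.invalid/b/photo.exe
[END]
anything after END is ignored
"""

if __name__ == "__main__":
    print(triage("SERVICE.DLL", SAMPLE)["known_sections"])
```

The values returned under "config" (download URLs, SMTP hosts, destination address) are what would go into blocklists and mail-gateway rules.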

Means of transmission 

Nabload.U is distributed via MSN Messenger:

  • When a computer is affected by Banker.BSX, it sends an instant message to all the addresses in the Contact List. The message includes a link:

    ve esa vaina http://hometown.<blocked>miralafoto/foto.exe

  • If the link is clicked, Nabload.U is downloaded to the affected computer.

Further Details  

Nabload.U is written in the programming language Delphi 5. This Trojan is 40,921 bytes in size when it is compressed with Petite, and 83,573 bytes once it is decompressed.

Last updated:  13/07/2006 
