x
48h OFFER
If you're already a customer of
our homeusers protection,
renew now with 50% off
RENEW NOW
x
SPECIAL OFFER
If you're already a customer of
our homeusers protection,
renew now with 50% off
RENEW NOW
x
HALLOWEEN OFFER
take advantage of our
terrific discounts
BUY NOW AND GET A 50% OFF
x
CHRISTMAS OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET A 50% OFF
x
SPECIAL OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET A 50% OFF
x
BLACKFRIDAY OFFER
Buy the best antivirus
at the best price
TODAY ONLY UP TO 70% OFF
x
CYBERMONDAY OFFER
Buy the best antivirus
at the best price
(Only for homeusers)
TODAY ONLY UP TO 70% OFF
Active Scan. Scan your PC free

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Nabload.CW

 
Threat LevelHigh threatDamageSevereDistributionNot widespread

Effects 

Nabload.CW attempts to download and run other Trojan detected as Bancos.MO in the affected computer.

In order to do so, it follows the routine below:

  • It reaches the computer in an executable file that passes itself off as a Windows Media Player file:
  • When it is run, it displays a window that imitates the Windows Media Player one. But, it is actually an animated GIF:

  • Then, it displays the following false error window, which says that it is necessary to download several components in order to see the video:

  • If the user clicks on OK and there is an Internet connection available, Nabload.CW connects to the website http://www.bea<blocked>.co.kr/bbs/data/gg, in order to download Trj/Bancos.MO to the affected computer. Then, Nabload.CW runs it and ends its own execution.
    If there is no connection to the Internet, Nabload.CW just ends its own execution.
  • If the user runs the file VIDEO[1].EXE again, the following error message is displayed on the screen:

Infection strategy 

Nabload.CW creates the following files:

  • FFYT66555.KO, in the Windows system directory. This file is 0 bytes in size, and Nabload.CW uses it in order to know if it had previously affected the computer.
  • SVCHOST.EXE, in the Internet temporary files directory. This file belongs to Trj/Bancos.MO.

 

Nabload.CW creates the following path in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager

Means of transmission 

Nabload.CW does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

It has been detected that Nabload.CW reaches the computer in a file with the Windows Media Player icon that usually has the following file name: VIDEO[1].EXE.

Further Details  

Nabload.CW is written in the programming language Visual Basic v5. This Trojan is 81,920 bytes in size when compressed with UPX and 562,025 bytes once decompressed.

>

ARE YOU FACING ANY PC OR INTERNET RELATED PROBLEMS?
FREE SUPPORT INCLUDED. CALL US 24/7

powered by Anytech365