Nabload.CW attempts to download and run another Trojan, detected as Bancos.MO, on the affected computer.
In order to do so, it follows the routine below:
- It reaches the computer in an executable file that passes itself off as a Windows Media Player file:
- When it is run, it displays a window that imitates the Windows Media Player window, but it is actually an animated GIF:
- Then, it displays the following false error window, which says that it is necessary to download several components in order to see the video:
- If the user clicks on OK and there is an Internet connection available, Nabload.CW connects to the website http://www.bea<blocked>.co.kr/bbs/data/gg, in order to download Trj/Bancos.MO to the affected computer. Then, Nabload.CW runs it and ends its own execution.
If there is no connection to the Internet, Nabload.CW just ends its own execution.
- If the user runs the file VIDEO.EXE again, the following error message is displayed on the screen:
Nabload.CW creates the following files:
- FFYT66555.KO, in the Windows system directory. This file is 0 bytes in size, and Nabload.CW uses it to determine whether it has previously affected the computer.
- SVCHOST.EXE, in the temporary Internet files directory. This file belongs to Trj/Bancos.MO.
Nabload.CW creates the following path in the Windows Registry:
Means of transmission
Nabload.CW does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
It has been detected that Nabload.CW reaches the computer in a file with the Windows Media Player icon that usually has the following file name: VIDEO.EXE.
Nabload.CW is written in the programming language Visual Basic v5. This Trojan is 81,920 bytes in size when compressed with UPX and 562,025 bytes once decompressed.
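A host triage check for the artifacts listed in this entry (the zero-byte marker file, the dropped SVCHOST.EXE and the UPX-packed VIDEO.EXE), added here as an example and not part of the original description. The function names and indicator labels are hypothetical, and the caller supplies the system directory, the temporary Internet files directory and the folders to search for the lure file.

```python
import os
from pathlib import Path

MARKER = "FFYT66555.KO"   # zero-byte infection marker (from the page)
PAYLOAD = "SVCHOST.EXE"   # Trj/Bancos.MO file name (from the page)
LURE = "VIDEO.EXE"        # usual downloader file name (from the page)
LURE_SIZE = 81920         # UPX-compressed size in bytes (from the page)


def is_upx_pe(path):
    """True if the file starts with MZ and its headers name a UPX section."""
    with open(path, "rb") as fh:
        head = fh.read(1024)  # section table normally sits in the first KiB
    return head[:2] == b"MZ" and b"UPX0" in head


def walk_files(root):
    """Yield (upper-cased name, Path) for each file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield name.upper(), Path(dirpath) / name


def triage(system_dir, inet_cache_dir, lure_roots=()):
    """Return sorted (indicator, path) pairs for the artifacts described."""
    hits = []
    # 1. Marker: only counts if it is in the system directory itself and empty.
    for entry in os.scandir(system_dir):
        if entry.is_file() and entry.name.upper() == MARKER \
                and entry.stat().st_size == 0:
            hits.append(("infection-marker", entry.path))
    # 2. Payload: a svchost.exe has no business in the browser cache.
    for name, path in walk_files(inet_cache_dir):
        if name == PAYLOAD:
            hits.append(("payload-in-inet-cache", str(path)))
    # 3. Lure: match name and packed size, then confirm UPX packing.
    for root in lure_roots:
        for name, path in walk_files(root):
            try:
                if name == LURE and path.stat().st_size == LURE_SIZE:
                    kind = "lure-upx" if is_upx_pe(path) else "lure-size-only"
                    hits.append((kind, str(path)))
            except OSError:
                continue  # file vanished or is unreadable
    return sorted(hits)
```

File names and sizes are weak indicators on their own, so treat a hit as a lead for further analysis. The legitimate SVCHOST.EXE in the system directory is deliberately not flagged.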