Ngrbot steals information and mines Bitcoins (Nov 18, 2011)


SonicWALL UTM Research team discovered Ngrbot spreading in the wild. The bot steals user information and spreads though malicious links, removable drives, instant messengers and social networks. After initial infection, it downloads additional modules including a Bitcoin mining module. Bitcoin is a form of digital currency and one way of obtaining them is by mining. Mining for Bitcoins is a very computationally expensive process involving lots of hashing, making it time consuming and impractical to mine on a personal computer. The creators of this botnet have found a lucrative alternative to generating Bitcoins by leveraging the CPU cycles of infected machines.

Ngrbot uses misleading filenames with explicit icons as shown below:


It performs the following activities:

  • It determines geoip details by sending a request to
  • It contacts a remote C&C server to report infection and receive additional commands.
  • It downloads additional modules from a remote file hosting server.
  • It drops the following files:
    • %AppData%9.exe [Detected as Injector.KSW_2 (Trojan) ]
    • %AppData%A.exe (Corrupted file)
    • %AppData%kakao3fuckHDZSDP.exe [Detected as Ngrbot.GEN_3 (Worm) ]
    • %AppData%kakao3 new.exe [Detected as BtcMiner (Trojan) ]
    • %AppData%Xkagad.exe (Copy of itself) [Detected as Ngrbot.GEN_3 (Worm) ]
    • Start MenuProgramsStartup newmoon17.exe [Detected as Injector.KSW_3 (Trojan) ]
  • It ensures persistence of infection across reboots:
    • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun:Xkagad:”%AppData%Xkagad.exe”
    • Creates startup file in Start MenuProgramsStartup newmoon17.exe
  • It has the following information stealing modules:
    • popgrab
    • ftpgrab
    • ffgrab
    • iegrab
  • It has the ability to perform DOS(Denial of Service) attacks.
  • It blocks access to various antivirus and security websites by intercepting DNS.
  • It uses form grabbers to steal credentials from the following URL’s:

  • It has the ability to spread through MSN messenger and removable drives. It also has the ability to post to Bebo, Friendster, Vkontakte, Twitter and Facebook.
  • It attempts to load “nvcuda.dll”(Nvidia CUDA) if present to mine Bitcoins on the GPU(Graphic Processing Unit).
  • It kills all previous Bitcoin mining infections:

  • It mines for Bitcoins at 59 second intervals by executing the following command:
      mine.exe -a 59 -o http://{removed}.org:8332/ -u darksons_crypt -p pt

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Ngrbot.GEN (Worm)
  • GAV: Ngrbot.GEN_3 (Worm)


This threat is also classified as “Dorkbot.A (Worm)” by some vendors.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.