A Deeper Look at Win32/Inject.NBL

Late Monday, we received samples of a malware that spreads through instant messaging.  Detection was quickly added for this threat and David gave a nice summary of the events in a blog post.

When analyzing this binary, we found that Win32/Inject.NBL has a couple of interesting characteristics.  First of all, we identified the bot's command set:

  • download
  • update
  • rm
  • msn.msg
  • msn.stop
  • aim.msg
  • aim.stop
  • triton.msg
  • triton.stop

In short, this malware can download new files, update itself and remove itself from an infected computer.  It can also spread through three different instant messaging programs: MSN Messenger, AIM and Triton.

On a more technical side, Inject.NBL is interesting because after unpacking itself into memory, the packer doesn't jump to the program's original entry point.  Instead, the packer starts a new instance of the executable and injects the unpacked code into the newly created process.  This technique is probably aimed at fooling the analysis and emulation engines used in antivirus products.
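One way a defender can look for the behaviour described above, as an added example that is not part of the original post: correlate a process launching a same-image child with a subsequent remote-thread creation from the parent into that child. The Sysmon-style event IDs and field names are assumptions, and the telemetry is constructed.

```python
# Added example (not from the ESET post): flag the "spawn a copy of myself, then
# inject into it" pattern over constructed Sysmon-style process events.
# Assumptions: Event ID 1 = process creation, Event ID 8 = CreateRemoteThread,
# and the field names below; real telemetry will differ.
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs.
EVENTS = [
    {"id": 1, "time": "2008-08-25T21:00:00", "pid": 1000, "ppid": 500,
     "image": r"C:\Users\victim\Downloads\photo.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "time": "2008-08-25T21:00:01", "pid": 1001, "ppid": 1000,
     "image": r"C:\Users\victim\Downloads\photo.exe",
     "parent_image": r"C:\Users\victim\Downloads\photo.exe"},
    {"id": 8, "time": "2008-08-25T21:00:02", "source_pid": 1000, "target_pid": 1001},
    # Benign: a browser spawning a same-image child is normal and injects nothing.
    {"id": 1, "time": "2008-08-25T21:05:00", "pid": 2000, "ppid": 1500,
     "image": r"C:\Program Files\Browser\browser.exe",
     "parent_image": r"C:\Program Files\Browser\browser.exe"},
]


def find_self_inject(events, window=timedelta(seconds=10)):
    """Return (parent_pid, child_pid, image) for every same-image child that
    its parent then injects into (CreateRemoteThread) within `window`."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    # Candidate children: image identical to the parent's (packer re-launching itself).
    spawns = {e["pid"]: e for e in events
              if e["id"] == 1 and e["image"].lower() == e["parent_image"].lower()}
    hits = []
    for e in events:
        if e["id"] != 8:
            continue
        child = spawns.get(e["target_pid"])
        if child is None or child["ppid"] != e["source_pid"]:
            continue
        # Injection must follow the spawn closely; a same-image child alone is not enough.
        if timedelta(0) <= ts(e) - ts(child) <= window:
            hits.append((e["source_pid"], e["target_pid"], child["image"]))
    return hits


if __name__ == "__main__":
    for parent, child, image in find_self_inject(EVENTS):
        print(f"self-inject candidate: {image} pid {parent} -> pid {child}")
```

The browser entry shows why the same-image check alone is too noisy: only the spawn followed by a remote thread from parent to child is reported.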

For the last three days, the network of computers infected by Inject.NBL has still been instructed to spread through MSN using the same message string to lure users into clicking on a malicious link.  The command and control network uses the IRC protocol, on a server that is currently located in Luxembourg.


Pierre-Marc Bureau

Researcher

Author Pierre-Marc Bureau, ESET

  • Prasid

    Really this is good information. Thanks a lot!

  • T.K.

    This is very good information but I’ve yet to find a program that TRULY gets rid of the worm.

    They SAY that they have but my MSN IM continues to open all by itself with unauthorized “persons” communicating to me and scans for the worm indicate a “suspicious” file: (F-Secure 7.60.13501.0 2008.08.27 Suspicious:W32/Hidd.k!Gemini)

    How does one remove this from their computer?

    Thank You

  • http://www.smallblue-greenworld.co.uk David

    We can’t really do product support through this blog. If you go to http://www.eset.com/support, you’ll find a number of resources, and if none of those help, there’s also a form you can fill in to get a personal response.

27 Aug 2008