Beware of NgrBot malware; it can wipe out your hard disk!

Remember IrcBot? It could connect to Internet Relay Chat as a client and pass itself off to other IRC users as just another user while performing automated functions. Now a new addition to this malware family has been identified as NgrBot, and it comes with the dangerous ability to destroy data on a user’s hard drive.


The research carried out by the Security Research team at Fortinet notes that this new version of IrcBot carries features that are far more harmful than before. It can join different Internet Relay Chat (IRC) channels and perform various attacks according to IRC-based commands from the command-and-control (C&C) server.

Watch out for your hard drive

NgrBot can wipe the hard drives of compromised systems. The wipe is triggered as soon as decryption of its strings fails in any way. NgrBot stores each string in a structure where the first dword is a pointer to an RC4-encrypted string, the second dword is the string length, and the third dword is the CRC32 value of the decrypted string.
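As an added illustration of the string structure and integrity check described above (this is not Fortinet's code or the bot's code), the following decoder models how a CRC32 mismatch is detected; the key, the in-blob layout and the sample strings are constructed assumptions, and the failure is reported as a flag rather than acted on.

```python
import struct
import zlib

# One string-table entry as described in the article:
# dword 0: pointer (modelled here as an offset into the blob) to the RC4-encrypted bytes
# dword 1: length of the string
# dword 2: CRC32 of the decrypted string
ENTRY = struct.Struct("<III")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_entry(blob: bytes, entry_off: int, key: bytes):
    """Decode one entry and return (ok, plaintext).
    ok is False when the CRC32 of the decrypted bytes does not match the stored value;
    in the real bot that mismatch is the condition reported to trigger the wipe."""
    ptr, length, expected_crc = ENTRY.unpack_from(blob, entry_off)
    plain = rc4(key, blob[ptr:ptr + length])
    return zlib.crc32(plain) & 0xFFFFFFFF == expected_crc, plain


def build_sample(key: bytes, strings) -> bytes:
    """Constructed sample blob: the entry table first, then the ciphertexts."""
    table_size = ENTRY.size * len(strings)
    entries, data = bytearray(), bytearray()
    for s in strings:
        entries += ENTRY.pack(table_size + len(data), len(s), zlib.crc32(s) & 0xFFFFFFFF)
        data += rc4(key, s)
    return bytes(entries + data)


KEY = b"sample-key"  # constructed; not the bot's real key
BLOB = build_sample(KEY, [b"dnsapi.dll", b"DnsQuery_A", b"ws2_32.dll"])

if __name__ == "__main__":
    print(decode_entry(BLOB, 0, KEY))
    tampered = bytearray(BLOB)
    tampered[-1] ^= 0xFF  # one corrupted ciphertext byte, as in a patched or damaged sample
    print(decode_entry(bytes(tampered), ENTRY.size * 2, KEY)[0])
```

Analysts recovering the bot's strings from a sample should expect exactly this check, so a sample whose strings have been altered in place will fail it.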

The figure below shows what the overwritten hard disk sector looks like. After the wipe, the attacked system hangs and is unable to boot.


As if wiping the disk were not enough, NgrBot also blocks access to antivirus-related websites, ensuring that the infected system cannot obtain any outside help. The Security Research blog at Fortinet explains:

“To do this, the bot injects code into running processes and hooks the following APIs:

  • DnsQuery_A (from dnsapi.dll)
  • DnsQuery_W (from dnsapi.dll)
  • GetAddrInfoW (from ws2_32.dll)

When these APIs are called, the hooking functions check if the address to connect to contains strings that are in the bot’s blacklist”.

The researchers at Fortinet say that so far they have observed two commands received by NgrBot from its C&C server that confirm malicious activity. Expecting the activity to intensify in the near future, they are keeping track of new active commands from the C&C server and maintaining a watchful eye on NgrBot’s activity.

Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wild life and has written a book on Top Tiger Parks of India.
