On an infected computer, this malware displays messages that resemble the following ones:
Then the bot begins to receive commands from the command-and-control IRC server, such as to start a DDoS attack.
These malicious programs can block connections to the servers of anti-virus companies, steal user passwords for various legitimate websites, and intercept messages sent by the user on social networks.
The worm spreads via messages on social networks and Skype, as well as external drives connected to a computer.
Geographical distribution of attacks by the Worm.Win32.Ngrbot family
Geographical distribution of attacks during the period from 27 September 2014 to 27 September 2015
Top 10 countries with most attacked users (% of total attacks)
* Percentage among all unique Kaspersky users worldwide who were attacked by this malware