Win32/Pushbot is detection for a family of malware that spreads via MSN Messenger, Yahoo Messenger and AIM when commanded to by a remote attacker. This worm contains backdoor functionality that allows unauthorized access and control of an affected machine.
When executed, Win32/Pushbot copies itself as an executable to the %windir% directory and sets the attributes of this file to read-only, hidden and system. It then modifies the registry to ensure that this copy is executed at each Windows start (such as in this example for Worm:Win32/Pushbot.IG):
Adds value: "Messenger Service"
With data: "service.exe"
To all keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Some variants also add similar registry values to the following keys:
It then launches the new copy of itself, and deletes the original.
It creates a mutex, which may differ for each variant (for example, "WindowsUpdateID39512") in order to ensure that multiple copies of the worm do not run simultaneously.
Win32/Pushbot variants may attempt to disguise themselves as picture or video files. As a result, they may be packaged with clean video player software updates, or display message boxes such as the following, with the title "Windows Microsoft Viewer" containing the text "Picture can not be displayed.":
Using backdoor functionality (see Payload section below for additional detail) Win32/Pushbot can be ordered to spread via MSN Messenger by a remote attacker. It sends a message to all of the infected user's contacts. Some variants may also spread using other instant messaging programs, such as AIM or Yahoo Messenger.
The worm can be ordered to send messages, which can contain URLs pointing to a remotely hosted copy of itself. The message may be provided by the controller via the IRC backdoor. Some variants instead may attach a zipped copy of themselves to the message and/or randomly choose messages from a provided list. As an example, some variants use the following messages:
WoW? is that really you... what the hell where you drinking :D
LOL, you look so ugly in this picture, no joke…
Should I put this on facebook/myspace?
Hey m8, who is this on the right, in this picture…
Sup, seen the pictures from the other night?
Recent variants of Win32/Pushbot may also be able to spread by utilizing Skype (an instant messaging application that allows users to send voice over the Internet). These Pushbot variants send keyboard and mouse events to Skype in order to open a message window to each of the user's contacts, paste in a message with a URL (presumably to a copy of Pushbot being hosted remotely), and then send the message.
Some variants of Win32/Pushbot may also spread by copying themselves to removable drives (other than A: or B:, such as USB memory keys). They place themselves in the \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached.
Peer to Peer Networking
Some variants may be ordered to spread by copying themselves to the shared directories of various peer-to-peer file sharing programs, using filenames such as the following:
Windows Live Password reveal.exe
KEY-GEN Adobe PhotoShop CS3.exe
KEY-GEN Kaspersky 2009.exe
KEY-GEN ESET NOD32 3.0.650.exe
KEY-GEN Ahead Nero 8 Ultra Edition.exe
Microsoft Office 2007.exe
Kaspersky 7.0 all versions.exe
windows xp genuine keygen.exe
windows xp activation hack 2008.exe
windows xp activation hack 2007.exe
Directories used may include:
%ProgramFiles%\Ares\My Shared Folder\
%ProgramFiles%\Direct Connect\Received Files\
%ProgramFiles%\KMD\My Shared Folder\
%ProgramFiles%\WinMX\My Shared Folder\
%ProgramFiles%\Morpheus\My Shared Folder\
%ProgramFiles%\Kazaa Lite\My Shared Folder\
%ProgramFiles%\Kazaa\My Shared Folder\
\My Shared Folder\
Once installed, the worm connects to an IRC server (for example, ‘services.msnservers.net’) on a specified TCP port and awaits instructions. Using the backdoor, a remote attacker can perform a number of actions on the affected machine, including the following:
Spread via instant messaging
Halt the instant messaging spreading
Download and execute arbitrary files
Some variants may also be able to perform one or more of the following additional activities:
Spread via removable drives
Spread via peer to peer networking
Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings.
Participate in Distributed Denial of Service attacks
Add extra instant messaging contacts
Send other messages to the user’s contacts
Redirect banking sites to a specified location (see Modifies Hosts File below)
Retrieve data from Windows Protected Storage
. This may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger.
Connect to web sites without downloading files
Return various spreading and uptime statistics
Modifies System Settings
Some variants attempt to make additional system changes by modifying the registry, the hosts file, or by stopping services. For example, the worm may attempt to disable Task Manager by making the following registry modification:
Adds value: "DisableTaskMgr "
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
It may also attempt to disable several programs by making the changes below:
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun
Adds value: "msncleaner.exe"
With data: “1”
Adds value: "avp.exe"
With data: “2”
Adds value: "kav.esp"
With data: “3”
Adds value: "kav.eng"
With data: “4”
Adds value: "msconfig.exe"
With data: “5”
Other variants attempt to stop the following services:
Some variants attempt to terminate processes, such as the following:
Modifies Hosts File
Some variants attempt to prevent the user from visiting security related sites by appending entries to the file at <system folder>\drivers\etc\hosts. For example, one variant was observed to use the following:
Other variants may attempt to redirect visitors to various banking sites to a location specified by the backdoor’s controller. These sites may include one or more of the following groups:
The backdoor’s controller may also be able to specify other sites to redirect.
Analysis by David Wood and Hamish O'Dea