Win32/Pushbot


Win32/Pushbot is detection for a family of malware that spreads via MSN Messenger, Yahoo Messenger and AIM when commanded to by a remote attacker. This worm contains backdoor functionality that allows unauthorized access and control of an affected machine.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
When executed, Win32/Pushbot copies itself as an executable to the %windir% directory and sets the attributes of this file to read-only, hidden and system. It then modifies the registry to ensure that this copy is executed at each Windows start (such as in this example for Worm:Win32/Pushbot.IG):
 
Adds value: "Messenger Service"
With data: "service.exe"
To all keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 
Some variants also add similar registry values to the following keys:
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
 
It then launches the new copy of itself, and deletes the original.
 
It creates a mutex, which may differ for each variant (for example, "WindowsUpdateID39512") in order to ensure that multiple copies of the worm do not run simultaneously.
 
Win32/Pushbot variants may attempt to disguise themselves as picture or video files. To support the disguise, they may be packaged with clean video player software updates, or display message boxes such as the following, with the title "Windows Microsoft Viewer" containing the text "Picture can not be displayed."
 
Spreads Via…
Instant messaging
Using backdoor functionality (see the Payload section below for additional detail), Win32/Pushbot can be ordered by a remote attacker to spread via MSN Messenger. It sends a message to all of the infected user's contacts. Some variants may also spread using other instant messaging programs, such as AIM or Yahoo Messenger.
 
The worm can be ordered to send messages, which can contain URLs pointing to a remotely hosted copy of itself. The message may be provided by the controller via the IRC backdoor. Some variants may instead attach a zipped copy of themselves to the message and/or randomly choose messages from a provided list. As an example, some variants use the following messages:
 
  • WoW? is that really you... what the hell where you drinking :D
  • LOL, you look so ugly in this picture, no joke…
  • Should I put this on facebook/myspace?
  • Hey m8, who is this on the right, in this picture…
  • Sup, seen the pictures from the other night?
 
Skype
Recent variants of Win32/Pushbot may also be able to spread by utilizing Skype (an instant messaging application that allows users to send voice over the Internet). These Pushbot variants send keyboard and mouse events to Skype in order to open a message window to each of the user's contacts, paste in a message with a URL (presumably to a copy of Pushbot being hosted remotely), and then send the message.
 
Removable Drives
Some variants of Win32/Pushbot may also spread by copying themselves to removable drives (other than A: or B:, such as USB memory keys). They place themselves in the \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached.
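The removable-drive layout described above (an autorun.inf in the drive root pointing at a copy hidden in a RECYCLER\S-1-...\ folder that carries a Desktop.ini) can be checked directly on a mounted drive. The following Python is an added example, not Microsoft's code: the RECYCLER folder name and service.exe are taken from the page, the sample autorun.inf text is constructed, and the function names are assumptions.

```python
"""Inspect a removable drive for the autorun.inf / RECYCLER layout the page
describes. Added example, not Microsoft's code: the RECYCLER folder name and
service.exe are from the page, the sample autorun.inf text is constructed and
the function names are assumptions.
"""
import os
import re
import sys

# Legitimate Recycler folders are named after real account SIDs, whose
# identifier authority is 5 (NT AUTHORITY); the page's S-1-6-21-... is not one.
RECYCLER_PATH_RE = re.compile(r"(?:^|[\\/])RECYCLER[\\/]S-1-[\d-]+[\\/]", re.IGNORECASE)
# [autorun] keys whose value is executed or opened when the drive is attached.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def launch_targets(autorun_text):
    """Return the commands an autorun.inf would run, in file order."""
    targets, section = [], None
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # keys outside [autorun], or padding lines, are ignored
        key, _, value = line.partition("=")
        if key.strip().lower() in EXEC_KEYS:
            targets.append(value.strip())
    return targets


def points_into_recycler(target):
    """True if a launch target lives under RECYCLER\\S-1-...\\ as on the page."""
    return RECYCLER_PATH_RE.search(target) is not None


def plausible_sid(folder_name):
    """True for SIDs Windows itself would create (S-1-5-...)."""
    return folder_name.upper().startswith("S-1-5-")


def inspect_drive(root):
    """Walk a mounted drive root and report the page's removable-drive indicators."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, "r", errors="replace") as fh:
            for t in launch_targets(fh.read()):
                tag = "launches RECYCLER-hosted file" if points_into_recycler(t) else "launches"
                findings.append(f"autorun.inf {tag}: {t}")
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for name in os.listdir(recycler):
            sub = os.path.join(recycler, name)
            if not os.path.isdir(sub) or not name.upper().startswith("S-1-"):
                continue
            entries = {e.lower() for e in os.listdir(sub)}
            exes = sorted(e for e in entries if e.endswith(".exe"))
            if "desktop.ini" in entries and exes:
                findings.append(f"RECYCLER\\{name} has Desktop.ini plus {', '.join(exes)}")
            if not plausible_sid(name):
                findings.append(f"RECYCLER\\{name} is not a Windows-issued SID")
    return findings


# Constructed sample; the folder path is the one quoted on the page.
SAMPLE_AUTORUN_INF = """[autorun]
; comment lines and keys outside [autorun] are skipped
open=RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\service.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\service.exe
shell\\open\\command=RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\service.exe
"""

if __name__ == "__main__":
    for t in launch_targets(SAMPLE_AUTORUN_INF):
        print(("RECYCLER-hosted " if points_into_recycler(t) else "") + t)
    for drive in sys.argv[1:]:  # e.g. E:\ for a mounted USB key
        print(drive, inspect_drive(drive))
```

Run it with a drive root as the argument to check a real key; without arguments it only parses the constructed sample. The parser deliberately ignores lines without an `=` and keys outside `[autorun]`, because autorun.inf files dropped by malware are often padded with junk to hinder scanning, and Windows itself skips such lines.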
 
Peer to Peer Networking
Some variants may be ordered to spread by copying themselves to the shared directories of various peer-to-peer file sharing programs, using filenames such as the following:
 
Windows Live Password reveal.exe
Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com
eMule-0-48a-VeryCD080902-Update.exe
MsnCleaner.exe
KEY-GEN Adobe PhotoShop CS3.exe
KEY-GEN Kaspersky 2009.exe
KEY-GEN ESET NOD32 3.0.650.exe
KEY-GEN Ahead Nero 8 Ultra Edition.exe
Microsoft Office 2007.exe
Kaspersky 7.0 all versions.exe
windows xp genuine keygen.exe
windows xp activation hack 2008.exe
windows xp activation hack 2007.exe
 
Directories used may include:
 
%ProgramFiles%\Ares\My Shared Folder\
%ProgramFiles%\Direct Connect\Received Files\
%ProgramFiles%\KMD\My Shared Folder\
%ProgramFiles%\Rapigator\Share\
%ProgramFiles%\XoloX\Downloads\
%ProgramFiles%\Tesla\Files\
%ProgramFiles%\WinMX\My Shared Folder\
%ProgramFiles%\Swaptor\Download\
%ProgramFiles%\Overnet\incoming\
%ProgramFiles%\LimeWire\Shared\
%ProgramFiles%\appleJuice\incoming\
%ProgramFiles%\Filetopia3\Files\
%ProgramFiles%\ICQ\shared files\
%ProgramFiles%\Shareaza\Downloads\
%ProgramFiles%\BearShare\Shared\
%ProgramFiles%\eMule\Incoming\
%ProgramFiles%\Gnucleus\Downloads\
%ProgramFiles%\EDONKEY2000\incoming\
%ProgramFiles%\Morpheus\My Shared Folder\
%ProgramFiles%\Grokster\My Grokster\
%ProgramFiles%\Kazaa Lite\My Shared Folder\
%ProgramFiles%\Kazaa\My Shared Folder\
\My Shared Folder\
 
Payload
Backdoor Functionality
Once installed, the worm connects to an IRC server (for example, "services.msnservers.net") on a specified TCP port and awaits instructions. Using the backdoor, a remote attacker can perform a number of actions on the affected machine, including the following:
  • Spread via instant messaging
  • Halt the instant messaging spreading
  • Update itself
  • Remove itself
  • Download and execute arbitrary files
Some variants may also be able to perform one or more of the following additional activities:
  • Spread via removable drives
  • Spread via peer to peer networking
  • Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings.
  • Participate in Distributed Denial of Service attacks
  • Add extra instant messaging contacts
  • Send other messages to the user’s contacts
  • Redirect banking sites to a specified location (see Modifies Hosts File below)
  • Retrieve data from Windows Protected Storage. This may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger.
  • Connect to web sites without downloading files
  • Return various spreading and uptime statistics
 
Modifies System Settings
Some variants attempt to make additional system changes by modifying the registry, the hosts file, or by stopping services. For example, the worm may attempt to disable Task Manager by making the following registry modification:
Adds value: "DisableTaskMgr "
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
 
It may also attempt to disable several programs by making the changes below:
 
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun
Adds value: "msncleaner.exe"
With data: "1"
Adds value: "avp.exe"
With data: "2"
Adds value: "kav.esp"
With data: "3"
Adds value: "kav.eng"
With data: "4"
Adds value: "msconfig.exe"
With data: "5"
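The persistence mechanism described under Installation (the Run/RunOnce/RunOnceEx value, the mutex) and the policy changes in this section (DisableTaskMgr, the DisallowRun entries) are all visible in the registry and can be checked by a triage script. The following Python is an added example, not Microsoft's code: the indicator names and values come from the page; the function names, the constructed sample snapshot and the `--live` flag are assumptions. On Windows the standard `winreg` and `ctypes` modules read the live registry and test for the mutex; elsewhere the constructed sample is used.

```python
"""Registry and mutex triage for the Win32/Pushbot indicators on this page.

Added example, not Microsoft's code. The indicator values (Run value names,
"service.exe"/"svchost.exe", DisableTaskMgr, the DisallowRun entries, the
mutex name) are taken from the page; function names and the sample
registry snapshot are constructed for illustration.
"""
import sys

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
)
POLICY_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DISALLOW_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun"

KNOWN_RUN_NAMES = {"messenger service", "windows internet manager"}
KNOWN_RUN_DATA = {"service.exe", "svchost.exe"}
KNOWN_DISALLOWED = {"msncleaner.exe", "avp.exe", "kav.esp", "kav.eng", "msconfig.exe"}
KNOWN_MUTEXES = ("WindowsUpdateID39512",)


def triage(snapshot):
    """snapshot: {key_path: {value_name: data}} -> list of finding strings."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            n, d = name.strip().lower(), str(data).strip().lower()
            # A bare file name (no directory) is resolved through the search
            # path, which includes %windir%, where Pushbot drops its copy.
            bare = "\\" not in d and "/" not in d
            if n in KNOWN_RUN_NAMES or (bare and d in KNOWN_RUN_DATA):
                findings.append(f"autorun: {key}\\{name} = {data}")
    for name, data in snapshot.get(POLICY_SYSTEM, {}).items():
        # The page quotes the value name with a trailing space; strip() covers it.
        if name.strip().lower() == "disabletaskmgr" and str(data).strip() == "1":
            findings.append("policy: Task Manager disabled (DisableTaskMgr = 1)")
    for name, data in snapshot.get(DISALLOW_RUN, {}).items():
        # Windows stores the blocked program as the value data (the name is an
        # index); the page lists it as the value name, so check both positions.
        hit = {name.strip().lower(), str(data).strip().lower()} & KNOWN_DISALLOWED
        if hit:
            findings.append(f"policy: DisallowRun blocks {sorted(hit)[0]}")
    return findings


def collect_live():
    """Read the keys above from the live registry (Windows only)."""
    import winreg  # stdlib, present only on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for path in RUN_KEYS + (POLICY_SYSTEM, DISALLOW_RUN):
        hive, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = data
                    i += 1
                snapshot[path] = values
        except OSError:
            pass  # key absent: nothing to report for it
    return snapshot


def mutex_present(name):
    """True if a named mutex exists (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    h = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE access
    if h:
        k32.CloseHandle(ctypes.c_void_p(h))
        return True
    return False


# Constructed snapshot: one Pushbot-style Run value next to a benign one.
SAMPLE = {
    RUN_KEYS[0]: {"Messenger Service": "service.exe",
                  "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    POLICY_SYSTEM: {"DisableTaskMgr ": "1"},
    DISALLOW_RUN: {"msncleaner.exe": "1", "1": "avp.exe"},
}

if __name__ == "__main__":
    snap = collect_live() if "--live" in sys.argv and sys.platform == "win32" else SAMPLE
    for f in triage(snap):
        print(f)
    for m in KNOWN_MUTEXES:
        print(f"mutex {m}: {mutex_present(m)}")
```

The Run-key check matches on the value name or on a bare executable name from the page rather than on a full path, because a bare `svchost.exe` started from a Run value resolves to `%windir%\svchost.exe` (where the .BD variant drops itself) and not to the legitimate copy under `%windir%\system32`.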
 
Stops Services
Other variants attempt to stop the following services:
Security Center
Winvnc4
 
Terminates Processes
Some variants attempt to terminate processes, such as the following:
kav.exe
sndsrvc.exe
taskman.exe
mrt.exe
ethereal.exe
wpe pro.exe
hijackthis.exe
isafe.exe
vsmon.exe
outpost.exe
smc.exe
SpybotSD.exe
mcshield.exe
kavsvc.exe
rstrui.exe
MSNCleaner.exe
mbam-setup.exe
SDFix.exe
 
Modifies Hosts File
Some variants attempt to prevent the user from visiting security related sites by appending entries to the file at <system folder>\drivers\etc\hosts. For example, one variant was observed to use the following:
 
82.165.237.14
82.165.250.33
avp.com
ca.com
casablanca.cz
customer.symantec.com
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
d66.myleftnut.info
dispatch.mcafee.com
download.mcafee.com
downloads-us1.kaspersky.com
downloads1.kaspersky.com
downloads1.kaspersky.ru
downloads2.kaspersky.com
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
ebay.com
eset.casablanca.cz
eset.com
f-secure.com
ftp.downloads1.kaspersky-labs.com
ftp.downloads2.kaspersky-labs.com
grisoft.com
kaspersky-labs.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
metalhead2005.info
microsoft.com
moneybookers.com
my-etrust.com
nai.com
networkassociates.com
nod32.com
norton.com
pandasoftware.com
paypal.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
u2.eset.com
u3.eset.com
u4.eset.com
u7.eset.com
update.symantec.com
updates-us1.kaspersky.com
updates.symantec.com
updates1.kaspersky-labs.com
updates1.kaspersky.com
updates2.kaspersky-labs.com
updates2.kaspersky.com
updates3.kaspersky-labs.com
updates3.kaspersky.com
us.mcafee.com
viruslist.com
virustotal.com
www.amazon.ca
www.amazon.co.uk
www.amazon.com
www.amazon.fr
www.avp.com
www.ca.com
www.ebay.com
www.eset.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.moneybookers.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.nod32.com
www.norton.com
www.pandasoftware.com
www.paypal.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
www.virustotal.com
Other variants may attempt to redirect visits to various banking sites to a location specified by the backdoor's controller. These sites may include one or more of the following groups:
 
  • santander.com.mx
    www.santander.com.mx
    www.santander-serfin.com
    santander-serfin.com 
 
  • www.hsbc.com.mx
    hsbc.com.mx 
    conexion.bital.com.mx
 
  • www.bancoazteca.com.mx
    bancoazteca.com.mx
    www.bancoazteca.com
    bancoazteca.com 
 
  • www.banorte.com
    banorte.com
 
  • www.bancomer.com.mx
    www.bancomer.com
    bancomer.com
    bancomer.com.mx
 
  • inverweb1.scotiabankinverlat.com
    inverweb2.scotiabankinverlat.com
    inverweb3.scotiabankinverlat.com
    www.scotiabank.com.mx
    scotiabank.com.mx
    www.inverlat.com
    inverlart.com
    www.inverlat.com.mx
    inverlat.com.mx
    www.scotiabankinverlat.com
    scotiabankinverlat.com
    www.scotiabankinverlat.com.mx
    scotiabankinverlat.com.mx
    www.see.sbi.com.mx
    see.sbi.com.mx
 
  • banamex.com.mx
    www.banamex.com.mx
    banamex.com
    www.banamex.com
    www.bancanetempresarial.banamex.com.mx
    bancanetempresarial.banamex.com.mx
    boveda.banamex.com.mx
    boveda.banamex.com
 
The backdoor’s controller may also be able to specify other sites to redirect.
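Both hosts-file behaviours described above, blocking security and update sites and redirecting banking sites to a controller-chosen address, leave plain-text entries in `<system folder>\drivers\etc\hosts`. The following Python is an added example, not Microsoft's code, that parses a hosts file and reports any mapping of a watched domain (or a subdomain of it). The watched domains are a subset of those listed on the page, the sample hosts text is constructed (198.51.100.7 is a documentation address standing in for whatever the controller specifies), and the function names are assumptions.

```python
"""Audit a Windows hosts file for the blocking and redirect entries the page
describes. Added example, not Microsoft's code: the watched domains are a
subset of those listed on the page, the sample hosts text is constructed
(198.51.100.7 is a documentation address standing in for a controller-chosen
one) and the function names are assumptions.
"""
import ipaddress
import os

# Security-vendor domains from the page's observed hosts entries (subset).
WATCHED_SECURITY = {
    "kaspersky.com", "kaspersky-labs.com", "symantec.com", "mcafee.com",
    "microsoft.com", "eset.com", "f-secure.com", "sophos.com",
    "trendmicro.com", "virustotal.com", "avp.com", "nod32.com",
}
# Banking domains from the page's redirect groups (subset).
WATCHED_BANKING = {
    "santander.com.mx", "hsbc.com.mx", "bancoazteca.com.mx", "banorte.com",
    "bancomer.com.mx", "scotiabankinverlat.com", "banamex.com.mx",
}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in hosts text."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: Windows ignores the line, so do we
        for host in parts[1:]:
            entries.append((str(ip), host.lower(), no))
    return entries


def _matches(host, watched):
    """Return the watched base domain that host equals or sits under, or None."""
    for base in watched:
        if host == base or host.endswith("." + base):
            return base
    return None


def audit_hosts(text):
    """Return (line_no, category, hostname, effect) for each suspicious mapping."""
    findings = []
    for ip, host, no in parse_hosts(text):
        if _matches(host, WATCHED_SECURITY):
            category = "security"
        elif _matches(host, WATCHED_BANKING):
            category = "banking"
        else:
            continue
        addr = ipaddress.ip_address(ip)
        # Loopback/unspecified targets silently block the site (no updates, no
        # signatures); anything else sends the user to a host the attacker chose.
        effect = "blackholed" if addr.is_loopback or addr.is_unspecified else f"redirected to {ip}"
        findings.append((no, category, host, effect))
    return findings


def audit_windows_hosts():
    """Audit the live file at <system folder>\\drivers\\etc\\hosts (Windows)."""
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    with open(path, "r", errors="replace") as fh:
        return audit_hosts(fh.read())


SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       downloads1.kaspersky-labs.com
0.0.0.0         www.virustotal.com
198.51.100.7    www.banamex.com.mx banamex.com.mx
198.51.100.7    www.bancomer.com.mx   # appended by the backdoor controller
127.0.0.1       example.com
"""

if __name__ == "__main__":
    for no, category, host, effect in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {category} site {host} {effect}")
```

Any mapping of a vendor or banking domain is reported, whatever the address: a loopback or 0.0.0.0 target is how the worm stops signature and update downloads, while a routable target is the banking redirect. Matching on the base domain also catches hostnames not on the page's list, such as a new update mirror under kaspersky-labs.com.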
 
Analysis by David Wood and Hamish O'Dea

Symptoms

System Changes
Symptoms may vary among variants of the Worm:Win32/Pushbot family. An example of the system changes made by Worm:Win32/Pushbot.BD is shown below:
  • Presence of the following file: %windir%\svchost.exe
  • Presence of the following registry modification:
    Adds value: "Windows Internet Manager"
    With data: "svchost.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.
To turn on the Windows Firewall in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Alert level: Severe
This entry was first published on: Jan 27, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/Sdbot.worm.gen.ca (McAfee)
  • SDBot.gen8 (Norman)
  • W32.Palevo (Symantec)
  • P2P-Worm.Win32.Palevo (Kaspersky)