Worm:Win32/Pushbot.gen!C is a generic detection for worms that may spread via MSN Messenger and/or AOL Instant Messenger. It also contains backdoor functionality that allows unauthorized access to an affected system.
Installation
When executed, Worm:Win32/Pushbot.gen!C copies itself to the Windows folder using different file names, such as the following:
It sets the attributes for this copy to read only, hidden, and system. It also modifies the registry to run this copy at each Windows start, for example:
Adds value: "MSN"
With data: "%windir%\svch0st.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "MicrosoftCorp"
With data: "%windir%\svch0st.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
It then launches its copy, and deletes its originally-running file.
Spreads Via...
MSN Messenger and/or AOL Instant Messenger
This worm may be ordered to spread via MSN Messenger or AOL Instant Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional details). It can be ordered to send instant messages with a zipped copy of itself attached, or it can be ordered to send instant messages that contain URLs pointing to a remotely-hosted copy of itself. It sends a message to all of the user's contacts.
The file name of the ZIP archive, the URL of the remote copy, and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, Pushbot variants have often been observed masquerading as image files.
Removable Drives
Some variants of Worm:Win32/Pushbot.gen!C may also spread by copying themselves to removable drives (other than A: or B:, such as USB flash drives). They place themselves in different folders, such as '\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213' or '\ice\fire', along with a file named 'Desktop.ini' on the root of the drive, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place a file named 'autorun.inf' in the root of the drive, which indicates that the copied file should be run when the drive is attached and Autorun is enabled.
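The following read-only triage script is an added example, not part of this encyclopedia entry, covering both the Installation artifacts above (the two Run values and the hidden %windir%\svch0st.exe copy) and the removable-drive artifacts described in this section. Registry paths, value names, file names and folder names come from the entry; the function names and the choice to treat any svch0st.exe Run entry as suspicious are the example's own.

```powershell
# Persistence locations named in the entry
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Test-PushbotRunKeys {
    # Report Run entries named "MSN" or "MicrosoftCorp", or whose data points
    # at svch0st.exe (note the zero in place of the "o").
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $data = [string]$p.Value
            if ($p.Name -in @('MSN', 'MicrosoftCorp') -or $data -match 'svch0st\.exe') {
                [pscustomobject]@{ Indicator = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $data }
            }
        }
    }
}

function Test-PushbotDropper {
    # The copy is set ReadOnly, Hidden and System, so -Force is needed to see it.
    $path = Join-Path $env:windir 'svch0st.exe'
    if (Test-Path -LiteralPath $path) {
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        [pscustomobject]@{ Indicator = 'File'; Location = $path; Detail = $attrs.ToString() }
    }
}

function Test-PushbotRemovableDrives {
    # DriveType 2 = removable; A: and B: are excluded as the entry states.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
        Where-Object { $_.DeviceID -notin @('A:', 'B:') } |
        ForEach-Object {
            $root = $_.DeviceID + '\'
            foreach ($name in @('autorun.inf', 'Desktop.ini')) {
                $f = Join-Path $root $name
                if (Test-Path -LiteralPath $f) {
                    [pscustomobject]@{ Indicator = 'RootFile'; Location = $f; Detail = (Get-Content -LiteralPath $f -Raw) }
                }
            }
            # Executables hidden inside the fake Recycle Bin or \ice\fire folders
            foreach ($dir in @('RECYCLER', 'ice\fire')) {
                Get-ChildItem -LiteralPath (Join-Path $root $dir) -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
                    ForEach-Object { [pscustomobject]@{ Indicator = 'HiddenExe'; Location = $_.FullName; Detail = $_.Length } }
            }
        }
}

Test-PushbotRunKeys; Test-PushbotDropper; Test-PushbotRemovableDrives
```

Run it from an elevated prompt; it only reports findings and changes nothing, so a hit on the Run keys or on a RECYCLER folder executable is a lead for the usual removal and re-imaging process, not proof on its own.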
Payload
Allows backdoor access and control
Worm:Win32/Pushbot.gen!C attempts to connect to IRC servers via different TCP ports, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected system:
- Spread via MSN Messenger or AOL Instant Messenger
- Halt spreading
- Update itself
- Remove itself
- Download and execute arbitrary files
Some of the IRC servers it has been known to connect to are:
- queweysoy.sin-ip.es
- 120.power-hackers.com
Some variants of Worm:Win32/Pushbot.gen!C may also be able to perform one or more of the following additional activities via its backdoor functionality:
- Participate in Distributed Denial of Service (DDoS) attacks
- Retrieve data from Windows Protected Storage, which may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger
- Attempt to terminate particular processes by file name
Analysis by Elda Dimakiling