Worm:Win32/Pushbot.MF is a worm that may spread via MSN Messenger and/or AIM. The worm also contains backdoor functionality that allows unauthorized access to an affected machine. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker.
When executed, Worm:Win32/Pushbot.MF copies itself to "%windir%\msnsmsgrs.exe " and sets the attributes for this copy to read only, hidden and system. It modifies the registry to run this copy at each Windows start:
Adds value: "Windows UDP Control Center"
With data: "msnsmsgrs.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "wextract_cleanup0"
With data: "rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\admini~1\locals~1\temp\ixp000.tmp\""
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
It then launches the new copy of itself, and deletes the original.
Worm:Win32/Pushbot may attempt to disguise itself as a picture or video file. As a result, it may be packaged with clean video player software updates, or display message boxes such as the following:
Worm:Win32/Pushbot.MF may also create the following file/s on an affected machine:
MSN Messenger and/or AIM
This worm may be ordered to spread via Messenger or AIM by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). It can be ordered to send messages with a zipped copy of itself attached, or it can be ordered to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends a message to all of the infected user's contacts.
The filename of the ZIP archive, the URL of the remote copy and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, Pushbot variants have often been observed masquerading as images.
Some variants of Worm:Win32/Pushbot may also spread by copying themselves to removable drives (other than A: or B:, such as USB memory keys). They place themselves in the \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached.
Peer to Peer Networking
Some variants may be ordered to spread by copying themselves to the shared directories of various peer-to-peer file sharing programs, using filenames such as the following:
Windows Live Password reveal.exe
KEY-GEN Adobe PhotoShop CS3.exe
KEY-GEN Kaspersky 2009.exe
KEY-GEN ESET NOD32 3.0.650.exe
KEY-GEN Ahead Nero 8 Ultra Edition.exe
Microsoft Office 2007.exe
Kaspersky 7.0 all versions.exe
windows xp genuine keygen.exe
windows xp activation hack 2008.exe
windows xp activation hack 2007.exe
Directories used may include:
%ProgramFiles%\Ares\My Shared Folder\
%ProgramFiles%\Direct Connect\Received Files\
%ProgramFiles%\KMD\My Shared Folder\
%ProgramFiles%\WinMX\My Shared Folder\
%ProgramFiles%\Morpheus\My Shared Folder\
%ProgramFiles%\Kazaa Lite\My Shared Folder\
%ProgramFiles%\Kazaa\My Shared Folder\
\My Shared Folder\
Some variants have the ability to spread by exploiting various vulnerabilities in targeted machines upon being commanded to do so by a remote attacker.
Backdoor Functionality: Port 4244
Pushbot.MF attempts to connect to an IRC server at ngiga.zbv2dns.com.es via TCP port
4244, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
- Spread via MSN Messenger or AIM
- Download and execute arbitrary files
Pushbot.MF may also be able to perform one or more of the following additional activities:
- Spread via removable drives
- Spread via peer to peer networking
- Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings.
- Participate in Distributed Denial of Service attacks
- Add extra instant messaging contacts
- Send other messages to the user’s contacts
- Redirect banking sites to a specified location
- Retrieve data from Windows Protected Storage. This may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger.
- Connect to web sites without downloading files
- Return various spreading and uptime statistics
- Attempt to terminate particular processes by filename
- Perform packet sniffing on the affected system, with the intent to intercept login attempts, IRC activity and visits to possibly sensitive websites, such as PayPal.
Pushbot may also attempt to disable the following programs by making further modifications to the registry:
Analysis by David Wood