Worm:Win32/Pushbot.MF


Worm:Win32/Pushbot.MF is a worm that may spread via MSN Messenger and/or AIM. The worm also contains backdoor functionality that allows unauthorized access to an affected machine. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
When executed, Worm:Win32/Pushbot.MF copies itself to "%windir%\msnsmsgrs.exe" and sets the attributes of this copy to read only, hidden and system. It modifies the registry so that this copy runs at each Windows start:
 
Adds value: "Windows UDP Control Center"
With data: "msnsmsgrs.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "wextract_cleanup0"
With data: "rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\admini~1\locals~1\temp\ixp000.tmp\""
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
It then launches the new copy of itself, and deletes the original.
 
Worm:Win32/Pushbot may attempt to disguise itself as a picture or video file. As a result, it may be packaged with clean video player software updates, or display message boxes such as the following:
Worm:Win32/Pushbot.MF may also create the following file/s on an affected machine:
  • %windir%\msnsmsgrs.exe
  • c:\documents and settings\administrator\local settings\temp\ixp000.tmp\reptile.exe
Spreads Via…
MSN Messenger and/or AIM
This worm may be ordered to spread via Messenger or AIM by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). It can be ordered to send messages with a zipped copy of itself attached, or it can be ordered to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends a message to all of the infected user's contacts.
 
The filename of the ZIP archive, the URL of the remote copy and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, Pushbot variants have often been observed masquerading as images.
 
Removable Drives
Some variants of Worm:Win32/Pushbot may also spread by copying themselves to removable drives (other than A: or B:, such as USB memory keys). They place themselves in the \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached.
 
Peer to Peer Networking
Some variants may be ordered to spread by copying themselves to the shared directories of various peer-to-peer file sharing programs, using filenames such as the following:
 
Windows Live Password reveal.exe
Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com
eMule-0-48a-VeryCD080902-Update.exe
MsnCleaner.exe
KEY-GEN Adobe PhotoShop CS3.exe
KEY-GEN Kaspersky 2009.exe
KEY-GEN ESET NOD32 3.0.650.exe
KEY-GEN Ahead Nero 8 Ultra Edition.exe
Microsoft Office 2007.exe
Kaspersky 7.0 all versions.exe
windows xp genuine keygen.exe
windows xp activation hack 2008.exe
windows xp activation hack 2007.exe
 
Directories used may include:
 
%ProgramFiles%\Ares\My Shared Folder\
%ProgramFiles%\Direct Connect\Received Files\
%ProgramFiles%\KMD\My Shared Folder\
%ProgramFiles%\Rapigator\Share\
%ProgramFiles%\XoloX\Downloads\
%ProgramFiles%\Tesla\Files\
%ProgramFiles%\WinMX\My Shared Folder\
%ProgramFiles%\Swaptor\Download\
%ProgramFiles%\Overnet\incoming\
%ProgramFiles%\LimeWire\Shared\
%ProgramFiles%\appleJuice\incoming\
%ProgramFiles%\Filetopia3\Files\
%ProgramFiles%\ICQ\shared files\
%ProgramFiles%\Shareaza\Downloads\
%ProgramFiles%\BearShare\Shared\
%ProgramFiles%\eMule\Incoming\
%ProgramFiles%\Gnucleus\Downloads\
%ProgramFiles%\EDONKEY2000\incoming\
%ProgramFiles%\Morpheus\My Shared Folder\
%ProgramFiles%\Grokster\My Grokster\
%ProgramFiles%\Kazaa Lite\My Shared Folder\
%ProgramFiles%\Kazaa\My Shared Folder\
\My Shared Folder\
 
Exploit
Some variants have the ability to spread by exploiting various vulnerabilities in targeted machines upon being commanded to do so by a remote attacker.
Payload
Backdoor Functionality: Port 4244
Pushbot.MF attempts to connect to an IRC server at ngiga.zbv2dns.com.es via TCP port 4244, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
  • Spread via MSN Messenger or AIM
  • Halt spreading
  • Update itself
  • Remove itself
  • Download and execute arbitrary files
 
Pushbot.MF may also be able to perform one or more of the following additional activities:
  • Spread via removable drives
  • Spread via peer to peer networking
  • Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings.
  • Participate in Distributed Denial of Service attacks
  • Add extra instant messaging contacts
  • Send other messages to the user’s contacts
  • Redirect banking sites to a specified location
  • Retrieve data from Windows Protected Storage. This may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger.
  • Connect to web sites without downloading files
  • Return various spreading and uptime statistics
  • Attempt to terminate particular processes by filename
  • Perform packet sniffing on the affected system, with the intent to intercept login attempts, IRC activity and visits to possibly sensitive websites, such as PayPal.
 
Pushbot may also attempt to disable the following programs by making further modifications to the registry:
msncleaner.exe
avp.exe
kav.esp
kav.eng
msconfig.exe
Additional Information
For more information, please see the Win32/Pushbot family description, elsewhere in our encyclopedia.
 
Analysis by David Wood

Symptoms

System Changes
The following system changes may be indicative of a Pushbot.MF infection:
  • Presence of the file/s:
    %windir%\msnsmsgrs.exe
    c:\documents and settings\administrator\local settings\temp\ixp000.tmp\reptile.exe
  • Presence of the following registry modifications:
    Adds value: "Windows UDP Control Center"
    With data: "msnsmsgrs.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
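The following PowerShell script is an added host-check example, not part of this encyclopedia entry or of Microsoft's tooling. It looks for the indicators given in the Installation, Spreads Via and Symptoms sections above (the dropped copy, its Run value, the fake Recycle Bin folder and autorun.inf on removable drives, and a live connection to TCP port 4244); it only reports and removes nothing.

```powershell
# Added example: audit a host for the Worm:Win32/Pushbot.MF indicators listed above.
# Run from an elevated PowerShell session. Reports only; it does not remove anything.

$findings = @()

# 1. Dropped copy: %windir%\msnsmsgrs.exe, normally with read-only, hidden and system attributes
$copyPath = Join-Path $env:windir 'msnsmsgrs.exe'
if (Test-Path -LiteralPath $copyPath) {
    $attrs = (Get-Item -LiteralPath $copyPath -Force).Attributes
    $findings += "File present: $copyPath (attributes: $attrs)"
}

# 2. Persistence: Run value "Windows UDP Control Center" pointing at msnsmsgrs.exe
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Windows UDP Control Center' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += "Run value present: 'Windows UDP Control Center' = '$($runValue.'Windows UDP Control Center')'"
}

# 3. Removable drives (DriveType 2): RECYCLER\<SID-like folder> and a root autorun.inf
$recyclerSub = 'RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213'
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root     = $_.DeviceID + '\'
    $autorun  = Join-Path $root 'autorun.inf'
    $recycler = Join-Path $root $recyclerSub
    if (Test-Path -LiteralPath $autorun)  { $findings += "autorun.inf in root of removable drive $($_.DeviceID)" }
    if (Test-Path -LiteralPath $recycler) { $findings += "Recycle Bin lookalike folder on $($_.DeviceID): $recycler" }
}

# 4. IRC backdoor: any established TCP connection whose remote port is 4244, with the owning process
Get-NetTCPConnection -RemotePort 4244 -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Connection to $($_.RemoteAddress):4244 from PID $($_.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Pushbot.MF indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Get-NetTCPConnection requires Windows 8 / Server 2012 or later; on older systems replace step 4 with `netstat -ano` output filtered for `:4244`. A hit on any of these checks is a reason to run the full-system scan recommended above rather than to clean by hand.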

Prevention


Alert level: Severe
First detected by definition: 1.59.659.0
Latest detected by definition: 1.131.1058.0 and higher
First detected on: Jun 01, 2009
This entry was first published on: Nov 17, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • TROJ_HUPIGON.NHR (Trend Micro)
  • Backdoor.Win32.IRCBot.kkt (Kaspersky)
  • W32/IRCBot-AFE (Sophos)
  • W32.IRCBot (Symantec)