Worm:Win32/Pushbot.gen!C


Worm:Win32/Pushbot.gen!C is a generic detection for worms that may spread via MSN Messenger and/or AOL Instant Messenger. It also contains backdoor functionality that allows unauthorized access to an affected system.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For a list of antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
When executed, Worm:Win32/Pushbot.gen!C copies itself to the Windows folder (%windir%) under one of several file names, for example:
 
  • update.exe
  • svch0st.exe
 
It sets the attributes of this copy to read-only, hidden, and system. It also modifies the registry so that the copy runs at each Windows start, for example:
 
Adds value: "MSN"
With data: "%windir%\svch0st.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "MicrosoftCorp"
With data: "%windir%\svch0st.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
 
It then launches the copy and deletes the file it was originally run from.
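The two registry entries above are the kind of artifact a responder checks first. The following is an added example, not Microsoft's code or part of the original write-up: it parses a `reg export` (.reg) file offline and flags Run-key entries that show the traits described here (an executable dropped straight into %windir%, a name imitating svchost.exe, use of the policies\Explorer\Run key), rather than matching only the two documented file names. The sample export is constructed; the `C:\Windows` install path and the list of imitated system binaries are my assumptions.

```python
"""Triage of Run-key persistence from a `reg export` file (added example)."""
import ntpath
import re
from typing import Dict, List

# Constructed sample in the format written by
#   reg export "HKLM\Software\Microsoft\Windows\CurrentVersion" cv.reg
# trimmed to the two keys of interest. The svch0st.exe values mirror the
# entries documented for this worm; SecurityHealth is a benign control entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"MSN"="%windir%\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MicrosoftCorp"="%windir%\\svch0st.exe"
'''

WINDIR = r'C:\Windows'                      # assumption: default install location
KNOWN_PUSHBOT_NAMES = {'svch0st.exe', 'update.exe'}
# System binaries whose names malware commonly imitates (my list, not from the write-up).
IMITATED_BINARIES = {'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe'}
HOMOGLYPHS = str.maketrans({'0': 'o', '1': 'l', '5': 's'})
AUTOSTART_SUFFIXES = (r'\currentversion\run', r'\currentversion\runonce', r'\policies\explorer\run')

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key to its REG_SZ values; hex:/dword: values are skipped
    because they cannot hold a command line."""
    entries: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None and m.group(2).startswith('"') and m.group(2).endswith('"'):
            name = _unescape(m.group(1)) if m.group(1) is not None else '(Default)'
            entries[key][name] = _unescape(m.group(2)[1:-1])
    return entries


def _image_path(command: str) -> str:
    """First token of a command line (quoted path aware), with %windir%/%SystemRoot% expanded."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(' ', 1)[0]
    return re.sub(r'%(windir|systemroot)%', lambda _: WINDIR, path, flags=re.I)


def assess_autostarts(entries: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return one finding per autostart value that shows a Pushbot-style trait."""
    findings = []
    for key, values in entries.items():
        lkey = key.lower()
        if not lkey.endswith(AUTOSTART_SUFFIXES):
            continue
        for name, command in values.items():
            path = _image_path(command)
            base = ntpath.basename(path).lower()
            reasons = []
            if lkey.endswith(r'\policies\explorer\run'):
                reasons.append('registered under policies\\Explorer\\Run, rarely used by legitimate software')
            if ntpath.dirname(path).lower() == WINDIR.lower():
                reasons.append('executable sits directly in %windir% rather than in a subfolder')
            if base in KNOWN_PUSHBOT_NAMES:
                reasons.append('file name documented for Pushbot')
            imitated = base.translate(HOMOGLYPHS)
            if imitated in IMITATED_BINARIES and base != imitated:
                reasons.append(f'look-alike of {imitated}')
            if reasons:
                findings.append({'key': key, 'value': name, 'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in assess_autostarts(parse_reg_export(SAMPLE_REG)):
        print(f"{f['key']}\\{f['value']} -> {f['path']}")
        for r in f['reasons']:
            print('   ', r)
```

On the sample, the MSN and MicrosoftCorp values are reported with their reasons and the SecurityHealth entry is not; on a real export the hidden/system attributes of the flagged file would be confirmed separately with `attrib` on the host.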
Spreads Via...
MSN Messenger and/or AOL Instant Messenger
A remote attacker can instruct this worm, through its backdoor (see Payload below), to spread via MSN Messenger or AOL Instant Messenger. It can be told to send instant messages with a zipped copy of itself attached, or messages containing a URL that points to a remotely hosted copy of itself. The message is sent to all of the user's contacts.
 
The name of the ZIP archive, the URL of the remote copy, and the text of the messages are variable and may be supplied by the remote controller over the IRC backdoor. In the wild, spreading Pushbot variants have often been observed masquerading as image files.
 
Removable Drives
Some variants of Worm:Win32/Pushbot.gen!C may also spread by copying themselves to removable drives other than A: or B:, such as USB flash drives. They place the copy in one of several folders, such as '\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213' or '\ice\fire', along with a file named 'Desktop.ini' in the root of the drive, whose contents tell Windows to display the folder as a Recycle Bin. They also place a file named 'autorun.inf' in the root of the drive, which causes the copied file to run when the drive is attached and Autorun is enabled.
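The removable-drive layout just described can be checked offline from a drive image or a file listing. The following is an added example, not Microsoft's code or part of the original write-up: it parses autorun.inf tolerantly (in-the-wild copies are often padded with junk lines), extracts every path Autorun would launch, and flags the tells from this section: an executable under a recycle-bin folder, a folder named like a SID whose identifier authority is not 5 (real account SIDs are S-1-5-21-..., and the documented folder uses S-1-6-21), and a root Desktop.ini carrying the Recycle Bin shell-folder CLSID. The sample file tree is constructed; the placeholder executable body is not malware.

```python
"""Offline triage of a removable drive's root for the autorun layout described above (added example)."""
import re
from typing import Dict, List

# Constructed file tree of an infected USB stick: path relative to the drive
# root -> file contents. The executable body is a placeholder string.
SAMPLE_DRIVE: Dict[str, str] = {
    'autorun.inf': (
        '[autorun]\r\n'
        'open=RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\svch0st.exe\r\n'
        'shell\\open\\Command=RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\svch0st.exe\r\n'
        'shell\\explore\\Command=RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\svch0st.exe\r\n'
        'icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n'
        'UseAutoPlay=1\r\n'
    ),
    'Desktop.ini': '[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n',
    'RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\svch0st.exe': 'MZ placeholder',
    'holiday photos\\IMG_0001.jpg': '...',
}

RECYCLE_BIN_CLSID = '{645FF040-5081-101B-9F08-00AA002F954E}'   # Windows Recycle Bin shell-folder CLSID
RECYCLE_DIR_NAMES = {'recycler', 'recycled', '$recycle.bin'}
SID_RE = re.compile(r'^S-1-(\d+)(?:-\d+)+$', re.I)
LAUNCH_KEYS = ('open', 'shellexecute')


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Keep only key=value lines inside [autorun]; ignore junk, comments and other sections."""
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_autorun = line[1:-1].strip().lower() == 'autorun'
            continue
        if not in_autorun or '=' not in line or line.startswith(';'):
            continue
        key, _, value = line.partition('=')
        values[key.strip().lower()] = value.strip().strip('"')
    return values


def launch_targets(autorun: Dict[str, str]) -> List[str]:
    """Paths Autorun would execute: open=, shellexecute=, and every shell\\<verb>\\command=."""
    targets: List[str] = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or (key.startswith('shell\\') and key.endswith('\\command')):
            exe = value.split(' ')[0]   # assumption: no spaces inside the path itself
            if exe and exe not in targets:
                targets.append(exe)
    return targets


def triage_removable_drive(files: Dict[str, str]) -> List[str]:
    """Human-readable findings for one drive root; empty list means nothing autorun-related."""
    lookup = {p.replace('/', '\\').lower(): c for p, c in files.items()}
    findings: List[str] = []
    inf = lookup.get('autorun.inf')
    if inf is None:
        return findings
    for target in launch_targets(parse_autorun_inf(inf)):
        parts = target.replace('/', '\\').split('\\')
        findings.append(f'autorun.inf launches {target}')
        if any(p.lower() in RECYCLE_DIR_NAMES for p in parts[:-1]):
            findings.append(f'{target}: executable stored under a recycle-bin folder')
        for p in parts[:-1]:
            m = SID_RE.match(p)
            if m and m.group(1) != '5':   # genuine account SIDs use identifier authority 5
                findings.append(f'{target}: folder named like a SID but with identifier authority {m.group(1)} instead of 5')
        if target.lower() in lookup:
            findings.append(f'{target}: file present on the drive')
    if RECYCLE_BIN_CLSID.lower() in lookup.get('desktop.ini', '').lower():
        findings.append('root Desktop.ini carries the Recycle Bin CLSID (folder masquerades as the Recycle Bin)')
    return findings


if __name__ == '__main__':
    for line in triage_removable_drive(SAMPLE_DRIVE):
        print(line)
```

A clean drive (no autorun.inf) yields no findings; the sample yields one line per tell, which is enough to decide whether to image the stick before it is plugged into anything with Autorun enabled.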
Payload
Allows backdoor access and control
Worm:Win32/Pushbot.gen!C attempts to connect to IRC servers on various TCP ports, join a channel, and wait for commands. Through this backdoor, an attacker can perform the following actions on an affected system:
 
  • Spread via MSN Messenger or AOL Instant Messenger 
  • Halt spreading
  • Update itself
  • Remove itself
  • Download and execute arbitrary files
 
Some of the IRC servers it has been known to connect to are:
 
  • queweysoy.sin-ip.es
  • 120.power-hackers.com
 
Some variants of Worm:Win32/Pushbot.gen!C may also be able to perform one or more of the following additional actions through the backdoor:
 
  • Participate in Distributed Denial of Service (DDoS) attacks
  • Retrieve data from Windows Protected Storage, which may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger
  • Attempt to terminate particular processes by file name
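Because the bot reaches its IRC servers on varying TCP ports, a network rule keyed on tcp/6667 alone will miss it, whereas the IRC registration a client must send (PASS/NICK/USER, then JOIN) looks the same on any port. The following is an added example, not Microsoft's code or part of the original write-up: it scores captured client-side flow payloads for that handshake regardless of port and cross-checks the destination against the two server names listed above. The flow records are constructed; the nick, channel and password strings in them are made up.

```python
"""Port-agnostic spotting of IRC command-and-control in captured client traffic (added example)."""
import re
from typing import List, Tuple

# Constructed flow summaries: (destination host, destination port, first bytes
# the client sent). The two C2 hostnames are those listed in the write-up.
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ('120.power-hackers.com', 2345, b'NICK u-3381\r\nUSER u-3381 0 0 :u\r\nJOIN #c p4ss\r\n'),
    ('queweysoy.sin-ip.es', 65520, b'PASS letmein\r\nNICK u-9902\r\nUSER u 0 0 :u\r\n'),
    ('www.example.com', 80, b'GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n'),
    ('irc.libera.chat', 6667, b'NICK alice\r\nUSER alice 0 * :Alice\r\n'),   # ordinary IRC client
]

KNOWN_C2_HOSTS = {'queweysoy.sin-ip.es', '120.power-hackers.com'}   # from the write-up
STANDARD_IRC_PORTS = {6667, 6697}
# IRC commands are case-insensitive, so match either case and normalise below.
IRC_REG_RE = re.compile(rb'^(PASS|NICK|USER|JOIN)\b', re.M | re.I)


def irc_handshake_score(payload: bytes) -> int:
    """Number of distinct IRC registration commands at line starts in the client's first bytes."""
    return len({cmd.upper() for cmd in IRC_REG_RE.findall(payload)})


def classify_flow(host: str, port: int, payload: bytes) -> Tuple[str, List[str]]:
    """Return (severity, reasons): 'high' for a listed C2 host, 'medium' for an IRC
    handshake on a non-standard port, 'info' for IRC on 6667/6697, otherwise 'none'."""
    reasons: List[str] = []
    listed = host.lower() in KNOWN_C2_HOSTS
    score = irc_handshake_score(payload)
    if listed:
        reasons.append('destination is a Pushbot IRC server named in the write-up')
    if score >= 2:
        reasons.append(f'IRC client registration ({score} distinct commands) on tcp/{port}')
        if port not in STANDARD_IRC_PORTS:
            reasons.append('IRC on a non-standard port')
    if listed:
        severity = 'high'
    elif score >= 2 and port not in STANDARD_IRC_PORTS:
        severity = 'medium'
    elif score >= 2:
        severity = 'info'
    else:
        severity = 'none'
    return severity, reasons


def triage_flows(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, str, int, List[str]]]:
    """Every flow that is not 'none', as (severity, host, port, reasons)."""
    results = []
    for host, port, payload in flows:
        severity, reasons = classify_flow(host, port, payload)
        if severity != 'none':
            results.append((severity, host, port, reasons))
    return results


if __name__ == '__main__':
    for severity, host, port, reasons in triage_flows(SAMPLE_FLOWS):
        print(f'[{severity}] {host}:{port}')
        for r in reasons:
            print('   ', r)
```

The legitimate client on tcp/6667 is kept at 'info' so it can be reviewed rather than blocked; a two-command threshold avoids flagging an HTTP request whose body happens to contain the word USER on one line.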
 
Analysis by Elda Dimakiling

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    update.exe
    svch0st.exe
  • The presence of the following registry modifications:
    Added value: "MSN"
    With data: "%windir%\svch0st.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Added value: "MicrosoftCorp"
    With data: "%windir%\svch0st.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.191.930.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Dec 29, 2009
This entry was updated on: Nov 10, 2010

This threat is also detected as:
  • Trojan.Win32.Buzus.cbwp (Kaspersky)
  • Trojan.Buzus.AMCO (VirusBuster)
  • Trj/Buzus.AH (Panda)
  • TROJ_BUZUS.BFQ (Trend Micro)
  • BKDR_SDBOT.DQJ (Trend Micro)
  • Worm.Pushbot.LM (VirusBuster)
  • Win32.HLLW.MyBot (Dr.Web)