Worm:Win32/Pushbot.BD


Worm:Win32/Pushbot.BD is a worm that spreads via MSN Messenger and AIM when commanded to by a remote attacker. This worm contains backdoor functionality that allows unauthorized access and control of an affected machine.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
When executed, Worm:Win32/Pushbot.BD copies itself to %windir%\svchost.exe and sets the attributes of this file to read-only, hidden and system. It then modifies the registry to ensure that this copy is executed at each Windows start:
 
Adds value: "Windows Internet Manager"
With data: "svchost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 
It also displays a message box with the title "Windows Microsoft Viewer" containing the text:
 
"Picture can not be displayed."
 
It creates a mutex named "ha7gha7g6avb12" in order to ensure that multiple copies of the worm do not run simultaneously.
 
Spreads Via…
MSN Messenger and AIM
Using its backdoor functionality (see the Payload section below for additional detail), Worm:Win32/Pushbot.BD can be ordered by a remote attacker to spread via MSN Messenger and AIM. It sends a message to all of the infected user's contacts. The message is provided by the controller via the IRC backdoor, and it has been observed to include a URL pointing to a copy of the worm executable on the domain 'www.mymsnpics.net'.

Payload
Backdoor Functionality: Port 20733
Once installed, the worm connects to the IRC server 'msn.sandboxanddie.info' on port 20733 and awaits instructions. Using the backdoor, a remote attacker can perform a number of actions on the affected machine, including the following:
  • Spread via MSN Messenger or AIM
  • Update itself
  • Remove itself
  • Download and execute arbitrary files

Symptoms

System Changes
The following system changes may indicate the presence of Worm:Win32/Pushbot.BD:
  • Presence of the following file: %windir%\svchost.exe
  • Presence of the following registry modification:
    Adds value: "Windows Internet Manager"
    With data: "svchost.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
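As an added example (not part of the encyclopedia entry), the following PowerShell script checks a host for the three host-based indicators described above: the dropped copy at %windir%\svchost.exe (the legitimate svchost.exe lives in %windir%\System32, so a copy directly under %windir% is suspicious on its own), the "Windows Internet Manager" Run value, and the "ha7gha7g6avb12" mutex. It assumes an elevated session and that the mutex was created in the session-local namespace, since the entry does not mention a Global\ prefix.

```powershell
# Added example: host check for the Worm:Win32/Pushbot.BD indicators listed under Symptoms.
# Run in an elevated PowerShell session on the machine being examined.
$findings = @()

# 1. Dropped file: %windir%\svchost.exe. The genuine service host binary is
#    %windir%\System32\svchost.exe, so a copy one level up is itself a red flag.
$dropped = Join-Path $env:windir 'svchost.exe'
if (Test-Path -LiteralPath $dropped) {
    # -Force is needed because the worm sets the hidden and system attributes.
    $item = Get-Item -LiteralPath $dropped -Force
    $findings += "File present: $dropped (attributes: $($item.Attributes))"
}

# 2. Persistence: value "Windows Internet Manager" with data "svchost.exe"
#    under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Windows Internet Manager'
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $valueName)) {
    $data = $props.$valueName
    $findings += "Run value present: '$valueName' = '$data'"
}

# 3. Mutex "ha7gha7g6avb12": TryOpenExisting succeeds only while a running
#    process holds a mutex of that name (assumed session-local namespace).
$mutex = $null
if ([System.Threading.Mutex]::TryOpenExisting('ha7gha7g6avb12', [ref]$mutex)) {
    $mutex.Dispose()
    $findings += "Mutex 'ha7gha7g6avb12' is currently held by a running process"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm:Win32/Pushbot.BD indicators found.'
} else {
    Write-Output 'Possible Worm:Win32/Pushbot.BD indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any one indicator is grounds for the full-system scan recommended above rather than manual cleanup; the mutex check in particular only fires while the worm process is active.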

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.131.1058.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jan 28, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases