Threat behavior
Worm:Win32/Pushbot!inf is a detection for the autorun.inf configuration file dropped by variants of the Worm:Win32/Pushbot family when spreading via removable drives.
Win32/Pushbot is a family of malware that may spread via removable drives, and also spreads via MSN Messenger and AIM when commanded to by a remote attacker. This worm contains backdoor functionality that allows unauthorized access and control of an affected machine. For more details, please see the Win32/Pushbot description elsewhere in the encyclopedia.
When run, some variants of Win32/Pushbot may spread by copying themselves to removable drives (other than A: or B:). They copy themselves into a directory on the removable drive, often one whose name follows a format similar to \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213, and place a file named Desktop.ini alongside the copy. The contents of Desktop.ini indicate to the operating system that the folder should be displayed as a Recycle Bin.
The malware also places an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
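The drive layout described above can be checked for on a suspect removable drive. The following Python sketch is an added example, not part of the original analysis: it reads the text of an autorun.inf and reports launch entries that point into a \RECYCLER\S-... folder. The function names, the matching heuristic and the sample file contents (including the executable name sample.exe) are assumptions constructed for illustration.

```python
import re

# Keys in the [autorun] section that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Folder layout the write-up describes: \RECYCLER\S-<digits and dashes>\...
FAKE_BIN = re.compile(r"(^|\\)RECYCLER\\S-\d+(-\d+)+\\", re.I)


def launch_targets(autorun_text):
    """Return (key, value) pairs from [autorun] that start a program.

    Parsed line by line rather than with configparser, so junk or
    padding lines in the file are skipped instead of raising.
    """
    targets, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line or line.startswith(";"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            targets.append((key.lower(), value.replace("/", "\\")))
    return targets


def flag_fake_recycler(autorun_text):
    """Launch entries whose target sits inside a RECYCLER\\S-... folder."""
    return [(k, v) for k, v in launch_targets(autorun_text) if FAKE_BIN.search(v)]


# Constructed sample; the executable name is a placeholder, not from the write-up.
SAMPLE = r"""
;padding line
[autorun]
open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\sample.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\sample.exe
shell\open\default=1
"""
BENIGN = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"

if __name__ == "__main__":
    for key, value in flag_fake_recycler(SAMPLE):
        print(f"suspicious autorun entry: {key} -> {value}")
```

A hit is a reason to inspect the drive further, not a verdict on its own; an ordinary installer autorun.inf such as the BENIGN sample produces no hits.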
Analysis by David Wood
Prevention