Worm:Win32/Pushbot.LZ is a worm that may spread via MSN Messenger or by sending malicious exploit code to machines vulnerable to Microsoft Security Bulletin
MS08-067. This worm also contains backdoor functionality that allows unauthorized access to an affected machine. It does not spread automatically upon installation, but must be ordered to spread by a remote attacker.
Installation
Upon execution, Worm:Win32/Pushbot.LZ drops a copy of itself in the system as the following:
%windir%\usbmgr.exe
It modifies the registry so that its copy runs every time Windows starts:
Adds value: "Windows Data Serivce"
With data: "usbmgr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreads via...
Instant messengers
Worm:Win32/Pushbot.LZ may be ordered to spread via MSN Messenger or AOL Instant Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). It can be ordered to send messages with a zipped copy of itself attached, or it can be ordered to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends a message to all of the user's contacts.
Logical drives
Some variants of Worm:Win32/Pushbot may also spread by copying themselves to removable drives other than A: or B: (such as removable drives or mapped drives). They place a copy of themselves in the \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 folder, along with a file named desktop.ini, the contents of which indicate to the operating system that the folder icon should be that of a Recycle Bin. They also create an autorun.inf file in the root folder of the drive, which allows the worm copy to automatically run when the drive is accessed and AutoRun is enabled.
MS08-067 exploit
Worm:Win32/Pushbot.LZ may spread automatically to systems that have not yet applied the security update discussed in the Microsoft Security Bulletin
MS08-067.
Payload
Stops system service
Worm:Win32/Pushbot.LZ stops the 'Security Center' service.
Performs backdoor functionalities
Worm:Win32/Pushbot.LZ attempts to connect to an IRC server at linux.totalunix.net via TCP port 3627. It joins a channel to wait for commands from a remote attacker. The attacker can choose to perform any of the following commands on the infected machine:
Spread via exploit code to machines vulnerable to MS08-067
Spread via MSN Messenger or AOL Instant Messenger
Spread via logical drives
Halt spreading
Update itself
Remove itself
Download and execute arbitrary files
Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings
Participate in Distributed Denial of Service (DDoS) attacks
Add extra instant messaging contacts
Send other messages to the user’s contacts
Redirect banking sites to a specified location
Retrieve data from Windows Protected Storage; this may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger
Connect to Web sites
Send malware statistics, such as spreading and uptime data, to a remote attacker
Attempt to terminate particular processes depending on file name
Perform packet sniffing on the infected system, with the intent to intercept login attempts, IRC activity, and visits to possibly sensitive sites, such as PayPal
Additional Information
Worm:Win32/Pushbot.LZ obtains the IP address of the infected machine by connecting to the following Web sites:
http://www.whatismyip.com/
http://checkip.dyndns.org/
Analysis by Francis Allan Tan Seng
