Worm:Win32/Pushbot.SW is a worm that may spread via Windows Live Messenger and/or AIM. The worm also contains backdoor functionality that allows unauthorized access to an affected machine. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker.
Installation
When executed, Worm:Win32/Pushbot.SW copies itself to "%windir%\jusched.exe" (borrowing the filename of the legitimate Java Update Scheduler, which is not installed in %windir%) and sets the attributes of this copy to read-only, hidden and system. It modifies the registry so that this copy runs at each Windows start:
Adds value: "Java developer Script Browse"
With data: "c:\windows\jusched.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
It then launches the new copy of itself, and deletes the original.
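The persistence entry above is a masquerade: a well-known filename dropped into a directory where the real program never lives. As an added example (not part of the original entry and not Microsoft's tooling), the Python below parses a constructed `reg export` of the HKLM Run key and flags values whose executable carries a known-good name but sits outside the directory where that program is installed. The sample export text, the expected-location table and the assumption that the system drive is C: are all assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg export` of the HKLM Run key would produce on an
# infected host (not a real capture). The first entry is the genuine Java Update
# Scheduler; the second is the Pushbot.SW value from the description above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe\""
"Java developer Script Browse"="c:\\windows\\jusched.exe"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

# Filenames that attackers borrow from legitimate software, mapped to the directory
# prefixes where the real program is installed. The table is an assumption for this
# example; a real deployment would build it from a software inventory.
EXPECTED_LOCATIONS = {
    "jusched.exe": ("c:\\program files\\", "c:\\program files (x86)\\"),
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text):
    """Return {value_name: command} for REG_SZ values in a .reg export.
    .reg files escape backslashes and quotes with a backslash; undo that."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values

def image_path(command):
    """Extract the executable from a Run command: a quoted path, or a bare path
    up to its .exe extension (arguments, if any, are dropped)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(?i)(.*?\.exe)", command)
    return m.group(1) if m else command

def normalise(path):
    """Lower-case and expand the two variables that commonly appear in Run values.
    Assumes the system drive is C:."""
    path = path.lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, "c:\\windows")
    return path

def find_masquerades(reg_text):
    """Run entries whose filename is a known-good name but whose directory is not where
    that program lives. Returns [(value_name, normalised_path)]."""
    hits = []
    for name, command in parse_run_values(reg_text).items():
        path = normalise(image_path(command))
        expected = EXPECTED_LOCATIONS.get(PureWindowsPath(path).name)
        if expected and not path.startswith(expected):
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in find_masquerades(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {path}")
```

On a live host the same text comes from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg`. Because the dropped copy is marked hidden and system, a plain `dir %windir%` will not list it; use `dir /a` or `attrib` when confirming the file is present.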
Worm:Win32/Pushbot may attempt to disguise itself as a picture or video file; for example, it may be packaged with a clean video player software update, or display a decoy message box when run.
Worm:Win32/Pushbot.SW may also create the following files on an affected machine:
Spreads via…
Instant messaging
This worm may be ordered to spread via Windows Live Messenger, Yahoo Messenger or AIM by a remote attacker using the worm's backdoor functionality (see Payload section below for additional details). It can be ordered to send messages with a zipped copy of itself attached, or it can be ordered to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends a message to all of the infected user's contacts.
The filename of the .ZIP archive, the URL of the remote copy and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, Pushbot variants have often been observed masquerading as images.
Skype
Recent variants of Win32/Pushbot may also spread via Skype (an instant messaging application that also carries voice calls over the Internet). These variants drive the Skype client by sending it synthetic keyboard and mouse events: they open a message window to each of the user's contacts, paste in a message containing a URL (presumably pointing to a copy of Pushbot hosted remotely), and send it.
Removable drives
Some variants of Worm:Win32/Pushbot may also spread by copying themselves to removable drives (any drive letter other than A: or B:, for example USB memory sticks). They place the copy in the \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 folder along with a Desktop.ini file whose contents tell Windows Explorer to display the folder as a Recycle Bin, hiding the executable from casual inspection. They also place an autorun.inf file in the root directory of the drive so that, where AutoRun is enabled, the copy is run when the drive is attached.
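The two files that make the removable-drive trick work are autorun.inf (what gets launched) and Desktop.ini (what the folder looks like). As an added example, not taken from the original entry, the Python below triages a constructed image of an infected drive: it parses autorun.inf for every key that names a program, finds folders whose Desktop.ini claims the Recycle Bin CLSID, and reports launch targets that live inside such a folder. The folder name is the one given above; the executable name photo.exe, the autorun.inf text and the other files on the drive are assumptions for the example. The CLSID is the well-known Windows Recycle Bin shell-folder identifier.

```python
# Well-known Windows constant: the Recycle Bin shell folder CLSID. A Desktop.ini that
# names it makes Explorer display the folder with the Recycle Bin name and icon,
# whatever the folder actually contains.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# Keys in [autorun] that name a program to run; shell\<verb>\command keys are handled
# separately because the verb is variable.
AUTORUN_EXEC_KEYS = ("open", "shellexecute")

# Constructed image of an infected removable drive as {path: contents} (not a real
# capture). The folder name is the one given in the description above; the executable
# name photo.exe and the autorun.inf text are assumptions for this example.
WORM_DIR = "RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213"
SAMPLE_DRIVE = {
    "autorun.inf": (
        "[AutoRun]\r\n"
        f"open={WORM_DIR}\\photo.exe\r\n"
        f"shell\\open\\command={WORM_DIR}\\photo.exe\r\n"
        "shell\\open=Open folder to view files\r\n"
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    ),
    f"{WORM_DIR}\\Desktop.ini": f"[.ShellClassInfo]\r\nCLSID={RECYCLE_BIN_CLSID}\r\n",
    f"{WORM_DIR}\\photo.exe": b"MZ",
    "holiday\\IMG_0001.jpg": b"\xff\xd8\xff\xe0",
}

def parse_autorun(text):
    """{key: value} from the [autorun] section, keys lower-cased; other sections ignored."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Programs autorun.inf asks Windows to run: open=, shellexecute= and every
    shell\\<verb>\\command=. Arguments after the first token are dropped, so a quoted
    path containing spaces would need extra handling."""
    targets = []
    for key, value in entries.items():
        if key in AUTORUN_EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            if value:
                targets.append(value.split()[0].strip('"'))
    return list(dict.fromkeys(targets))  # de-duplicate, keep order

def fake_recycle_bins(drive):
    """Directories whose Desktop.ini claims the Recycle Bin CLSID (lower-cased paths)."""
    dirs = set()
    for path, content in drive.items():
        if path.lower().endswith("\\desktop.ini") and isinstance(content, str):
            if RECYCLE_BIN_CLSID.lower() in content.lower():
                dirs.add(path.lower().rsplit("\\", 1)[0])
    return dirs

def triage_drive(drive):
    """Tie the two together: what autorun.inf would execute, and whether that file sits
    in a folder disguised as the Recycle Bin."""
    autorun = next((c for p, c in drive.items() if p.lower() == "autorun.inf"), None)
    targets = launch_targets(parse_autorun(autorun)) if autorun else []
    bins = fake_recycle_bins(drive)
    disguised = [t for t in targets if t.lower().rsplit("\\", 1)[0] in bins]
    return {"launch_targets": targets,
            "fake_recycle_bins": sorted(bins),
            "disguised_targets": disguised}

if __name__ == "__main__":
    for key, value in triage_drive(SAMPLE_DRIVE).items():
        print(f"{key}: {value}")
```

The same two checks apply to a drive mounted read-only on an analysis machine: walk it, build the path-to-contents map, and call triage_drive. Any folder Explorer shows as a Recycle Bin but which a directory listing shows as an ordinary folder holding an executable deserves a closer look, whether or not autorun.inf points at it.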
Peer-to-Peer networking
Some variants may be ordered to spread by copying themselves to the shared directories of various Peer-To-Peer file sharing programs, using filenames such as the following:
- Windows Live Password reveal.exe
- Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com
- eMule-0-48a-VeryCD080902-Update.exe
- MsnCleaner.exe
- KEY-GEN Adobe PhotoShop CS3.exe
- KEY-GEN Kaspersky 2009.exe
- KEY-GEN ESET NOD32 3.0.650.exe
- KEY-GEN Ahead Nero 8 Ultra Edition.exe
- Microsoft Office 2007.exe
- Kaspersky 7.0 all versions.exe
- windows xp genuine keygen.exe
- windows xp activation hack 2008.exe
- windows xp activation hack 2007.exe
Directories used may include:
- %ProgramFiles%\Ares\My Shared Folder\
- %ProgramFiles%\Direct Connect\Received Files\
- %ProgramFiles%\KMD\My Shared Folder\
- %ProgramFiles%\Rapigator\Share\
- %ProgramFiles%\XoloX\Downloads\
- %ProgramFiles%\Tesla\Files\
- %ProgramFiles%\WinMX\My Shared Folder\
- %ProgramFiles%\Swaptor\Download\
- %ProgramFiles%\Overnet\incoming\
- %ProgramFiles%\LimeWire\Shared\
- %ProgramFiles%\appleJuice\incoming\
- %ProgramFiles%\Filetopia3\Files\
- %ProgramFiles%\ICQ\shared files\
- %ProgramFiles%\Shareaza\Downloads\
- %ProgramFiles%\BearShare\Shared\
- %ProgramFiles%\eMule\Incoming\
- %ProgramFiles%\Gnucleus\Downloads\
- %ProgramFiles%\EDONKEY2000\incoming\
- %ProgramFiles%\Morpheus\My Shared Folder\
- %ProgramFiles%\Grokster\My Grokster\
- %ProgramFiles%\Kazaa Lite\My Shared Folder\
- %ProgramFiles%\Kazaa\My Shared Folder\
- \My Shared Folder\
Exploit
Some variants have the ability to spread by exploiting vulnerabilities in targeted machines when commanded to do so by a remote attacker.
Payload
Backdoor functionality: TCP port 2345
Pushbot.SW attempts to connect to an IRC server at 142.45.186.244 via TCP port 2345, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
- Spread via Windows Live Messenger or AIM
- Download and execute arbitrary files
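The command channel described above is plain IRC to a fixed server on a non-standard port, which gives a defender two complementary detections: the exact server:port indicator, and the behaviour (an IRC client handshake going to a port that is not an IRC port). As an added example, not part of the original entry, the Python below runs both checks over constructed "first payload" flow records of the kind an IDS or proxy would log. The record format, the nicknames, the channel names and every address other than the C2 indicator are made up for the example.

```python
# Indicator taken from the description above: the IRC server and port Pushbot.SW uses.
C2_INDICATORS = {("142.45.186.244", 2345)}
IRC_STANDARD_PORTS = {6667, 6697}
# Registration commands an IRC client sends first after connecting.
IRC_CLIENT_VERBS = (b"NICK ", b"USER ", b"PASS ", b"CAP ")

# Constructed flow records (not real captures): the first client payload of each TCP
# connection, as an IDS or proxy "first packet" log would record it. Addresses other
# than the C2 indicator are documentation ranges; nicknames and channels are made up.
SAMPLE_FLOWS = [
    {"src": "10.0.0.15", "dst": "142.45.186.244", "dport": 2345,
     "payload": b"NICK wksh-7f3a\r\nUSER wksh 0 * :wksh\r\nJOIN #ch\r\n"},
    {"src": "10.0.0.15", "dst": "203.0.113.80", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.22", "dst": "198.51.100.7", "dport": 8080,
     "payload": b"NICK wksh-22\r\nUSER wksh 0 * :wksh\r\nJOIN #ch2 secret\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.5", "dport": 6667,
     "payload": b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #python\r\n"},
]

def looks_like_irc_client(payload):
    """True if the client's first line is an IRC registration command."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(IRC_CLIENT_VERBS)

def joined_channels(payload):
    """Channels named in JOIN lines (the optional key after the channel list is dropped),
    for enriching an alert with where the bot was told to wait for commands."""
    chans = []
    for line in payload.split(b"\r\n"):
        if line.startswith(b"JOIN "):
            chan_list = line[5:].split(b" ")[0]
            chans.extend(c.decode(errors="replace") for c in chan_list.split(b",") if c)
    return chans

def classify_flow(flow):
    """Alerts for one flow: the exact indicator from the description first, then the
    behavioural rule (IRC handshake to a non-IRC port), which also catches servers the
    indicator list does not know about."""
    alerts = []
    if (flow["dst"], flow["dport"]) in C2_INDICATORS:
        alerts.append("known Pushbot.SW IRC C2 endpoint")
    if looks_like_irc_client(flow["payload"]) and flow["dport"] not in IRC_STANDARD_PORTS:
        alerts.append(f"IRC client handshake on non-standard port {flow['dport']}")
    return alerts

def scan(flows):
    """(src, dst, dport, channels, alerts) for every flow that raised at least one alert."""
    results = []
    for f in flows:
        alerts = classify_flow(f)
        if alerts:
            results.append((f["src"], f["dst"], f["dport"], joined_channels(f["payload"]), alerts))
    return results

if __name__ == "__main__":
    for src, dst, dport, chans, alerts in scan(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} channels={chans}: {'; '.join(alerts)}")
```

The flow to 198.51.100.7 shows why the behavioural rule matters: it is not in the indicator set, yet an IRC registration to port 8080 from a workstation is the same pattern. Legitimate IRC on 6667 produces no alert, so the rule can run without drowning out real signal; in an environment where no IRC is expected at all, dropping the port exception and alerting on every IRC handshake is the stricter option.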
Pushbot.SW may also be able to perform one or more of the following additional activities:
- Spread via removable drives
- Spread via peer to peer networking
- Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings
- Participate in Distributed Denial of Service attacks
- Add extra instant messaging contacts
- Send other messages to the user’s contacts
- Redirect banking sites to a specified location
- Retrieve data from Windows Protected Storage. This may include auto-complete data and stored passwords from Internet Explorer, Outlook, and Windows Live Messenger
- Connect to websites without downloading files
- Return various spreading and uptime statistics
- Attempt to terminate particular processes by filename
- Perform packet sniffing on the affected system, with the intent to intercept login attempts, IRC activity and visits to possibly sensitive websites, such as PayPal
Pushbot may also attempt to disable the following programs by making further modifications to the registry:
- msncleaner.exe
- avp.exe
- kav.esp
- kav.eng
- msconfig.exe
Additional information
Analysis by David Wood