Worm:Win32/Pushbot.UZ is a worm that may spread via MSN Messenger and removable drives. The worm also contains backdoor functionality that allows unauthorized access to an affected computer. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker.
Installation
Worm:Win32/Pushbot.UZ copies itself to "%TEMP%\tridesee.exe" and sets the attributes of this copy to read-only, hidden and system. It modifies the registry so that this copy runs at each Windows start:
In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Driver Control Manager v5.7"
With data: "%TEMP%\tridesee.exe"
Worm:Win32/Pushbot.UZ also creates a mutex named "JebemtiKevuv1.4" to ensure that only one instance of itself is running on the computer.
It then launches the new copy of itself, and deletes the original.
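The following PowerShell script is an added host-triage example; it is not part of this write-up and is not a Microsoft tool. It checks a host for the installation artefacts described above: the Run values, the dropped copy in %TEMP% with its attributes, and the mutex. The indicator values (value name, path, mutex name) are taken from the text; the function names and report layout are the example's own. It assumes Windows PowerShell 5.1 or later and must run in the session of the affected user, because the HKCU Run key and the mutex (created without a "Global\" prefix) are per-session.

```powershell
# Added triage example; not part of the Microsoft write-up.
# Indicators (Run value name, dropped path, mutex name) come from the text above;
# function names and the report layout are this example's own.
# Assumes Windows PowerShell 5.1+, run in the affected user's session.

$RunValueName = 'Driver Control Manager v5.7'
$DroppedFile  = Join-Path $env:TEMP 'tridesee.exe'
$MutexName    = 'JebemtiKevuv1.4'
$RunKeys      = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-PushbotRunEntry {
    # Match the documented value name, and also any Run value whose data points
    # at tridesee.exe, in case a sample registers under a different name.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSDrive etc. are provider metadata
            if ($p.Name -eq $RunValueName -or "$($p.Value)" -match 'tridesee\.exe') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $p.Value }
            }
        }
    }
}

function Get-PushbotDroppedFile {
    # -Force is required: the copy is hidden+system and invisible to a plain Get-Item.
    $f = Get-Item -LiteralPath $DroppedFile -Force -ErrorAction SilentlyContinue
    if ($null -eq $f) { return $null }
    $attr = $f.Attributes
    [pscustomobject]@{
        Path       = $f.FullName
        Attributes = $attr
        # The write-up says the copy is marked read-only, hidden and system.
        AttrsAsDoc = ($attr.HasFlag([IO.FileAttributes]::ReadOnly) -and
                      $attr.HasFlag([IO.FileAttributes]::Hidden) -and
                      $attr.HasFlag([IO.FileAttributes]::System))
        Sha256     = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}

function Test-PushbotMutex {
    # Opening the mutex succeeds only if a running instance created it. The
    # handle is disposed at once: this observes the name, it does not hold it.
    $m = $null
    try {
        $found = [System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$m)
        if ($found) { $m.Dispose() }
        return $found
    } catch [System.UnauthorizedAccessException] {
        return $true   # the mutex exists but belongs to another integrity level/session
    }
}

function Invoke-PushbotHostTriage {
    $report = [ordered]@{
        RunKeyEntries = @(Get-PushbotRunEntry)
        DroppedFile   = Get-PushbotDroppedFile
        MutexPresent  = Test-PushbotMutex
    }
    $report['Infected'] = (($report.RunKeyEntries.Count -gt 0) -or
                           ($null -ne $report.DroppedFile) -or
                           $report.MutexPresent)
    [pscustomobject]$report
}

Invoke-PushbotHostTriage | Format-List
```

When the script reports a hit, clean up in this order: terminate the process that owns the mutex first (Windows will not delete an executable image that is still running), then remove the Run value from both hives, clear the read-only/hidden/system attributes on the %TEMP% copy and delete it. Keep the SHA-256 from the report for correlation with other hosts.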
Spreads via...
Removable drives
Worm:Win32/Pushbot.UZ may spread by copying itself to removable drives other than A: or B: (such as USB memory keys). It drops the following files:
- <removable drive>:\avm2\avm2\avm2v43.exe - worm copy
- <removable drive>:\avm2\avm2\desktop.ini - a desktop.ini that tells Windows Explorer to display the containing "avm2" folder as the Recycle Bin, hiding the worm copy from casual browsing
Worm:Win32/Pushbot.UZ also places an "autorun.inf" file in the root folder of each removable drive. This file instructs Windows to run the malware copy "avm2v43.exe" when the drive is opened, provided AutoRun is enabled. Windows 7 and later, and earlier versions with update KB971029 applied, ignore autorun.inf on USB drives; on those systems the file is still an indicator of infection but does not launch the worm.
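The following PowerShell script is an added example, not part of this write-up. It scans the removable drives attached to a host for the artefacts described above (autorun.inf and which program it launches, the "avm2\avm2" folder, the worm copy, and the Recycle Bin disguise in desktop.ini) and reports the NoDriveTypeAutoRun policy. The file and folder names are from the text; the Recycle Bin CLSID is the standard Windows shell identifier; the function names are the example's own. It assumes PowerShell 3.0 or later.

```powershell
# Added example; not part of the Microsoft write-up. File/folder names come from
# the text above; the CLSID is the standard Windows shell Recycle Bin identifier;
# function names are this example's own. Assumes PowerShell 3.0+.

$WormFile        = 'avm2v43.exe'
$WormFolder      = 'avm2\avm2'
$RecycleBinClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'

function Get-AutorunTarget {
    param([string]$AutorunInf)
    # Only the keys that can launch a program matter: open=, shellexecute=, and
    # shell\<verb>\command=. Values are returned verbatim for the report.
    $targets = @()
    $lines = Get-Content -LiteralPath $AutorunInf -Force -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += $matches[2]
        }
    }
    return $targets
}

function Test-RecycleBinDisguise {
    param([string]$Folder)
    # A desktop.ini carrying CLSID=<Recycle Bin CLSID> makes Explorer render the
    # folder with the Recycle Bin name and icon, so its contents are not browsed.
    $ini = Join-Path $Folder 'desktop.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return $false }
    $text = Get-Content -LiteralPath $ini -Force -Raw -ErrorAction SilentlyContinue
    return [bool]($text -match [regex]::Escape($RecycleBinClsid))
}

function Get-PushbotRemovableFinding {
    # DriveType 2 = removable. A: and B: are skipped, matching the worm's own rule.
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
              Where-Object { $_.DeviceID -notin @('A:', 'B:') }
    foreach ($d in $drives) {
        $root    = $d.DeviceID + '\'
        $autorun = Join-Path $root 'autorun.inf'
        $folder  = Join-Path $root $WormFolder
        $targets = @(Get-AutorunTarget $autorun)
        [pscustomobject]@{
            Drive              = $d.DeviceID
            AutorunInf         = Test-Path -LiteralPath $autorun
            AutorunTargets     = ($targets -join '; ')
            LaunchesWormCopy   = [bool]($targets -match [regex]::Escape($WormFile))
            WormCopyPresent    = Test-Path -LiteralPath (Join-Path $folder $WormFile)
            RecycleBinDisguise = Test-RecycleBinDisguise $folder
        }
    }
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is off;
    # bit 0x04 is DRIVE_REMOVABLE and 0xFF covers every type. When both hives
    # set it, the HKLM policy wins.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -LiteralPath $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            [pscustomobject]@{
                Hive               = $hive
                NoDriveTypeAutoRun = ('0x{0:X2}' -f $v)
                RemovableDisabled  = [bool]($v -band 0x04)
            }
        }
    }
}

Get-PushbotRemovableFinding | Format-Table -AutoSize
Get-AutoRunPolicy | Format-Table -AutoSize
```

Two caveats when reading the policy output. Before the KB971029 change, Windows still acted on the open= line when a user double-clicked the drive in My Computer even with the removable bit set in NoDriveTypeAutoRun, which is how worms of this kind spread on Windows XP; the bitmask alone was never a complete defence. And an infected drive should be cleaned by deleting autorun.inf and the "avm2" tree from a patched machine, not by opening the drive in Explorer on the suspect host.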
MSN Messenger
This worm may be ordered to spread via MSN Messenger by a remote attacker using the worm's backdoor functionality (see Payload section below for additional details). It can be ordered to send messages with a zipped copy of itself attached, or it can be ordered to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends a message to all of the user's contacts.
The filename of the .ZIP archive, the URL of the remote copy, and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, Pushbot variants have often been observed masquerading as images.
Payload
Allows backdoor access and control
Pushbot.UZ attempts to connect to an IRC server at "dghfg.dukatlgg.com" via TCP port 33333, join a chat channel, and wait for commands from an attacker. Using this backdoor, an attacker can perform the following actions on an affected computer:
- Start/stop spreading via MSN Messenger or AIM
- Update itself
- Remove itself
- Download and execute arbitrary files (see additional details below)
Pushbot.UZ may also be able to perform one or more of the following additional activities:
- Spread via removable drives
- Spread via peer to peer networking
- Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings
- Participate in Distributed Denial of Service attacks
- Add extra instant messaging contacts
- Send other messages to the user's contacts
- Redirect banking sites to a specified location
- Retrieve data from Windows Protected Storage; this may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger
- Connect to web sites without downloading files
- Return various spreading and uptime statistics
- Attempt to terminate particular processes by filename
- Perform packet sniffing on the computer, with the intent to intercept login attempts, IRC activity and visits to possibly sensitive websites, such as PayPal
Download and execute arbitrary files
Pushbot.UZ may connect to remote servers to download and execute arbitrary files. It has been observed connecting to these domains:
- img102.herosh.com
- img105.herosh.com
In the wild, Pushbot.UZ has been observed downloading the following malware from these sites:
This variant may also be ordered to send messages that contain URLs pointing to other malware to the affected user's MSN Messenger contacts. For instance, it has been observed sending a message via MSN Messenger that contains a URL to what appears to be a rogue Facebook application. The link references the server "picture8.fileave.com", which hosts an installer for Worm:Win32/Dorkbot.
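The following PowerShell script is an added example, not part of this write-up. It covers the network side of the payload: the IRC command channel on TCP port 33333 and the download and link hosts named above. It looks for live connections to the C2 port with their owning process, checks the local DNS client cache for the listed domains (a passive check that does not resolve anything and so does not tip off the operator), and provides an outbound firewall rule for containment. The host, port and domain names are those in the text; the function names and the firewall rule name are the example's own. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, Get-DnsClientCache and New-NetFirewallRule; the firewall step needs an elevated prompt.

```powershell
# Added example; not part of the Microsoft write-up. C2 host/port and domains
# are those listed in the text; function names and the rule name are this
# example's own. Assumes Windows 8 / Server 2012+ (NetTCPIP, DnsClient and
# NetSecurity modules). Block-PushbotC2Port needs an elevated prompt.

$C2Host  = 'dghfg.dukatlgg.com'
$C2Port  = 33333
$Domains = @($C2Host, 'img102.herosh.com', 'img105.herosh.com', 'picture8.fileave.com')

function Get-PushbotC2Connection {
    # Any TCP connection to the C2 port, with the owning process resolved so the
    # result can be tied back to %TEMP%\tridesee.exe. Keyed on the port rather
    # than the host, since the IRC server's IP address can change.
    Get-NetTCPConnection -RemotePort $C2Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                State       = $_.State
                ProcessId   = $_.OwningProcess
                ProcessName = $proc.ProcessName
                ImagePath   = $proc.Path
            }
        }
}

function Get-PushbotDnsCacheHit {
    # A cached record shows a lookup happened recently even after the
    # connection has closed. Reads the cache only; nothing is resolved.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -in $Domains } |
        Select-Object Entry, Data, TimeToLive
}

function Block-PushbotC2Port {
    # Containment, not cleanup: cutting the IRC channel stops the operator from
    # issuing further commands (spread, download, update) while the host is triaged.
    $name = 'Block Pushbot C2 TCP/33333'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort $C2Port -Action Block -Profile Any | Out-Null
    }
}

Get-PushbotC2Connection | Format-Table -AutoSize
Get-PushbotDnsCacheHit  | Format-Table -AutoSize
# Block-PushbotC2Port   # run from an elevated prompt once a hit is confirmed
```

The port check only sees sessions that are open at the moment it runs; because the bot holds its IRC connection open while waiting for commands, a missed hit usually means the process is not running rather than that it never connected. The firewall rule blocks all outbound TCP/33333, which is acceptable for containment on a workstation but should be reviewed on a server that legitimately uses that port.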
Additional Information
For more information, please see the Win32/Pushbot family description, elsewhere in our encyclopedia.
Analysis by Gilou Tenebro