Worm:Win32/Pushbot.VD is a worm that may spread to network drives as a file named "moco.exe". The worm contains backdoor functionality that allows unauthorized access and control of an affected machine. The worm may be instructed to spread via MSN Messenger and block access to web email services.
Installation
When run, this worm drops a copy of itself as the following:
- <system folder>\msnrmgs.exe
The registry is modified to run the worm at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "MicrosoftNAPC"
To data: "<system folder>\msnrmgs.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "MicrosoftCorp"
To data: "<system folder>\msnrmgs.exe"
Spreads via...
MSN Messenger
Once the worm connects to a remote server, it awaits instructions from an attacker (see Payload below for additional detail). The attacker could instruct the worm to spread via Messenger by sending a message containing text and an attachment to the user's contacts. Below is one example of the text sent when the worm is instructed to spread by this method:
- Hey m8, check this out. its a cleaner for windows. been using it for awhile...
Network drives
The worm copies itself to network drives as the following:
- <drive:>\ice\fire\moco.exe
The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Allows limited and unauthorized remote access and control
The worm attempts to connect to one of the following Internet Relay Chat (IRC) servers to accept commands from a remote attacker:
- h0ney.facilderecordar.com
- pingp0ng.notengodominio.com
Once connected, the worm joins a channel and awaits commands from an attacker. Using this backdoor, an attacker can perform the following actions on an affected machine:
- Spread via MSN Messenger
- Halt spreading
- Update or remove itself
- Download and execute arbitrary files
- Retrieve sensitive information stored in Windows Protected Storage (aka "PStore") which can include auto-complete data and stored passwords from Internet Explorer, Microsoft Outlook and MSN Messenger
Modifies Hosts file
The worm could be instructed to modify the local DNS resolution file, "Hosts", so that access to a number of online banking websites (mostly Mexican banks) is redirected to a destination of the attacker's choosing.
The worm may also modify the Hosts file to block access to the following online email services by redirecting them to 127.0.0.1 (the local machine):
- gmail.com
- www.gmail.com
- hotmail.com
- www.hotmail.com
- mail.live.com
- login.live.com
- mail.prodigy.net.mx
- prodigy.net.mx
- yahoo.com
- yahoo.com.mx
- login.yahoo.com
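The two artefacts described above, the autorun.inf written beside the network-drive copy and the tampered Hosts file, are both plain text that an incident responder can audit offline. The following is an added example written for this page, not code from the Microsoft write-up: it parses an autorun.inf for the file it would launch, and scans Hosts file text for webmail hosts pinned to loopback (the blocking behaviour) and for any host mapped to a non-loopback address (the redirect behaviour). The sample inputs are constructed; the webmail list and the `ice\fire\moco.exe` path come from the page, and `www.bank-example.com.mx` with 198.51.100.23 are placeholders.

```python
import configparser
import ipaddress

# Webmail hosts the write-up says the worm maps to 127.0.0.1 (taken from the page).
WEBMAIL = {
    "gmail.com", "www.gmail.com", "hotmail.com", "www.hotmail.com",
    "mail.live.com", "login.live.com", "mail.prodigy.net.mx", "prodigy.net.mx",
    "yahoo.com", "yahoo.com.mx", "login.yahoo.com",
}
# Constructed sample Hosts file (not from a real infection); 198.51.100.23 is a
# documentation address standing in for an attacker-chosen destination.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.hotmail.com   # webmail blocked
198.51.100.23   www.bank-example.com.mx
"""
SAMPLE_AUTORUN = "[autorun]\nopen=ice\\fire\\moco.exe\n"  # constructed; path from the page


def audit_hosts(text):
    """Return (hostname, ip, reason) findings: 'blocked-webmail' for a known webmail
    host mapped to loopback, 'redirect' for any host mapped elsewhere (review, not verdict)."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address-to-name line
        for host in fields[1:]:
            host = host.lower()
            if ip.is_loopback:
                if host in WEBMAIL:
                    findings.append((host, str(ip), "blocked-webmail"))
            else:
                findings.append((host, str(ip), "redirect"))
    return findings


def autorun_target(inf_text):
    """Return the file an autorun.inf would launch (open= or shellexecute=), else None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inf_text)
    for section in cp.sections():
        if section.lower() == "autorun":
            for key in ("open", "shellexecute"):
                if cp.has_option(section, key):
                    return cp.get(section, key).strip()
    return None
```

Entries mapped to internal addresses are legitimate in managed environments, so the `redirect` findings are a review list rather than a verdict; on a home machine any such entry deserves a look.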
Analysis by Jaime Wong