Worm:Win32/Pushbot.BE is a worm that spreads via MSN Messenger when commanded to by a remote attacker. This worm contains backdoor functionality that allows unauthorized access and control of an affected machine.
Installation
When executed, Worm:Win32/Pushbot.BE copies itself to %windir%\wkssvc.exe and sets the attributes of this file to read-only, hidden and system. It then modifies the registry to ensure that this copy is executed at each Windows start:
Adds value: "Windows Console"
With data: "wkssvc.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
It also displays a decoy message box, consistent with the "picture" lure used when it spreads, with the title "Windows Microsoft Viewer" containing the text:
"Picture can not be displayed."
It creates a mutex named "sfkgjs55555g" in order to ensure that multiple copies of the worm do not run simultaneously.
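The installation indicators above (a bare "wkssvc.exe" under the "Windows Console" value of the HKLM Run key) can be checked offline against a `reg export` of that key. The following is an added example written for this page, not code from Microsoft or from the worm analysis: it parses the .reg text format, reports the exact Pushbot.BE autorun value, and also flags any Run entry whose image name is unqualified, since such a name is resolved through the CreateProcess search order (which includes the Windows directory), which is exactly what lets a copy dropped in %windir% start without a full path. The sample export and the "SecurityHealth" and "Updater" entries in it are constructed for the example.

```python
import re
from typing import Iterator, List, Tuple

# Persistence indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PUSHBOT_VALUE_NAME = "Windows Console"
PUSHBOT_FILE = "wkssvc.exe"

# Constructed sample of what `reg export HKLM\...\Run run.reg` produces
# (real exports are UTF-16LE; open them with encoding="utf-16").
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Windows Console"="wkssvc.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg exports escape a double quote as \" and a backslash as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for every named value in a .reg export.
    REG_SZ data is unquoted and unescaped; other types (hex:, dword:) stay raw."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, _unescape(m.group("name")), data


def _executable_of(command: str) -> str:
    """Image path of a Run-entry command line, handling quoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", command)
    return m.group(1) if m else (command.split()[0] if command else "")


def find_pushbot_persistence(reg_text: str) -> List[str]:
    """Findings for the Run key: the Pushbot.BE value, its image name under
    another value, and any entry that starts an unqualified image name."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() != RUN_KEY.lower():
            continue
        exe = _executable_of(data)
        basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == PUSHBOT_VALUE_NAME and basename == PUSHBOT_FILE:
            findings.append(f"Pushbot.BE autorun value: {name!r} = {data!r}")
        elif basename == PUSHBOT_FILE:
            findings.append(f"Pushbot.BE image under another value name: {name!r} = {data!r}")
        elif "\\" not in exe and ":" not in exe:
            # An unqualified image is located through the CreateProcess search
            # order, which includes the Windows directory; that is why a bare
            # "wkssvc.exe" paired with a copy in %windir% is enough to persist.
            findings.append(f"unqualified image in Run entry, review: {name!r} = {data!r}")
    return findings


if __name__ == "__main__":
    for finding in find_pushbot_persistence(SAMPLE_REG_EXPORT):
        print(finding)
```

Run it against a real export with `find_pushbot_persistence(open("run.reg", encoding="utf-16").read())`; the "unqualified image" rule is a review heuristic, not a verdict, and should be checked against %windir% and the other search-order directories for the file it names.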
Spreads Via…
MSN Messenger
Using backdoor functionality (see Payload section below for additional detail) Worm:Win32/Pushbot.BE can be ordered to spread via MSN Messenger by a remote attacker. It sends a message to all of the infected user's contacts.
The worm can be ordered to spread in two different ways. It can be ordered to send a zipped copy of itself, or it can be ordered to send messages, which can contain URLs pointing to a remotely hosted copy of itself.
When sending itself inside a ZIP archive, it uses one of the following messages:
Hey, check out this great photo from my trip to England!
Have I shown you this new picture of my cat :)
Did you see this picture, it's hilarious!!!!!
The filename of the ZIP is variable; it is supplied by the remote controller via the IRC backdoor.
When sending a URL, the message is provided by the controller via the IRC backdoor. It has been observed to include a URL pointing to a copy of the worm executable on the domain 'mainmsn.net'.
Payload
Backdoor Functionality: Port 2007
Once installed, the worm connects to the IRC server 'c.united-crew.org' on TCP port 2007 and awaits instructions. Using the backdoor, a remote attacker can perform a number of actions on the affected machine, including the following:
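The network indicators in this entry (the IRC server 'c.united-crew.org' on TCP port 2007 and the observed download host 'mainmsn.net') are straightforward to hunt for in DNS, proxy and connection logs. The following is an added example for this page, not Microsoft's tooling: it matches hostnames by exact or subdomain match and flags outbound connections to port 2007. The log layout, the client and destination addresses (documentation ranges) and the photo.zip URL are all constructed for the example; the destination IP is not a known address of the real server.

```python
import re
from typing import List, Optional, Tuple

# Network indicators taken from the description above.
IOC_HOSTS = {
    "c.united-crew.org": "Pushbot.BE IRC command server",
    "mainmsn.net": "host observed serving the worm executable via sent URLs",
}
IOC_PORT = 2007  # TCP port the IRC backdoor connects to

# Constructed log lines in a simple "<time> <client> <kind> ..." layout
# (not any real product's format); adapt the regexes to your own logs.
SAMPLE_LOG = """\
2008-03-12T10:04:11Z 10.0.0.7 dns query www.msn.com
2008-03-12T10:04:12Z 10.0.0.7 dns query mainmsn.net
2008-03-12T10:04:13Z 10.0.0.7 http GET http://mainmsn.net/photo.zip
2008-03-12T10:04:20Z 10.0.0.7 dns query c.united-crew.org
2008-03-12T10:04:21Z 10.0.0.7 conn tcp 10.0.0.7:1045 -> 203.0.113.5:2007
2008-03-12T10:05:02Z 10.0.0.9 conn tcp 10.0.0.9:1102 -> 198.51.100.3:443
"""

_DNS_RE = re.compile(r"dns query (?P<name>\S+)")
_URL_RE = re.compile(r"https?://(?P<host>[^/:\s]+)")
_CONN_RE = re.compile(r"conn tcp \S+ -> (?P<dst>[\d.]+):(?P<port>\d+)")


def ioc_for_host(name: str) -> Optional[Tuple[str, str]]:
    """Exact or subdomain match against IOC_HOSTS (e.g. a.mainmsn.net matches)."""
    name = name.lower().rstrip(".")
    for ioc, why in IOC_HOSTS.items():
        if name == ioc or name.endswith("." + ioc):
            return ioc, why
    return None


def scan_network_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, indicator, reason) for every line that matches an IOC."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) < 3:
            continue
        client = fields[1]
        names = [m.group("name") for m in _DNS_RE.finditer(line)]
        names += [m.group("host") for m in _URL_RE.finditer(line)]
        for n in names:
            hit = ioc_for_host(n)
            if hit:
                hits.append((client, n, hit[1]))
        m = _CONN_RE.search(line)
        if m and int(m.group("port")) == IOC_PORT:
            hits.append((client, f"{m.group('dst')}:{m.group('port')}",
                         "outbound TCP/2007, the Pushbot.BE IRC port (confirm the destination)"))
    return hits


if __name__ == "__main__":
    for client, indicator, reason in scan_network_log(SAMPLE_LOG):
        print(f"{client}\t{indicator}\t{reason}")
```

A port-only match is the weakest of the three signals; treat it as a prompt to inspect the destination and the process that opened the socket, while a DNS query or URL for either hostname is direct evidence of the worm's activity.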
Modifies Hosts File
The worm modifies the Windows Hosts file (%SystemRoot%\System32\drivers\etc\hosts) so that the following names no longer resolve to their legitimate addresses, which blocks both the user and any locally installed security product's updater from reaching these sites (mostly antivirus vendors and their update servers, plus a few payment and shopping sites):
82.165.237.14
82.165.250.33
avp.com
ca.com
casablanca.cz
customer.symantec.com
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
d66.myleftnut.info
dispatch.mcafee.com
download.mcafee.com
downloads-us1.kaspersky.com
downloads1.kaspersky.com
downloads1.kaspersky.ru
downloads2.kaspersky.com
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
ebay.com
eset.casablanca.cz
eset.com
f-secure.com
ftp.downloads1.kaspersky-labs.com
ftp.downloads2.kaspersky-labs.com
grisoft.com
kaspersky-labs.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
metalhead2005.info
microsoft.com
moneybookers.com
my-etrust.com
nai.com
networkassociates.com
nod32.com
norton.com
pandasoftware.com
paypal.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
u2.eset.com
u3.eset.com
u4.eset.com
u7.eset.com
update.symantec.com
updates-us1.kaspersky.com
updates.symantec.com
updates1.kaspersky-labs.com
updates1.kaspersky.com
updates2.kaspersky-labs.com
updates2.kaspersky.com
updates3.kaspersky-labs.com
updates3.kaspersky.com
us.mcafee.com
viruslist.com
virustotal.com
www.amazon.ca
www.amazon.co.uk
www.amazon.com
www.amazon.fr
www.avp.com
www.ca.com
www.ebay.com
www.eset.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.moneybookers.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.nod32.com
www.norton.com
www.pandasoftware.com
www.paypal.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
www.virustotal.com
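Because the hosts file overrides DNS for every program on the machine, checking it is one of the quickest ways to confirm or rule out this payload. The following is an added example for this page, not Microsoft's code: it parses hosts-file syntax (comments, multiple names per line, IPv6) and reports two things, any entry naming a domain from a watch list built from the list above (a subset is embedded here; extend it with the full list when deploying), and any non-localhost name pinned to a loopback or unspecified address, which is the usual way a blocking entry is written. The sample hosts content, including the 203.0.113.9 hijack line and the intranet name, is constructed for the example.

```python
import ipaddress
from typing import Iterator, List, Tuple

# Subset of the names listed above; extend with the full list for real use.
WATCHED_DOMAINS = {
    "kaspersky.com", "kaspersky-labs.com", "symantec.com", "symantecliveupdate.com",
    "mcafee.com", "f-secure.com", "sophos.com", "trendmicro.com", "eset.com",
    "microsoft.com", "virustotal.com", "paypal.com", "ebay.com", "amazon.com",
}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128")]

# Constructed hosts file content for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       liveupdate.symantec.com d-eu-1f.kaspersky-labs.com
203.0.113.9     www.paypal.com   # redirect rather than block
127.0.0.1       intranet.example.test
"""

Finding = Tuple[int, str, str, str]  # (line number, name, address, reason)


def parse_hosts(text: str) -> Iterator[Tuple[int, ipaddress._BaseAddress, List[str]]]:
    """Yield (line number, address, [names]) for every address line in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not a resolvable entry
        yield lineno, addr, [p.lower().rstrip(".") for p in parts[1:]]


def _watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hosts_tampering(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, addr, names in parse_hosts(text):
        sinkholed = any(addr in net for net in SINKHOLE_NETS)
        for name in names:
            if _watched(name):
                # Any pinning of these domains is suspect, whatever the address:
                # loopback blocks updates, a routable address hijacks the site.
                findings.append((lineno, name, str(addr), "watched domain pinned in hosts file"))
            elif sinkholed and name not in LOCAL_NAMES:
                findings.append((lineno, name, str(addr), "non-local name mapped to loopback/unspecified"))
    return findings


def check_hosts_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hosts_tampering(fh.read())


if __name__ == "__main__":
    for lineno, name, addr, reason in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {reason}")
```

On a live system call `check_hosts_file(r"C:\Windows\System32\drivers\etc\hosts")` (or /etc/hosts elsewhere); the loopback rule will also surface legitimate developer entries, so treat it as a review list, whereas a watched-domain hit is a direct indicator of this payload.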