
Worm:Win32/Pushbot.NV


First posted on 03 December 2009.
Source: SecurityHome

Aliases :

There are no other names known for Worm:Win32/Pushbot.NV.

Explanation :

Worm:Win32/Pushbot.NV is a worm that spreads to removable and network drives. It may also spread via MSN Messenger and/or AIM. It contains backdoor functionality that allows unauthorized access and control of an affected computer.

Installation
When executed, Worm:Win32/Pushbot.NV copies itself to %windir%\winudpmgr.exe and modifies the following registry entries to execute this copy at each Windows start:

  • Adds value: "Windows UDP Control Center"
    With data: "winudpmgr.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Adds value: "Windows UDP Control Center"
    With data: "winudpmgr.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

Spreads Via…

Removable Drives
Worm:Win32/Pushbot.NV spreads by copying itself to removable drives (other than A: or B:, such as USB memory keys). It places itself in the \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 folder, along with a file named Desktop.ini whose contents tell the operating system to display the folder as a Recycle Bin. It also places an autorun.inf file in the root directory of the drive, which instructs Windows to run the copied file when the drive is attached.

In this case, the worm creates the following files on accessible drives:

  • <drive>\recycler\s-1-6-22-2434476501-1644491937-600003330-1213\desktop.ini
  • <drive>\recycler\s-1-6-22-2434476501-1644491937-600003330-1213\winudpmgr.exe - copy of the worm
  • <drive>\recycler\s-1-6-22-2434476501-1644491937-600003330-1213\csrxx.exe - detected as Trojan:Win32/VB.UR
  • <drive>\autorun.inf
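The following PowerShell sweep is an added example, not part of the original encyclopedia entry, that checks a host and its removable or network drives for the artifacts listed above: the %windir% copy, the two Run values, the RECYCLER folder and autorun.inf. The folder name is a strong indicator on its own: real Windows user SIDs are issued under identifier authority 5 (S-1-5-21-...), so no legitimate per-user Recycle Bin folder is ever named S-1-6-.... The pattern accepts both the -21- and -22- spellings that appear on this page; the script only reports and deletes nothing.

```powershell
# Added example: sweep a Windows host and its removable/network drives for the
# Worm:Win32/Pushbot.NV artifacts described in this entry. Read-only: it reports,
# it does not delete. Needs PowerShell 3.0+ (Get-CimInstance) and administrator
# rights to read HKLM and all attached drives.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy in %windir% (the only install path the entry names).
$wormPath = Join-Path $env:windir 'winudpmgr.exe'
if (Test-Path -LiteralPath $wormPath) {
    $findings.Add("File present: $wormPath")
}

# 2. Autostart: the same value name and data appear under both Run keys.
$valueName = 'Windows UDP Control Center'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $data = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).$valueName
    if ($null -ne $data) {
        $findings.Add("Run value '$valueName' = '$data' under $key")
    }
}

# 3. Removable (DriveType 2) and network (DriveType 4) drives, skipping A: and B:
#    as the worm itself does. The regex covers both SID-like spellings on this page.
$recyclerPattern = '^S-1-6-2[12]-2434476501-1644491937-600003330-1213$'
$drives = Get-CimInstance -ClassName Win32_LogicalDisk |
    Where-Object { ($_.DriveType -eq 2 -or $_.DriveType -eq 4) -and $_.DeviceID -notmatch '^[AB]:$' }

foreach ($drive in $drives) {
    # String concatenation rather than Join-Path so an unreachable share does not throw.
    $root = $drive.DeviceID + '\'

    $autorun = $root + 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $lines = Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue
        if ($lines -match 'winudpmgr\.exe|csrxx\.exe') {
            $findings.Add("autorun.inf on $root references the worm binary")
        } else {
            $findings.Add("autorun.inf on $root (inspect manually)")
        }
    }

    $recycler = $root + 'RECYCLER'
    if (Test-Path -LiteralPath $recycler) {
        Get-ChildItem -LiteralPath $recycler -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $recyclerPattern } |
            ForEach-Object {
                $findings.Add("Pushbot RECYCLER folder: $($_.FullName)")
                # Expected contents per the entry: desktop.ini, winudpmgr.exe, csrxx.exe
                Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue |
                    ForEach-Object { $findings.Add("    contains $($_.Name) ($($_.Length) bytes)") }
            }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm:Win32/Pushbot.NV artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Two caveats when reading the output. Windows 7 and later, and XP or Vista with update KB971029, no longer honour autorun.inf on USB storage, so on current systems the file is evidence that an infected machine wrote to the drive rather than a working infection vector. And a hidden RECYCLER folder with a Desktop.ini that mimics the Recycle Bin is exactly what Explorer is meant to hide, which is why the script uses -Force and looks at the folder name rather than at what Explorer displays.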
MSN Messenger and/or AIM
This worm may be ordered to spread via Messenger or AIM by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). It can be ordered to send messages with a zipped copy of itself attached, or messages that contain URLs pointing to a remotely hosted copy of itself. It sends the message to all of the infected user's contacts. The filename of the ZIP archive, the URL of the remote copy and the message text are variable and may be supplied by the remote controller via the IRC backdoor. In the wild, spreading Pushbot variants have often been observed masquerading as images.

Payload

Backdoor Functionality: Port 6667
Worm:Win32/Pushbot.NV attempts to connect to an IRC server at sep25.no-ip.org or itznerve.no-ip.biz via TCP port 6667, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
  • Spread via MSN Messenger or AIM
  • Halt spreading
  • Update itself
  • Remove itself
  • Download and execute arbitrary files

Worm:Win32/Pushbot.NV may also be able to perform one or more of the following additional activities:

  • Spread via removable drives
  • Spread via peer to peer networking
  • Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings.
  • Participate in Distributed Denial of Service attacks
  • Add extra instant messaging contacts
  • Send other messages to the user’s contacts
  • Redirect banking sites to a specified location
  • Retrieve data from Windows Protected Storage. This may include auto-complete data and stored passwords from Internet Explorer, Outlook, and MSN Messenger.
  • Connect to web sites without downloading files
  • Return various spreading and uptime statistics
  • Attempt to terminate particular processes by filename
  • Perform packet sniffing on the affected system, with the intent to intercept login attempts, IRC activity and visits to possibly sensitive websites, such as PayPal.
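For the network side of the description, here is a second added example (again not from the original entry) that checks a live Windows host for the backdoor's connection indicators: established TCP sessions to port 6667 and the process that owns them, DNS client cache entries for the two dynamic-DNS names given above, and any running process named after the dropped file. Get-NetTCPConnection and Get-DnsClientCache exist on Windows 8 / Server 2012 and later; on older systems netstat -ano and ipconfig /displaydns give the same information.

```powershell
# Added example: look for the IRC backdoor's network indicators named in this entry.
# Requires Windows 8 / Server 2012 or later for Get-NetTCPConnection and
# Get-DnsClientCache. Read-only.

$c2Names = @('sep25.no-ip.org', 'itznerve.no-ip.biz')   # from the entry
$c2Port  = 6667                                           # from the entry
$results = @()

# 1. TCP sessions to port 6667 with the owning process. Legitimate IRC clients use
#    the same port, so the process name and path matter more than the port itself.
Get-NetTCPConnection -RemotePort $c2Port -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Indicator = "TCP connection to remote port $c2Port"
        Detail    = "$($_.RemoteAddress):$($_.RemotePort) state $($_.State)"
        Process   = if ($proc) { "$($proc.ProcessName) (PID $($proc.Id)) $($proc.Path)" }
                    else       { "PID $($_.OwningProcess)" }
    }
}

# 2. DNS client cache: a cached record for either name means something on this host
#    resolved it recently. The cache is lost on reboot and 'ipconfig /flushdns'.
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($name in $c2Names) {
    # -eq on strings is case-insensitive in PowerShell; Entry is the queried name,
    # Name the record owner (differs when a CNAME was followed).
    $cache | Where-Object { $_.Entry -eq $name -or $_.Name -eq $name } | ForEach-Object {
        $results += [pscustomobject]@{
            Indicator = 'DNS cache entry for C2 name'
            Detail    = "$($_.Entry) -> $($_.Data) (TTL $($_.TimeToLive)s)"
            Process   = 'n/a'
        }
    }
}

# 3. A process carrying the dropped file's name, whether or not it is connected right now.
Get-Process -Name 'winudpmgr' -ErrorAction SilentlyContinue | ForEach-Object {
    $results += [pscustomobject]@{
        Indicator = 'Process named after dropped file'
        Detail    = $_.Path
        Process   = "$($_.ProcessName) (PID $($_.Id))"
    }
}

if ($results.Count -eq 0) {
    Write-Output 'No network or process indicators for Worm:Win32/Pushbot.NV found.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

Treat hits as leads, not proof: dynamic-DNS names such as these can be repointed or left dangling long after the campaign, and a connection on 6667 from an unrelated IRC client is normal. A connection owned by a process running from %windir%\winudpmgr.exe, combined with the Run values and RECYCLER artifacts from the earlier section, is the combination that confirms this family.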

Additional Information
For more information, please see the Win32/Pushbot family description, elsewhere in our encyclopedia.

    Analysis by Tim Liu

    Last update 03 December 2009
