
Worm:Win32/Pushbot.VJ


First posted on 23 April 2012.
Source: Microsoft

Aliases:

Worm:Win32/Pushbot.VJ is also known as Trojan.Spambot.9818 (Dr.Web), Trojan.Win32.Ircbrute (Ikarus), WORM_PALEVO.SMA (Trend Micro), IM-Worm.Win32.Yahos.ig (Kaspersky), Worm.Yahos!FqklOrNnbSE (VirusBuster), and Backdoor.Bot.140102 (BitDefender).

Explanation:

Worm:Win32/Pushbot.VJ is a worm that may spread via MSN Messenger, AOL Instant Messenger, and Facebook chat. It also contains backdoor functionality that allows unauthorized access to an affected computer.


Installation

When executed, Worm:Win32/Pushbot.VJ copies itself as the following files:

  • %AppData%\<six random characters>.exe (for example, "exlmna.exe" and "egagud.exe")
  • %AppData%\<five random characters>.exe (for example, "clcfa.exe" and "ctpxi.exe")


It also modifies the registry to run its copy at each Windows start, for example:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<eight random characters>" (for example, "fjavfqqs" and "frnpntsp")
With data: "%AppData%\<six random characters>.exe"

It also creates the following registry entry as part of its installation routine:

In subkey: HKCU\Software\twk70
Sets value: "n"
With data: "1"

It runs the following command to allow its copy to bypass the computer's firewall:

netsh firewall add allowedprogram <path and file name to worm copy> 1 ENABLE

Spreads via...

MSN Messenger, AOL Instant Messenger, and Facebook chat

This worm may be ordered to spread via MSN Messenger, AOL Instant Messenger, or Facebook chat by a remote attacker using the worm's backdoor functionality (see Payload below for additional details). It can be ordered to send instant messages with a zipped copy of itself attached, or it can be ordered to send instant messages that contain URLs pointing to a remotely-hosted copy of itself. It sends a message to all of the user's contacts.

The file name of the ZIP archive, the URL of the remote copy, and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, Pushbot variants have often been observed masquerading as image files.



Payload

Allows backdoor access and control

Worm:Win32/Pushbot.VJ attempts to connect to IRC servers via different TCP ports, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected computer:

  • Spread via MSN Messenger, AOL Instant Messenger, or Facebook chat
  • Halt spreading
  • Update itself into a file named "%temp%\eraseme_<five random numbers>.exe"
  • Remove itself, using a batch file named "%temp%\rmme<four random numbers>.bat"
  • Download and execute arbitrary files into files named "%temp%\ageofempires_<five random numbers>.exe"
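The indicators in the Installation and Payload sections (the Run-key persistence entry, the HKCU\Software\twk70 marker, the netsh firewall exception, and the %temp% file names) can be turned into a host-triage check. The script below is an added example written for this page; it is not Microsoft's tooling and not part of the original write-up. It assumes that the "random characters" are lowercase ASCII letters (true of every example the page gives) and that expanded paths place %AppData% under ...\AppData\Roaming and %temp% under ...\AppData\Local\Temp; the registry snapshot, command lines and file paths at the bottom are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicator values come from the Worm:Win32/Pushbot.VJ description.
# Assumption (not stated on the page): "random characters" are lowercase letters.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKCU\Software\twk70"

COPY_NAME_RE = re.compile(r"^[a-z]{5,6}\.exe$")   # e.g. exlmna.exe, clcfa.exe
RUN_VALUE_RE = re.compile(r"^[a-z]{8}$")           # e.g. fjavfqqs, frnpntsp
TEMP_NAME_RE = re.compile(                          # payload files under %temp%
    r"^(eraseme_\d{5}\.exe|rmme\d{4}\.bat|ageofempires_\d{5}\.exe)$"
)
NETSH_RE = re.compile(
    r'^netsh\s+firewall\s+add\s+allowedprogram\s+(?P<path>"[^"]+"|\S+)\s+1\s+ENABLE$',
    re.IGNORECASE,
)


def _split(path: str) -> Tuple[str, str]:
    # Lower-cased (directory, file name) of a Windows path; surrounding quotes dropped.
    path = path.strip('"').lower()
    directory, _, name = path.rpartition("\\")
    return directory, name


def in_appdata(path: str) -> bool:
    # Assumption: expanded %AppData% is ...\AppData\Roaming.
    directory, _ = _split(path)
    return directory == "%appdata%" or directory.endswith(r"\appdata\roaming")


def in_temp(path: str) -> bool:
    # Assumption: expanded %temp% is ...\AppData\Local\Temp.
    directory, _ = _split(path)
    return directory == "%temp%" or directory.endswith(r"\appdata\local\temp")


def is_dropped_copy(path: str) -> bool:
    # %AppData%\<five or six random characters>.exe
    return in_appdata(path) and bool(COPY_NAME_RE.match(_split(path)[1]))


def is_payload_file(path: str) -> bool:
    # %temp%\eraseme_NNNNN.exe, %temp%\rmmeNNNN.bat, %temp%\ageofempires_NNNNN.exe
    return in_temp(path) and bool(TEMP_NAME_RE.match(_split(path)[1]))


def check_registry(entries: Iterable[Dict[str, str]]) -> List[str]:
    # Each entry is {"key": ..., "value": ..., "data": ...} as exported from a host.
    findings = []
    for e in entries:
        key, value, data = e["key"], e["value"], e["data"]
        if key.lower() == RUN_KEY.lower() and RUN_VALUE_RE.match(value) and is_dropped_copy(data):
            findings.append(f"run-key persistence: {value} -> {data}")
        if key.lower() == MARKER_KEY.lower() and value == "n" and data == "1":
            findings.append(f"infection marker: {key}\\{value} = {data}")
    return findings


def check_commands(cmdlines: Iterable[str]) -> List[str]:
    # Flags the firewall exception only when it points at a dropped copy.
    findings = []
    for c in cmdlines:
        m = NETSH_RE.match(c.strip())
        if m and is_dropped_copy(m.group("path")):
            findings.append(f"firewall exception for dropped copy: {m.group('path')}")
    return findings


def check_files(paths: Iterable[str]) -> List[str]:
    return [f"payload file: {p}" for p in paths if is_payload_file(p)]


def scan(snapshot: Dict[str, list]) -> List[str]:
    return (check_registry(snapshot.get("registry", []))
            + check_commands(snapshot.get("commands", []))
            + check_files(snapshot.get("files", [])))


# Constructed sample snapshot: three true positives plus benign noise in each category.
SAMPLE = {
    "registry": [
        {"key": RUN_KEY, "value": "fjavfqqs", "data": r"%AppData%\exlmna.exe"},
        {"key": RUN_KEY, "value": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
        {"key": MARKER_KEY, "value": "n", "data": "1"},
    ],
    "commands": [
        r"netsh firewall add allowedprogram C:\Users\alice\AppData\Roaming\egagud.exe 1 ENABLE",
        r"netsh advfirewall show allprofiles",
    ],
    "files": [
        r"C:\Users\alice\AppData\Local\Temp\eraseme_48213.exe",
        r"C:\Users\alice\AppData\Local\Temp\rmme0417.bat",
        r"C:\Users\alice\AppData\Local\Temp\setup.log",
    ],
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

On the sample data the scan reports five findings: the Run-key entry, the twk70 marker, the netsh exception for the Roaming copy, and the two %temp% payload files; the OneDrive entry, the advfirewall query and setup.log are ignored. The Run-key rule requires both the eight-letter value name and a matching target path, so a legitimate six-letter program name in Roaming alone does not fire.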




Analysis by Hyun Choi

Last update 23 April 2012
