Virus: Worm/Pushbot.7577
Date discovered: 24/09/2009
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 75.776 Bytes
MD5 checksum: eea6cee9d7cb77adfc9ff7a544220d9c
IVDF version: 7.01.06.31 - Thursday, September 24, 2009

General

Method of propagation:
   • Autorun feature


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files

It copies itself to the following locations:
   • %WINDIR%\iexplorer7.exe
   • %drive%\RECYCLER\%CLSID%\sysmngr32.exe



The following files are created:
   • %WINDIR%\log32.txt
   • %drive%\autorun.inf
     This is a non-malicious text file with the following content:
      • %code that runs malware%
   • %drive%\RECYCLER\%CLSID%\Desktop.ini



It tries to download a file:

– The locations are the following:
   • http://www.pr0.net/deny2/**********
   • http://www.sevy.eu.org/**********
   • http://www.proxysecurity.com/**********
   • http://www.proxy-heaven.com/**********
   • http://www.cooleasy.com/**********
   • http://www.belgarion.com/images/**********
   • http://proxywoorld.ovh.org/**********
   • http://proxyworld.ifrance.com/**********
At the time of writing, this file was not online for further investigation.

Registry

One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Driver Setup"="%WINDIR%\iexplorer7.exe"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "Microsoft Driver Setup"="%WINDIR%\iexplorer7.exe"



The following registry key is changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   New value:
   • "EnableFirewall"=dword:0x00000000

Messenger

It is spreading via Messenger. The characteristics are described below:

– MSN Messenger


To:
All entries in the contact list.

Network Infection

Exploit:
It makes use of the following exploits:
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS06-040 (Vulnerability in Server Service)

IRC

To deliver system information and to provide remote control it connects to the following IRC servers:

Server: login.i**********.org.uk
Port: 47221
Channel: #e10
Nickname: [N00_USA_XP_%number%]%random character string%

Server: login.i**********.co.uk
Port: 47221
Channel: #e10
Nickname: [N00_USA_XP_%number%]%random character string%

Server: login.in**********.com
Port: 47221
Channel: #e10
Nickname: [N00_USA_XP_%number%]%random character string%

Server: myip.wo**********.net
Port: 47221
Channel: #e10
Nickname: [N00_USA_XP_%number%]%random character string%

Server: ip.w**********.com
Port: 47221
Channel: #e10
Nickname: [N00_USA_XP_%number%]%random character string%


– Furthermore, it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Perform network scan
    • Update itself
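The artifacts in the Files, Registry and IRC sections above can be checked on a suspect host with a read-only triage script. The script below is an added example, not Avira's tool; it assumes PowerShell 3 or later running as administrator, and since the description does not give the %CLSID% folder name it enumerates every RECYCLER subfolder instead.

```powershell
# Added triage script (not part of the Avira description). Read-only: it only
# reports whether the Pushbot.7577 artifacts listed in the description exist.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files from the "Files" section
foreach ($p in @("$env:WINDIR\iexplorer7.exe", "$env:WINDIR\log32.txt")) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}
# autorun.inf in a drive root and RECYCLER\<CLSID>\sysmngr32.exe on any drive
foreach ($d in (Get-PSDrive -PSProvider FileSystem | Where-Object Root)) {
    $root = $d.Root
    if (Test-Path -LiteralPath (Join-Path $root 'autorun.inf')) {
        $findings.Add("autorun.inf in root of $root")
    }
    Get-ChildItem -LiteralPath (Join-Path $root 'RECYCLER') -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Join-Path $_.FullName 'sysmngr32.exe'   # %CLSID% folder name is unknown, so check every subfolder
            if (Test-Path -LiteralPath $s) { $findings.Add("file present: $s") }
        }
}

# 2. Persistence values from the "Registry" section
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v -and $v.PSObject.Properties['Microsoft Driver Setup']) {
        $findings.Add("Run value 'Microsoft Driver Setup' = $($v.'Microsoft Driver Setup') in $k")
    }
}

# 3. Firewall switched off in the standard profile
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$ef = (Get-ItemProperty -Path $fw -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
if ($ef -eq 0) { $findings.Add('EnableFirewall=0 in StandardProfile') }

# 4. Live TCP connections to the IRC port from the "IRC" section
#    (Get-NetTCPConnection exists only on Windows 8 / Server 2012 and later)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 47221 -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("TCP connection to $($_.RemoteAddress):47221 from PID $($_.OwningProcess)")
    }
}

if ($findings.Count -eq 0) { 'No Pushbot.7577 indicators found.' } else { $findings }
```

On the Windows 2000/XP/2003 hosts the description targets, the port check can be replaced by `netstat -ano | findstr :47221`, which the worm also lists among the tools it terminates.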

Process termination

List of processes that are terminated:


File details

Runtime packer:
To hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, February 4, 2010
Description updated by Petre Galan on Friday, February 5, 2010
