Virus: Worm/Pushbot.NR.1
Date discovered: 13/10/2009
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 75.776 Bytes
MD5 checksum: bcae72a511b2c005dbd46b96345f2bc2
IVDF version: 7.01.06.104 - Tuesday, October 13, 2009

General

Method of propagation:
• Autorun feature
• Messenger
• Peer to Peer

Aliases:
• Panda: W32/MSNWorm.HI
• Eset: Win32/AutoRun.IRCBot.CX
• Bitdefender: Trojan.Generic.2522251

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Drops malicious files
• Registry modification
• Third party control
Can be used by rogue users or malware to lower security settings.

Files

It copies itself to the following locations:
• %WINDIR%\livemessenger.com
• %drive%\RECYCLER\%CLSID%\usb.exe

The following files are created:
– %drive%\RECYCLER\%CLSID%\Desktop.ini
– %drive%\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%

It tries to download some files:
– The location is the following:
• http://browseusers.myspace.com/Browse/**********
– The location is the following:
• http://www.messengermsnimages.net/yah/**********

Registry

One of the following values is added to each registry key in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Update"="livemessenger.com"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Update"="livemessenger.com"

It creates the following entry in order to bypass the Windows XP firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
• "%executed file%"="%executed file%:*:Enabled:Microsoft Update"

P2P

It searches for the following directories:
• %PROGRAM FILES%\winmx\shared\
• %PROGRAM FILES%\tesla\files\
• %PROGRAM FILES%\limewire\shared\
• %PROGRAM FILES%\morpheus\my shared folder\
• %PROGRAM FILES%\emule\incoming\
• %PROGRAM FILES%\edonkey2000\incoming\
• %PROGRAM FILES%\bearshare\shared\
• %PROGRAM FILES%\grokster\my grokster\
• %PROGRAM FILES%\icq\shared folder\
• %PROGRAM FILES%\kazaa lite k++\my shared folder\
• %PROGRAM FILES%\kazaa lite\my shared folder\
• %PROGRAM FILES%\kazaa\my shared folder\

If successful, the following files are created:
• DivX 5.0 Pro KeyGen.exe; Counter-Strike KeyGen.exe; IP Nuker.exe; Website Hacker.exe; Keylogger.exe; AOL Password Cracker.exe; ICQ Hacker.exe; AOL Instant Messenger (AIM) Hacker.exe; MSN Password Cracker.exe; Microsoft Visual Studio KeyGen.exe; Microsoft Visual Basic KeyGen.exe; Microsoft Visual C++ KeyGen.exe; Sub7 2.3 Private.exe; sdbot with NetBIOS Spread.exe; L0pht 4.0 Windows Password Cracker.exe; Windows Password Cracker.exe; NetBIOS Cracker.exe; NetBIOS Hacker.exe; DCOM Exploit.exe; Norton Anti-Virus 2005 Enterprise Crack.exe; Hotmail Cracker.exe; Hotmail Hacker.exe; Brutus FTP Cracker.exe; FTP Cracker.exe; Password Cracker.exe; Half-Life 2 Downloader.exe; UT 2003 KeyGen.exe; Windows 2003 Advanced Server KeyGen.exe

Messenger

It spreads via Messenger. The characteristics are described below:
– AIM Messenger
– MSN Messenger
– Yahoo Messenger

Message:
• Schauen Sie dieses Bild an %executed file%
• Look at this picture %executed file%
• mire este retrato %executed file%
• regarder cette image %executed file%
• guardare quest'immagine %executed file%
• Seen this? :D %executed file%

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

IRC

To deliver system information and to provide remote control, it connects to the following IRC server:
Server: update.xx**********.com
Channel: #!m!
Nickname: [USA|XP|%number%]

File details

Runtime packer: In order to make detection more difficult and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, March 11, 2010
Description updated by Petre Galan on Monday, March 15, 2010
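
To check a host for the autostart and firewall entries listed in the Registry section, the following added example (not part of the original description) scans the text of a `reg export` dump for them. It assumes the export has already been decoded to text; the sample dump, its file paths and the function names are constructed for illustration.

```python
import re

# Indicators taken from the description above; HKLM abbreviates HKEY_LOCAL_MACHINE.
RUN_KEYS = {k.lower() for k in (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
    r"\Install\Software\Microsoft\Windows\CurrentVersion\Run",
)}
FW_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List").lower()
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def find_indicators(reg_text):
    """Return (key, value name, data) tuples matching the entries listed above."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # header, blank line, or a non-string value (dword/hex)
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if key.lower() in RUN_KEYS:
            if name == "Microsoft Update" and data.lower().endswith("livemessenger.com"):
                hits.append((key, name, data))
        elif key.lower() == FW_KEY and data.endswith(":*:Enabled:Microsoft Update"):
            hits.append((key, name, data))
    return hits

# Constructed sample export: two matching entries and two benign ones.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="livemessenger.com"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\sample\\file.exe"="C:\\sample\\file.exe:*:Enabled:Microsoft Update"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

if __name__ == "__main__":
    print(*find_indicators(SAMPLE), sep="\n")
```

The firewall match keys on the "Microsoft Update" label rather than on a path, because the description gives the authorized executable only as %executed file%.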