
Worm:Win32/Pushbot.VR


First posted on 31 July 2012.
Source: Microsoft

Aliases:

Worm:Win32/Pushbot.VR is also known as Worm.Win32.Pushbot (Ikarus).

Explanation:



Worm:Win32/Pushbot.VR is a worm that may spread through Facebook, MSN Messenger and Skype by posting links that may lead you to download this malware. It is a variant of the Worm:Win32/Pushbot family.



Installation

When run, Worm:Win32/Pushbot.VR copies itself to the following folders:

  • %APPDATA%\<random name>.exe (for example, "exuhoq.exe") - this location assists in the registry modification that ensures the copy runs at each Windows start
  • <startup folder>\<random name>.exe (for example, "ankcw.exe") - this location ensures the copy runs at each Windows start


Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".

Note: <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Start Menu\Programs\Startup". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup".

The malware modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\windows\currentversion\run
Sets value: "<random string>" (for example, "dljscag")
With data: "%APPDATA%\<random name>.exe" (for example, "exuhoq.exe")
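The two persistence artifacts above (an executable dropped straight into the %APPDATA% root and an HKCU Run value pointing at it) are easy to triage from a registry export. The following is an added example, not part of the Microsoft entry: it parses the text produced by `reg export` (the sample export and its user name, value names and file names are constructed for this example, with "dljscag", "exuhoq.exe" and "ubccqtpjrioajkqrnyl" mirroring the entry's placeholders) and flags Run values whose program lives directly under the Roaming AppData root rather than in a vendor subfolder, plus any child of HKCU\Software\AppDataLow other than the usual "Software" subkey (that "Software" is the only child normally present is an assumption of this example, so treat the second list as a review list, not a verdict).

```python
import re
from typing import Dict, List

# Constructed sample of a "reg export HKCU\Software ..." dump covering the two keys named in the
# entry. The user name, value names and file names are invented for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software]

[HKEY_CURRENT_USER\Software\AppDataLow\ubccqtpjrioajkqrnyl]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"dljscag"="C:\\Users\\alice\\AppData\\Roaming\\exuhoq.exe"
"Updater"="%APPDATA%\\Vendor\\updater.exe"
"oddname"="%APPDATA%\\ankcw.exe"
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# An .exe sitting directly in the Roaming AppData root (no subfolder), written either with the
# %APPDATA% variable or with the expanded default paths the entry lists for XP/2003 and Vista/7.
APPDATA_ROOT_EXE_RE = re.compile(
    r'^(?:%APPDATA%'
    r'|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming'
    r'|[A-Za-z]:\\Documents and Settings\\[^\\]+\\Application Data)'
    r'\\[^\\]+\.exe$',
    re.IGNORECASE,
)
RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
APPDATALOW_KEY = r'HKEY_CURRENT_USER\Software\AppDataLow'


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value_name: unescaped_data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash; undo both in one pass.
            keys[current][m.group('name')] = re.sub(r'\\(.)', r'\1', m.group('data'))
    return keys


def _executable_of(command: str) -> str:
    """Return the program path from a Run value, dropping surrounding quotes and arguments."""
    m = re.match(r'^"?(?P<exe>[^"]+?\.exe)', command, re.IGNORECASE)
    return m.group('exe') if m else command


def suspicious_run_entries(reg_text: str) -> List[str]:
    """Names of HKCU Run values that launch an .exe straight from the %APPDATA% root."""
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    return [name for name, data in run_values.items()
            if APPDATA_ROOT_EXE_RE.match(_executable_of(data))]


def unexpected_appdatalow_subkeys(reg_text: str) -> List[str]:
    """Direct children of the AppDataLow key other than 'Software' (assumed to be the only normal child)."""
    found: List[str] = []
    for key in parse_reg_export(reg_text):
        if key.lower().startswith(APPDATALOW_KEY.lower() + '\\'):
            child = key[len(APPDATALOW_KEY) + 1:].split('\\')[0]
            if child.lower() != 'software' and child not in found:
                found.append(child)
    return found


if __name__ == '__main__':
    print('Run values to review:', suspicious_run_entries(SAMPLE_REG_EXPORT))
    print('AppDataLow subkeys to review:', unexpected_appdatalow_subkeys(SAMPLE_REG_EXPORT))
```

The heuristic deliberately keys on location rather than on the random file name, since the name changes per infection while the "executable in the AppData root" pattern does not; a matching Run value still needs the file itself checked (hash, signature, creation time) before removal.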

When Worm:Win32/Pushbot.VR runs, it may inject code into running processes, including the following:

  • calc.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • jusched.exe
  • msmsgs.exe
  • msnmsgr.exe
  • opera.exe
  • skype.exe

The worm does this in order to hinder detection and removal.

Spreads via...

Social networks

Worm:Win32/Pushbot.VR checks for Facebook cookies on your computer which, together with its backdoor functionality, it uses to post messages on your own wall as well as the walls of your friends. The post may contain a link and a message. If your friend clicks the link, they will end up downloading a copy of the worm.

If the worm is unable to find any Facebook cookies, it will continue with the rest of its spreading functions and payload.

Note: The content of the posts used for spreading is generated when the malware contacts its C&C (command and control) server. Unfortunately, the malware servers on our samples are now inaccessible and we are unable to provide examples of the posts.

MSN Messenger and Skype

Using backdoor functionality, Worm:Win32/Pushbot.VR can be ordered to spread via MSN Messenger or Skype by a remote attacker. It sends a message to your contacts which can contain links pointing to a remotely hosted copy of itself. The message may be provided from the controller via the backdoor. See the Payload section in this entry for more information on backdoor functionality.

Note: The links and messages that are sent for spreading are generated when the malware contacts its C&C server. Unfortunately, the malware servers on our samples are now inaccessible and we are unable to provide examples of the messages.



Payload

Backdoor functionality

Worm:Win32/Pushbot.VR contacts its C&C (command and control) server via an HTTP POST command. An HTTP POST command is a type of basic communication between your computer and a website.

The HTTP POST command has the following format:

  • hxxp://<Malware Server>/query.php
  • hxxp://<Malware Server>/ucheck.php


In the wild we have observed that <Malware Server> could be any of the following:

  • lilipala.com
  • liltinti.com
  • pralala.com
  • roboticamars.com
  • shorturli.com
  • shorturli.net
  • shorturli.org
  • tintiurl.com
  • tintiurl.net
  • tintiurl.org


To perform its backdoor routines, the malware sends the following information about your computer to the server:

  • Your computer's IP address
  • Your operating system version
  • The volume information of your hard disks
  • The current homepage of your web browser
  • The default web browser on your computer


Once the data is sent, the server replies with an encrypted configuration that performs the following actions:

  • Downloads arbitrary files
  • Changes the homepage of the following Internet browsers:
    • Internet Explorer
    • Firefox
    • Chrome
    • Opera
  • Obtains the malicious links that it sends as part of its spreading routine


Contacts remote hosts

Worm:Win32/Pushbot.VR may contact the following remote hosts via a regular HTTP connection:

s3dl.com
s3nt.com
sh0rt.com
shiturl.com
shorl.com
short.ie
short.la
short.to
shortadress.com
shortar.com
shorten.ws
shortener.net
shorterlink.com
shortify.wikinote.com
shortlinks.co.uk
shortn.me
shoturl.us
shoxt.com
shredurl.com
shrinkify.com
shrinkomatic.com
shrinkster.com
shrt.st
shrunkurl.com
shrvl.com
shurl.net
shuurl.com
t1ny.net
takeme.to
thinfi.com
thnlnk.com
thurly.net
tighturl.com
tii.li
tiny.cc
tinylink.com
tinyup.net
tinyurl.com
tnij.org
to.ly
tr.im
tra.kz
traceurl.com
trim.li
tubeurl.com
turo.us
tw3.it
twi.bz
twirl.at
twisturl.com
twitclicks.com
twitpwr.com
twitt.at
twurl.cc

Commonly, malware may contact a remote host for the following purposes:

  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instructions from a remote attacker
  • To upload data taken from the affected computer
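Both the backdoor check-in (an HTTP POST to query.php or ucheck.php on one of the C&C domains) and the contacts with the URL-shortening hosts listed above can be spotted in web proxy logs. The following is an added example, not part of the Microsoft entry: it classifies constructed Squid-style proxy log lines (the field layout is an assumption; adjust the column indices for another proxy) into a high-severity finding for the documented POST, a medium-severity finding for any other traffic to a C&C domain, and an informational finding for the shortener hosts, which are legitimate services and only corroborate a C&C hit. The shortener set here is a subset of the entry's list; the full list can be substituted.

```python
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# C&C domains and POST paths are the ones the entry lists. The shortener set is a subset of the
# entry's "Contacts remote hosts" list.
C2_DOMAINS: Set[str] = {
    "lilipala.com", "liltinti.com", "pralala.com", "roboticamars.com",
    "shorturli.com", "shorturli.net", "shorturli.org",
    "tintiurl.com", "tintiurl.net", "tintiurl.org",
}
C2_PATHS: Set[str] = {"/query.php", "/ucheck.php"}
SHORTENER_HOSTS: Set[str] = {"tinyurl.com", "tiny.cc", "tr.im", "to.ly", "short.to", "twurl.cc"}

# Constructed proxy log lines in a Squid-style layout (assumption):
# timestamp elapsed client status/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1343692800.001 120 10.0.0.5 TCP_MISS/200 512 POST http://lilipala.com/query.php - DIRECT/203.0.113.10 text/html
1343692801.002 90 10.0.0.5 TCP_MISS/200 340 GET http://tinyurl.com/abc123 - DIRECT/203.0.113.11 text/html
1343692802.003 15 10.0.0.7 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/203.0.113.12 text/html
1343692803.004 110 10.0.0.9 TCP_MISS/200 600 POST http://www.tintiurl.net/ucheck.php - DIRECT/203.0.113.13 text/html
1343692804.005 40 10.0.0.9 TCP_MISS/200 300 GET http://shorturli.org/index.html - DIRECT/203.0.113.14 text/html
"""


def _host_in(host: str, domains: Set[str]) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_request(line: str) -> Optional[Dict[str, str]]:
    """Classify one log line; returns None for requests of no interest here."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, method, url = fields[2], fields[5], fields[6]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _host_in(host, C2_DOMAINS):
        if method == "POST" and parts.path.lower() in C2_PATHS:
            kind, severity = "pushbot_c2_checkin", "high"    # the documented POST to query.php/ucheck.php
        else:
            kind, severity = "pushbot_c2_domain", "medium"   # any other traffic to a C&C domain
    elif _host_in(host, SHORTENER_HOSTS):
        kind, severity = "url_shortener", "info"  # legitimate services: context only, never an alert alone
    else:
        return None
    return {"client": client, "host": host, "method": method, "path": parts.path,
            "kind": kind, "severity": severity}


def scan_log(text: str) -> List[Dict[str, str]]:
    """All findings for a block of log text, in log order."""
    return [f for f in (classify_request(line) for line in text.splitlines()) if f]


def findings_per_client(findings: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count finding kinds per client so a C&C hit can be read alongside shortener activity."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        per_client = summary.setdefault(f["client"], {})
        per_client[f["kind"]] = per_client.get(f["kind"], 0) + 1
    return summary


def clients_to_isolate(findings: List[Dict[str, str]]) -> List[str]:
    """Clients with at least one high-severity finding, sorted."""
    return sorted({f["client"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for r in results:
        print(r["severity"], r["client"], r["method"], r["host"] + r["path"], r["kind"])
    print(findings_per_client(results))
    print("isolate:", clients_to_isolate(results))
```

Matching is done on the parsed hostname (including subdomains of the listed domains) rather than by substring search on the raw line, which avoids false hits on look-alike names and on query strings that merely mention a domain.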


The malware may also display advertisements to the user.

Additional information

Worm:Win32/Pushbot.VR allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Worm:Win32/Pushbot.VR. This could include, but is not limited to, the following actions:

  • Downloading and running arbitrary files
  • Uploading files
  • Spreading the worm to other computers using various methods of propagation
  • Logging keystrokes or stealing sensitive data
  • Modifying system settings
  • Running or terminating applications
  • Deleting files


Worm:Win32/Pushbot.VR may add the following registry key:

HKCU\Software\AppDataLow\<random string> (for example, "ubccqtpjrioajkqrnyl")

The malware may do this to check whether your computer is already infected, or it may be related to the operation of the backdoor functionality.

Worm:Win32/Pushbot.VR creates any of the following mutex names to ensure that only one copy is running on the infected computer:

  • C7D35FE1-E3DE-4CCC-9713-F7430EBBE57B-105
  • DEE2ECDD-B4E7-4259-8FE9-F2CE5B2CEB9C
  • 5AFC5A39-AA03-424d-8917-BC95C3FA9C5B

Related encyclopedia entries

Worm:Win32/Pushbot



Analysis by Edgardo Diaz

Last update 31 July 2012

 
