Home / malware Worm:Win32/Pushbot.TK
First posted on 07 September 2010.
Source: SecurityHomeAliases :
Worm:Win32/Pushbot.TK is also known as WORM_VBINJECT.AF (Trend Micro).
Explanation :
Worm:Win32/Pushbot.TK is a worm that may spread via Windows Live Messenger and/or AIM. The worm also contains backdoor functionality that allows unauthorized access to an affected machine. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker.
Top
Worm:Win32/Pushbot.TK is a worm that may spread via Windows Live Messenger and/or AIM. The worm also contains backdoor functionality that allows unauthorized access to an affected machine. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker. InstallationWhen executed, Worm:Win32/Pushbot.TK copies itself to "%windir%\sontiwin.exe" and sets the attributes for this copy to read-only, hidden and system. It modifies the registry to run this copy at each Windows start: Adds value: "Ci Servs"
With data: "sontiwin.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
It then launches the new copy of itself, and deletes the original. Worm:Win32/Pushbot may attempt to disguise itself as a picture or video file. As a result, it may be packaged with clean video player software updates, or display message boxes such as the following: Spreads via€¦ Instant messagingThis worm may be ordered to spread via Windows Live Messenger, Yahoo Messenger or AIM by a remote attacker using the worm's backdoor functionality (see Payload section below for additional details). It can be ordered to send messages with a zipped copy of itself attached, or it can be ordered to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends a message to all of the infected user's contacts. The filename of the .ZIP archive, the URL of the remote copy and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, Pushbot variants have often been observed masquerading as images. SkypeRecent variants of Win32/Pushbot may also be able to spread by utilizing Skype (an instant messaging application that allows users to send voice over the Internet). These Pushbot variants send keyboard and mouse events to Skype in order to open a message window to each of the user's contacts, paste in a message with a URL (presumably to a copy of Pushbot being hosted remotely), and then send the message. Removable drives
Some variants of Worm:Win32/Pushbot may also spread by copying themselves to removable drives (other than A: or B:, such as USB memory keys). They place themselves in the \RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 folder, along with a file named Desktop.ini, the contents of which indicate to the operating system that the folder should be displayed as a Recycle Bin. They also place an autorun.inf file in the root directory of the drive, which indicates that the copied file should be run when the drive is attached. Peer-to-Peer networking
Some variants may be ordered to spread by copying themselves to the shared directories of various Peer-To-Peer file sharing programs, using filenames such as the following:Windows Live Password reveal.exe Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com eMule-0-48a-VeryCD080902-Update.exe MsnCleaner.exe KEY-GEN Adobe PhotoShop CS3.exe KEY-GEN Kaspersky 2009.exe KEY-GEN ESET NOD32 3.0.650.exe KEY-GEN Ahead Nero 8 Ultra Edition.exe Microsoft Office 2007.exe Kaspersky 7.0 all versions.exe windows xp genuine keygen.exe windows xp activation hack 2008.exe windows xp activation hack 2007.exe Directories used may include:%ProgramFiles%\Ares\My Shared Folder\ %ProgramFiles%\Direct Connect\Received Files\ %ProgramFiles%\KMD\My Shared Folder\ %ProgramFiles%\Rapigator\Share\ %ProgramFiles%\XoloX\Downloads\ %ProgramFiles%\Tesla\Files\ %ProgramFiles%\WinMX\My Shared Folder\ %ProgramFiles%\Swaptor\Download\ %ProgramFiles%\Overnet\incoming\ %ProgramFiles%\LimeWire\Shared\ %ProgramFiles%\appleJuice\incoming\ %ProgramFiles%\Filetopia3\Files\ %ProgramFiles%\ICQ\shared files\ %ProgramFiles%\Shareaza\Downloads\ %ProgramFiles%\BearShare\Shared\ %ProgramFiles%\eMule\Incoming\ %ProgramFiles%\Gnucleus\Downloads\ %ProgramFiles%\EDONKEY2000\incoming\ %ProgramFiles%\Morpheus\My Shared Folder\ %ProgramFiles%\Grokster\My Grokster\ %ProgramFiles%\Kazaa Lite\My Shared Folder\ %ProgramFiles%\Kazaa\My Shared Folder\ \My Shared Folder\ Exploit Some variants have the ability to spread by exploiting various vulnerabilities in targeted machines upon being commanded to do so by a remote attacker. Payload Backdoor functionality: TCP port 6567Pushbot.TK attempts to connect to an IRC server at irc.metraiciono.com via TCP port 6567, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:Spread via Windows Live Messenger or AIM Halt spreading Update itself Remove itself Download and execute arbitrary files Pushbot.TK may also be able to perform one or more of the following additional activities:Spread via removable drives Spread via peer to peer networking Attempt to terminate other backdoors running on the system, by searching the memory of other running processes for particular strings Participate in Distributed Denial of Service attacks Add extra instant messaging contacts Send other messages to the user€™s contacts Redirect banking sites to a specified location Retrieve data from Windows Protected Storage. This may include auto-complete data and stored passwords from Internet Explorer, Outlook, and Windows Live Messenger Connect to websites without downloading files Return various spreading and uptime statistics Attempt to terminate particular processes by filename Perform packet sniffing on the affected system, with the intent to intercept login attempts, IRC activity and visits to possibly sensitive websites, such as PayPal Pushbot may also attempt to disable the following programs by making further modifications to the registry:msncleaner.exe avp.exe kav.esp kav.eng msconfig.exe Additional informationFor more information, please see the Win32/Pushbot family description, elsewhere in our encyclopedia.
Analysis by David WoodLast update 07 September 2010