New Pushbot worm variant (Mar 2, 2010)


The SonicWALL UTM Research team received reports of a new variant of the Pushbot worm spreading in the wild. This worm generally spreads through MSN Messenger and includes an IRC-based backdoor capability to receive instructions from a remote server.

The new variant adds Yahoo Messenger as a propagation vector and sends localized messages chosen according to the target user's system language settings.

Installation:

  • Copies itself as winmbu.exe in %windir% directory.
  • Creates a mutex (SN5JSN868L) to ensure that only one instance of the application runs in the system.

The dropped file looks like this:

screenshot

Registry Changes:

    It modifies the following registry entry to ensure that the dropped copy of the malware starts on every system reboot:

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Value: "Userinit"
    Original Data: "C:\WINDOWS\system32\userinit.exe,"
    Modified Data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winmbu.exe,"

    It adds the following registry entry, which places the dropped file on the Windows Firewall authorized applications list so that its traffic passes through firewall restrictions:

    Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: "C:\WINDOWS\winmbu.exe"
    Data: "C:\WINDOWS\winmbu.exe:*:Enabled:Userinit"
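The two registry indicators above (the program appended to the Winlogon Userinit value and the firewall authorized-application entry) can be triaged from exported registry value strings. The following is an added example written for this page, not SonicWALL's own tooling; the sample values are constructed from the advisory, and the "suspicious entry" checks are heuristics of my own modelled on the pattern described here.

```python
import ntpath
from typing import Dict, List

# Sample values constructed from the advisory's text (not read from a live host).
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winmbu.exe,"
SAMPLE_FW_ENTRY = r"C:\WINDOWS\winmbu.exe:*:Enabled:Userinit"


def extra_userinit_entries(value: str) -> List[str]:
    """Winlogon launches every comma-separated program in the Userinit value at
    logon, so anything besides the stock system32\\userinit.exe is a persistence lead."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]


def parse_authorized_app(data: str) -> Dict[str, str]:
    """An AuthorizedApplications\\List value has the form
    <path>:<scope>:<Enabled|Disabled>:<display name>. The path carries its own
    drive colon, so split from the right."""
    path, scope, state, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def suspicious_firewall_entry(data: str) -> List[str]:
    """Return the reasons an entry deserves a look. The checks are heuristics
    (an assumption of this example) modelled on the pattern in the advisory."""
    app = parse_authorized_app(data)
    binary = ntpath.basename(app["path"])
    parent = ntpath.dirname(app["path"]).lower()
    reasons = []
    if app["state"].lower() == "enabled" and app["scope"] == "*":
        reasons.append("enabled for any remote address")
    # The worm reuses a trusted component name ("Userinit") for a binary called winmbu.exe.
    if app["name"].lower() != ntpath.splitext(binary)[0].lower():
        reasons.append(f"display name '{app['name']}' does not match binary '{binary}'")
    # Dropped straight into %windir% rather than a system subfolder.
    if parent.endswith(":\\windows"):
        reasons.append("binary sits directly in the Windows directory")
    return reasons


def triage(userinit_value: str, firewall_entries: List[str]) -> Dict[str, object]:
    """Combine both checks over exported registry values (e.g. from a reg export)."""
    flagged = {e: r for e in firewall_entries if (r := suspicious_firewall_entry(e))}
    return {"extra_userinit": extra_userinit_entries(userinit_value),
            "flagged_firewall": flagged}


if __name__ == "__main__":
    print(triage(SAMPLE_USERINIT, [SAMPLE_FW_ENTRY]))
```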

Command & Control (C&C) Server connection:

    Upon successful installation, it tries to connect to a remote IRC server to receive further instructions:
    IRC Server: buri.burimche.net
    Port: 1234/tcp

    Backdoor Functionality:

    • Spread via instant messaging
    • Update itself
    • Remove itself
    • Download and execute files

IM Propagation:
This worm checks the system language settings of the target machine to determine which localized message it will send to all of the user's contacts.

    Localized languages used:

    • Czech
    • Danish
    • Dutch
    • English
    • Finnish
    • French
    • German
    • Italian
    • Norwegian
    • Polish
    • Portuguese
    • Romanian
    • Slovak
    • Spanish
    • Turkish

    Messages:

    • seen this?? 😀 [Malicious URL Link]
    • look at this picture 😀 [Malicious URL Link]
    • poglej to fotografijo 😀 [Malicious URL Link]
    • pogled na ovu fotografiju 😀 [Malicious URL Link]
    • min bild 😀 [Malicious URL Link]
    • foto 😀 [Malicious URL Link]
    • to fotografiu 😀 [Malicious URL Link]
    • uita-te la aceasta fotografie 😀 [Malicious URL Link]
    • kuvaa 😀 [Malicious URL Link]
    • bu resmi bakmak 😀 [Malicious URL Link]
    • olhar para esta foto 😀 [Malicious URL Link]
    • spojrzec na to zdjecie 😀 [Malicious URL Link]
    • dette bildet 😀 [Malicious URL Link]
    • pet 😀 [Malicious URL Link]
    • dette billede 😀 [Malicious URL Link]
    • vejte se na mou fotku 😀 [Malicious URL Link]
    • guardare quest’immagine 😀 [Malicious URL Link]
    • bekijk deze foto 😀 [Malicious URL Link]
    • schau mal das foto an 😀 [Malicious URL Link]
    • regardez cette photo 😀 [Malicious URL Link]

    A sample instant message sent by the worm looks like:

    screenshot

    SonicWALL Gateway AntiVirus provides protection against this worm via GAV: Pushbot.QM (Trojan) and GAV: Downloader.JMVS (Trojan) signatures.
