New Pushbot worm variant

March 2, 2010

The SonicWALL UTM Research team received reports of a new variant of the Pushbot worm spreading in the wild. This worm generally spreads through MSN Messenger and includes an IRC-based backdoor capability to receive instructions from a remote server.

The new variant adds Yahoo Messenger as a propagation vector and sends localized messages chosen according to the target user's system language settings.


Installation:

  • Copies itself as winmbu.exe into the %windir% directory.
  • Creates a mutex (SN5JSN868L) so that only one instance of the malware runs on the system.

The dropped file looks like this:


Registry Changes:

    It modifies the following registry value so that the dropped copy of the malware starts on every system reboot:

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value: "Userinit"
    Original Data: "C:\WINDOWS\system32\userinit.exe,"
    Modified Data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winmbu.exe,"

    Adds the following entry to the Windows Firewall authorized-applications list so that its connections are not blocked. The exception's display name, "Userinit", is borrowed from the legitimate Winlogon component, so the entry does not stand out in the firewall exceptions list:

    Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    Value: "C:\WINDOWS\winmbu.exe"
    Data: "C:\WINDOWS\winmbu.exe:*:Enabled:Userinit"
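    The two registry changes above are cheap to check for on a host. The script below is an added example, not SonicWALL code: it parses a Winlogon Userinit value and a firewall AuthorizedApplications list and flags entries of the kind the worm adds. The sample values are constructed to mirror the data quoted in this advisory; the only real-world assumption is that the stock Userinit value names userinit.exe under %SystemRoot%\system32. The collect_live() helper reads the same two locations from a live Windows registry via the standard winreg module.

```python
"""Host check for the Userinit persistence hook and the firewall exception.

Added example, not SonicWALL code. Sample values are constructed to mirror
the advisory; the stock Userinit location is the only real-world assumption.
"""
from __future__ import annotations

import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed sample data mirroring the advisory (value name -> data).
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winmbu.exe,"
SAMPLE_AUTHORIZED_APPS = {
    r"C:\WINDOWS\winmbu.exe": r"C:\WINDOWS\winmbu.exe:*:Enabled:Userinit",
    # A benign-looking entry, also constructed, to show what is not flagged.
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
}


def userinit_extras(value: str) -> list[str]:
    """Return every program listed in Userinit other than the stock userinit.exe.

    Winlogon launches each comma-separated entry at logon, so an appended path
    is a persistence hook. The legitimate value is one entry plus a trailing
    comma; matching is case-insensitive and accepts %SystemRoot% or a drive path.
    """
    extras = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the trailing comma yields an empty field; that is normal
        directory, name = ntpath.split(entry)
        directory = directory.lower().replace("%systemroot%", r"c:\windows")
        if name.lower() == "userinit.exe" and directory.endswith("\\system32"):
            continue
        extras.append(entry)
    return extras


def parse_firewall_entry(data: str) -> dict:
    """Split 'path:scope:Enabled|Disabled:display name'.

    Split from the right: the path itself contains a colon (the drive letter).
    """
    path, scope, state, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def suspicious_firewall_entries(entries: dict[str, str]) -> list[dict]:
    """Flag enabled exceptions whose executable sits outside the directories
    installed programs normally use, whose display name borrows a Windows
    component name the executable is not, or whose value name and data disagree.
    Heuristic only: a file under Program Files is not thereby trusted."""
    trusted_prefixes = ("c:\\windows\\system32\\", "c:\\program files\\")
    findings = []
    for value_name, data in entries.items():
        entry = parse_firewall_entry(data)
        if entry["state"].lower() != "enabled":
            continue
        path = entry["path"].lower()
        reasons = []
        if not path.startswith(trusted_prefixes):
            reasons.append("executable outside trusted directories")
        if entry["name"].lower() == "userinit" and ntpath.basename(path) != "userinit.exe":
            reasons.append("display name imitates Userinit")
        if path != value_name.lower():
            reasons.append("value name does not match path in data")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def collect_live() -> tuple[str, dict[str, str]]:
    """Read both locations from the live registry (Windows only: winreg is
    absent elsewhere, so this raises ImportError on other platforms)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    apps = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_LIST_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            apps[name] = data
            index += 1
    return userinit, apps


if __name__ == "__main__":
    print("Userinit extras:", userinit_extras(SAMPLE_USERINIT))
    for finding in suspicious_firewall_entries(SAMPLE_AUTHORIZED_APPS):
        print("Firewall exception:", finding["path"], "->", "; ".join(finding["reasons"]))
```

    On a live host, replace the sample values with the pair returned by collect_live(). Any extra Userinit entry is worth investigating regardless of its name, because the worm could pick a different filename; the firewall check deliberately keys on the path and the borrowed "Userinit" display name rather than on winmbu.exe.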

Command & Control (C&C) Server connection:

    Upon successful installation, it tries to connect to a remote IRC server to receive further instructions:
    IRC Server:
    Port: 1234/tcp

    Backdoor Functionality:

    • Spread via instant messaging
    • Update itself
    • Remove itself
    • Download and execute files
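    Because the bot talks IRC on 1234/tcp rather than on a conventional IRC port, a port-based rule is fragile: the operator can move the server. The script below is an added example, not SonicWALL code, showing the alternative of matching the IRC registration exchange itself (NICK followed by USER, per RFC 1459) in client payload and treating an unusual port as the signal. The flow records are constructed (RFC 5737 documentation addresses, made-up nicknames and channel) and stand in for the first client-to-server payload lines a sensor would extract from each TCP session.

```python
"""Flag IRC command-and-control sessions by protocol rather than by port.

Added example, not SonicWALL code. The flow records are constructed and stand
in for client payload lines extracted from TCP sessions.
"""
from __future__ import annotations

from collections import defaultdict

# (client, server, dst port, one client payload line): constructed, not captured.
SAMPLE_FLOWS = [
    ("10.0.0.15", "203.0.113.9", 1234, "NICK bot-0c1a"),
    ("10.0.0.15", "203.0.113.9", 1234, "USER bot 0 0 :bot"),
    ("10.0.0.15", "203.0.113.9", 1234, "JOIN #channel"),
    ("10.0.0.22", "198.51.100.4", 6667, "NICK alice"),
    ("10.0.0.22", "198.51.100.4", 6667, "USER alice 0 * :Alice"),
    ("10.0.0.31", "192.0.2.7", 1234, "GET / HTTP/1.1"),
    ("10.0.0.40", "192.0.2.8", 8080, "NICK lonely"),  # NICK without USER: incomplete
]

IRC_CLIENT_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "PONG", "PASS"}
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
ADVISORY_PORT = 1234  # port named in the advisory; a weaker, port-based indicator


def irc_commands_by_session(flows):
    """Collect the IRC client commands seen per (client, server, port)."""
    seen = defaultdict(set)
    for client, server, dport, line in flows:
        command = line.split(" ", 1)[0].upper()
        if command in IRC_CLIENT_COMMANDS:
            seen[(client, server, dport)].add(command)
    return seen


def detect_irc_c2(flows):
    """Return sessions that complete an IRC registration (NICK and USER) on a
    port not normally used for IRC. Matching the exchange instead of port 1234
    still fires if the operator moves the server; the advisory port is added
    as a second, weaker reason when it matches."""
    findings = []
    for (client, server, dport), commands in irc_commands_by_session(flows).items():
        if not {"NICK", "USER"} <= commands:
            continue  # a lone NICK or JOIN is not a registration
        reasons = []
        if dport not in STANDARD_IRC_PORTS:
            reasons.append("IRC registration on non-standard port")
        if dport == ADVISORY_PORT:
            reasons.append("destination port matches the advisory (1234/tcp)")
        if reasons:
            findings.append({"client": client, "server": server, "port": dport,
                             "commands": sorted(commands), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_irc_c2(SAMPLE_FLOWS):
        print(f"{f['client']} -> {f['server']}:{f['port']} {f['commands']}: "
              + "; ".join(f["reasons"]))
```

    The trade-off is visible in the sample: a bot registering on 6667 would not be flagged by this rule alone, so on standard ports pair it with destination reputation or a nickname pattern observed in your own captures.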

IM Propagation:
This worm checks the system language settings of the target machine to determine which localized message it sends to all of the user's contacts.

    Localized languages used:

    • Czech
    • Danish
    • Dutch
    • English
    • Finnish
    • French
    • German
    • Italian
    • Norwegian
    • Polish
    • Portuguese
    • Romanian
    • Slovak
    • Spanish
    • Turkish


    Localized messages sent (reproduced verbatim, with an English gloss where the language is clear; the link is replaced by a placeholder):

    • seen this?? 😀 [Malicious URL Link]
    • look at this picture 😀 [Malicious URL Link]
    • poglej to fotografijo 😀 [Malicious URL Link] (Slovenian: look at this photo)
    • pogled na ovu fotografiju 😀 [Malicious URL Link] (Croatian: look at this photo)
    • min bild 😀 [Malicious URL Link] (Swedish: my picture)
    • foto 😀 [Malicious URL Link] (photo)
    • to fotografiu 😀 [Malicious URL Link] (Slovak: this photo)
    • uita-te la aceasta fotografie 😀 [Malicious URL Link] (Romanian: look at this photo)
    • kuvaa 😀 [Malicious URL Link] (Finnish: picture)
    • bu resmi bakmak 😀 [Malicious URL Link] (Turkish: look at this picture)
    • olhar para esta foto 😀 [Malicious URL Link] (Portuguese: look at this photo)
    • spojrzec na to zdjecie 😀 [Malicious URL Link] (Polish: look at this photo)
    • dette bildet 😀 [Malicious URL Link] (Norwegian: this picture)
    • pet 😀 [Malicious URL Link]
    • dette billede 😀 [Malicious URL Link] (Danish: this picture)
    • vejte se na mou fotku 😀 [Malicious URL Link] (Czech: look at my photo)
    • guardare quest'immagine 😀 [Malicious URL Link] (Italian: look at this picture)
    • bekijk deze foto 😀 [Malicious URL Link] (Dutch: look at this photo)
    • schau mal das foto an 😀 [Malicious URL Link] (German: look at the photo)
    • regardez cette photo 😀 [Malicious URL Link] (French: look at this photo)

    A sample instant message sent by the worm looks like:


    SonicWALL Gateway AntiVirus provides protection against this worm via the GAV: Pushbot.QM (Trojan) and GAV: Downloader.JMVS (Trojan) signatures.