Summary
Worm:Win32/Pushbot.BD is a worm that spreads via MSN Messenger and AIM when commanded to by a remote attacker. This worm contains backdoor functionality that allows unauthorized access and control of an affected machine.
Symptoms
System Changes
The following system changes may indicate the presence of Worm:Win32/Pushbot.BD:
Presence of the following file: %windir%\svchost.exe
Presence of the following registry modification:
Adds value: "Windows Internet Manager"
With data: "svchost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Technical Information
Worm:Win32/Pushbot.BD is a worm that spreads via MSN Messenger and AIM when commanded to by a remote attacker. This worm contains backdoor functionality that allows unauthorized access and control of an affected machine.
When executed, Worm:Win32/Pushbot.BD copies itself to %windir%\svchost.exe and sets the attributes of this file to read-only, hidden and system. It then modifies the registry to ensure that this copy is executed at each Windows start:
Adds value: "Windows Internet Manager"
With data: "svchost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
It also displays a message box with the title "Windows Microsoft Viewer" containing the text:
"Picture can not be displayed."
It creates a mutex named "ha7gha7g6avb12" in order to ensure that multiple copies of the worm do not run simultaneously.
Spreads Via…
MSN Messenger and AIM
Using backdoor functionality (see Payload section below for additional detail) Worm:Win32/Pushbot.BD can be ordered to spread via MSN Messenger and AIM by a remote attacker. It sends a message to all of the infected user's contacts. The message is provided by the controller via the IRC backdoor, and it has been observed to include a URL pointing to a copy of the worm executable on the domain 'www.mymsnpics.net'.
Payload
Backdoor Functionality: Port 20733
Once installed, the worm connects to IRC server 'msn.sandboxanddie.info' on port 20733 and awaits instructions. Using the backdoor, a remote attacker can perform a number of actions of the affected machine, including the following:
- Spread via MSN Messenger or AIM
- Update itself
- Remove itself
- Download and execute arbitrary files
Steps
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
- Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
Select On. - Click OK.
To turn on the Windows Firewall in Windows Vista
- Click Start, and click Control Panel.
- Click Security.
- Click Turn Windows Firewall on or off.
Select On. - Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Source
Quote from http://obengware.com
0 comments:
Post a Comment