WORM_PUSHBOT.ZQ

This worm may be unknowingly downloaded by a user while visiting malicious websites. It may arrive on a system by clicking spammed malicious links on the social networking site Facebook.

It connects to certain websites to send and receive information.

Arrival Details

This worm may be unknowingly downloaded by a user while visiting malicious websites.

It may arrive on a system by clicking spammed malicious links on the social networking site Facebook.

Installation

This worm drops the following copies of itself into the affected system:

• %Application Data%\daeuks.exe
• %User Startup%\cnunw.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\AppDataLow\
tdlpmvceqfaskmyfxua\{E525B997-4A1A-425a-84B7-5D98AF7F902A}
{random} = "{malware path and file name}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
flsecjv = "%Application Data%\daeuks.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_CURRENT_USER\Software\AppDataLow

HKEY_CURRENT_USER\Software\AppDataLow\
tdlpmvceqfaskmyfxua

HKEY_CURRENT_USER\Software\AppDataLow\
tdlpmvceqfaskmyfxua\{E525B997-4A1A-425a-84B7-5D98AF7F902A}

Propagation

This worm sends messages that contain links to sites hosting remote copies of itself using the following instant-messaging (IM) applications:

• Skype
• MSN Messenger
• Windows Messenger

Other Details

This worm connects to the following website to send and receive information:

• {BLOCKED}la.com
• {BLOCKED}l.com
• {BLOCKED}t.com
• {BLOCKED}rt.com
• {BLOCKED}l.com
• {BLOCKED}l.com
• {BLOCKED}t.ie
• {BLOCKED}t.la
• {BLOCKED}t.to
• {BLOCKED}dress.com
• {BLOCKED}r.com
• {BLOCKED}n.ws
• {BLOCKED}ner.net
• {BLOCKED}rlink.com
• {BLOCKED}fy.wikinote.com
• {BLOCKED}inks.co.uk
• {BLOCKED}n.me
• {BLOCKED}rl.us
• {BLOCKED}t.com
• {BLOCKED}l.com
• {BLOCKED}fy.com
• {BLOCKED}matic.com
• {BLOCKED}ter.com
• {BLOCKED}t.st
• {BLOCKED}rl.com
• {BLOCKED}l.com
• {BLOCKED}l.net
• {BLOCKED}rl.com
• {BLOCKED}y.net
• {BLOCKED}e.to
• {BLOCKED}i.com
• {BLOCKED}k.com
• {BLOCKED}y.net
• {BLOCKED}rl.com
• {BLOCKED}i.li
• {BLOCKED}rl.net
• {BLOCKED}y.cc
• {BLOCKED}nk.com
• {BLOCKED}p.net
• {BLOCKED}rl.com
• {BLOCKED}j.org
• {BLOCKED}o.ly
• {BLOCKED}r.im
• {BLOCKED}a.kz
• {BLOCKED}rl.com
• {BLOCKED}m.li
• {BLOCKED}l.com
• {BLOCKED}o.us
• {BLOCKED}3.it
• {BLOCKED}i.bz
• {BLOCKED}l.at
• {BLOCKED}turl.com
• {BLOCKED}clicks.com
• {BLOCKED}pwr.com
• {BLOCKED}t.at
• {BLOCKED}l.cc

NOTES:

This worm may arrive by clicking spammed malicious links on Skype or MSN Messenger.

It is capable of setting the home page of the following browsers to point to a malicious site:

• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera

It may also redirect search engine queries to malicious websites.

It checks for an active Facebook session. If it finds one, it sends messages with a malicious link to the active user's contacts. The said link points to a remote URL where a copy of the worm may be downloaded. It may also post similar content to Facebook wall.

In order to accomplish its malicious routines, it downloads a configuration file from any of the URLs in the list above using the following HTTP request:

• http://{shortened URL}/query.php

It then parses the configuration file, which contains the following information:

• A message and a malicious link that will be posted on Facebook wall
• A remote malicious site which will be used as the default browser homepage
• A remote site where the malware may download other possibly malicious file(s)
• Messages and malicious links that will be sent to the user's contacts on Facebook, MSN Messenger, and Skype or posted to the user's Facebook wall

It also accesses the following site which replies with a URL link:

• http://{shortened URL}/ucheck.php

It then connects to the downloaded link via the default browser.