Channel: A blog about rootkits research and the Windows kernel

Removing Pushbot worm with your hands

This research covers a fresh version of the Pushbot worm, detected as Worm:Win32/Pushbot.VR.

Dropper:

MD5: 3e50b76c0066c314d224f4fd4cbf14d5
SHA1: 8284814c5c5cb0f37fe200b918b65ef89c259a0a

Spreads through a Facebook campaign. Details: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1385&start=10#p14221.

Copies itself (under a random file name) to
C:\Documents and Settings\root\Local Settings\Application Data\random
C:\Documents and Settings\root\Start Menu\Programs\Startup\random

Autostarts (under a random value name) from
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\random

Processes targeted for in-memory code injection:
msnmsgr.exe
msmsgs.exe
opera.exe
skype.exe
firefox.exe
iexplore.exe
calc.exe
jusched.exe
explorer.exe

Removal instructions:

1. Suspend all processes in the list above to stop the injected code from running.
2. Kill the main module: the process that is always resident in memory.
3. Kill all the processes you suspended.
4. Run explorer.exe.
5. Remove the main malware module from both locations.
6. Run regedit and remove the autostart item.
7. Reboot.
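The seven steps above as a PowerShell script, added here as an example and not part of the original post. It runs in report-only mode by default and only suspends, kills or deletes anything when called with -Remove. Two assumptions are labelled in the code: the dropped copies carry the same MD5 as the dropper listed above (the post says the worm "copies itself"), and the Run value points into one of the two drop directories; a repacked copy or a different autostart location would need manual review instead.

```powershell
param([switch]$Remove)   # default: report only; -Remove performs the actions

# From the post: injection targets and the dropper's MD5
$Targets    = 'msnmsgr','msmsgs','opera','skype','firefox','iexplore','calc','jusched','explorer'
$DropperMd5 = '3e50b76c0066c314d224f4fd4cbf14d5'

# ASSUMPTION: dropped copies have the dropper's MD5; otherwise inspect the
# listed candidates by hand instead of trusting the hash match.

# PowerShell has no suspend cmdlet, so call ntdll directly for step 1
Add-Type -Namespace Native -Name Nt -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr h);
'@

$Local   = [Environment]::GetFolderPath('LocalApplicationData')   # ...\Local Settings\Application Data
$Startup = [Environment]::GetFolderPath('Startup')                # ...\Start Menu\Programs\Startup
$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-Md5([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($md5.ComputeHash($fs)) -replace '-','').ToLower() }
    finally { $fs.Close() }
}

# Step 1: freeze every injection target so the injected code stops running
$Frozen = @(Get-Process -Name $Targets -ErrorAction SilentlyContinue)
foreach ($p in $Frozen) {
    "Injection target: $($p.Name) (PID $($p.Id))"
    if ($Remove) { [void][Native.Nt]::NtSuspendProcess($p.Handle) }
}

# Step 2: the main module is a process whose image lives in one of the drop dirs
$Main = @(Get-Process | Where-Object {
    try { $img = $_.MainModule.FileName } catch { $img = $null }   # access denied on system processes
    $img -and ($img.StartsWith($Local, 'OrdinalIgnoreCase') -or $img.StartsWith($Startup, 'OrdinalIgnoreCase'))
})
foreach ($p in $Main) {
    $img = $p.MainModule.FileName
    "Main module candidate: $img (PID $($p.Id)) MD5 $(Get-Md5 $img)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Steps 3 and 4: kill the suspended processes, then bring explorer back
if ($Remove) {
    $Frozen | Stop-Process -Force
    Start-Process explorer.exe
}

# Step 5: locate the two dropped copies by hash (top level of both directories)
$Files = Get-ChildItem -Path $Local, $Startup -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }
foreach ($f in $Files) {
    try { $h = Get-Md5 $f.FullName } catch { continue }   # skip locked files
    if ($h -eq $DropperMd5) {
        "Dropped copy: $($f.FullName)"
        if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
    }
}

# Step 6: ASSUMPTION: the random-named Run value points into a drop directory
$Run = Get-ItemProperty -Path $RunKey
foreach ($v in $Run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
    $data = [string]$v.Value
    if ($data -like "*$Local*" -or $data -like "*$Startup*") {
        "Autostart value '$($v.Name)' = $data"
        if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $v.Name }
    }
}

# Step 7
if ($Remove) { 'Done. Reboot to finish.' }
```

Run it once without -Remove to review the candidates it prints (the MD5 next to each main-module candidate lets you compare against the dropper hash before acting), then rerun with -Remove. Because explorer.exe is in the target list, the script kills and restarts it itself, which is the same as steps 3 and 4 done by hand.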
