Worm:Win32/Pushbot.gen!C is a generic detection for worms that can spread via MSN Messenger and/or AOL Instant Messenger. It also contains backdoor functionality that allows unauthorized access to an affected system. When executed, Worm:Win32/Pushbot.gen!C copies itself to the Windows folder using different file names, such as the following:
• update.exe
• svch0st.exe
It sets the attributes for this copy to read-only, hidden, and system. It also modifies the registry to run this copy at each Windows start, for example:
Code:
Adds value: "MSN"
With data: "%windir%\svch0st.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "MicrosoftCorp"
With data: "%windir%\svch0st.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
It then launches its copy and deletes its originally running file.
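
As an added example (not part of the original description), the following Python triages the text output of `reg query` for the two Run keys above and flags entries whose value name or file name matches the ones listed and whose target sits directly in the Windows folder. The sample output is constructed, and treating the Windows folder as `C:\Windows`, `%windir%` or `%SystemRoot%` is an assumption.

```python
import ntpath
import re

# Indicators taken from the description above.
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
}
FILE_NAMES = {"update.exe", "svch0st.exe"}
VALUE_NAMES = {"msn", "microsoftcorp"}
# Assumption: the Windows folder is C:\Windows or is written as a variable.
WINDIR = {"%windir%", "%systemroot%", r"c:\windows"}
# Constructed sample of `reg query <key>` output (not captured from a real host).
SAMPLE = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /silent
    MSN    REG_SZ    C:\WINDOWS\svch0st.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    MicrosoftCorp    REG_SZ    %windir%\svch0st.exe
"""
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()
        elif line.strip() and not line.startswith(" "):
            key = line.strip()  # an unindented line starts a new key

def suspicious(key, name, data):
    """Return the reasons a Run entry matches the described persistence."""
    key = re.sub(r"^hkey_local_machine", "hklm", key.lower())
    m = re.match(r'"?([^"]*?\.exe)', data, re.I)  # executable path, quotes dropped
    if key not in RUN_KEYS or not m:
        return []
    path = m.group(1).lower()
    if ntpath.dirname(path) not in WINDIR:  # only files placed in the Windows folder
        return []
    checks = {"listed file name": ntpath.basename(path) in FILE_NAMES,
              "listed Run value name": name.lower() in VALUE_NAMES}
    return [why for why, hit in checks.items() if hit]

def scan(text):
    """Return (key, value_name, data, reasons) for each matching entry."""
    return [(k, n, d, r) for k, n, d in parse_reg_query(text)
            if (r := suspicious(k, n, d))]
```

Calling `scan(SAMPLE)` returns the `MSN` and `MicrosoftCorp` entries and skips the constructed `Updater` entry, because `update.exe` is a common legitimate file name outside the Windows folder.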