PushDo Trojan is a downloader trojan responsible for downloading its spam counterpart and other malicious Trojans. Since its beginning, it has evolved into many different versions and in this blog post, we will make a deeper analysis of it.

This indicates the detection of network traffic that may be generated by the W32/Pushdo virus.
W32/Pushdo is a malicious program that acts as a trojan downloader. Its main purpose is to download a wide variety of malicious content and to disclose some system information to a remote controller.

PushDo Trojan often comes along with a packer, which will unpack code in a separate process. As long as the malware is always injected in a separate process, the unpacked file begins with repairing all IAT entries needed for correcting Windows API resolution.

 Pushdo is usually classified as a “downloader” trojan – meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.

When executed, Pushdo reports back to one of several control server IP addresses embedded in it code. The server listens on TCP port 80 and pretends to be an Apache webserver.

The malware to be downloaded by Pushdo depends on the value following the “s-underscore” part of the URL. The Pushdo controller is preloaded with multiple executable files – the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country or provides the ability to target a specific country or countries with a specific payload.

Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number (obtained by SMART_RCV_DRIVE_DATA IO control code), whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version as returned by the GetVersionEx API call.


Endpoints are the target of this malware. Infection means complete compromise of the target system, which may lead to exposure of confidential information, loss of productivity, and further network compromise. Pushdo is a botnet primarily used for spamming. Recently it has been observed launching Distributed Denial of Service (DDoS) attacks against certain well-known SSL-enabled websites. The Pushdo malware is also known as Pandex and some components are known as Cutwail.

For more cybersecurity information contact on help@theweborion.com