W32/Oscabot-I

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports

W32/Oscabot-I is an instant messaging worm that can exploit users of AOL Instant Messaging clients.

W32/Oscabot-I connects to a specific channel on an IRC service and waits for a remote attacker to instruct the bot to send messages to contacts in the infected user's AOL contacts list. The message will read:

'hehe :) i found this funny movie'

The word "this" is a link to the W32/Oscabot-I executable on the infected computer.

When run, W32/Oscabot-I moves itself to the Windows folder as a read-only, hidden, system file named inisys.exe.

W32/Oscabot-I then creates the following registry entries to run itself on user logon:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
MMC
MMC.exe <Windows folder>\inisys.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MMC
<Windows folder>\inisys.exe

W32/Oscabot-I also creates the following entry in <Windows folder>\wiadebug.log:

[Winlogon]
MMC = MMC.exe <Windows folder>\inisys.exe

W32/Oscabot-I also attempts to download files from a remote website and run them when instructed to do so by the remote attacker.
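
The file, registry and log indicators described above can be checked on a host with a short PowerShell function. This is an added example, not part of the original description; the function name and the output field names are assumptions, and `$env:windir` stands in for `<Windows folder>`.

```powershell
# Added example: report which W32/Oscabot-I indicators from this page are present.
# Test-OscabotIndicators and its output fields are illustrative names.
function Test-OscabotIndicators {
    $winDir   = $env:windir                          # the page's <Windows folder>
    $exePath  = Join-Path $winDir 'inisys.exe'
    $logPath  = Join-Path $winDir 'wiadebug.log'
    $findings = @()

    # 1. Registry values named MMC whose data references inisys.exe
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name 'MMC' -ErrorAction SilentlyContinue
        if ($prop -and $prop.MMC -match 'inisys\.exe') {
            $findings += [pscustomobject]@{
                Indicator = 'Registry'; Location = $key; Detail = $prop.MMC }
        }
    }

    # 2. The dropped file. -Force is needed because hidden and system files
    #    are not returned by Get-Item by default.
    $file = Get-Item -LiteralPath $exePath -Force -ErrorAction SilentlyContinue
    if ($file) {
        $findings += [pscustomobject]@{
            Indicator = 'File'; Location = $exePath; Detail = "Attributes: $($file.Attributes)" }
    }

    # 3. The MMC line written to wiadebug.log
    if (Test-Path -LiteralPath $logPath) {
        $hit = Select-String -LiteralPath $logPath -Pattern '^\s*MMC\s*=.*inisys\.exe' |
               Select-Object -First 1
        if ($hit) {
            $findings += [pscustomobject]@{
                Indicator = 'Log'; Location = $logPath; Detail = $hit.Line.Trim() }
        }
    }

    return $findings
}

Test-OscabotIndicators | Format-Table -AutoSize -Wrap
```

An empty result means none of the three indicators were found on the host.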
