W32/Oscabot-C

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Service Manager
<WINDOWS>\userint32.exe

and delete it if it exists.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

it should contain a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare) only. Remove any reference to any file you deleted. You may need to replace the reference to explorer.exe.

Close the registry editor.

W32/Oscabot-C is an instant messaging worm that can exploit users of AOL Instant Messaging clients.

W32/Oscabot-C connects to a specific channel on an IRC service and waits for an attacker to instruct the bot to send messages to contacts in the infected users AOL contacts list. The message reads "this was cool, check it out", where the word "this" is a link to the W32/Oscabot-C executable on the infected computer.

When first run W32/Oscabot-C copies itself to <WINDOWS>\userint32.exe.

The following registry entries are created to run userint32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Service Manager
<WINDOWS>\userint32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <WINDOWS>\userint32.exe