Sophos

W32/Oscabot-E

Aliases
  • W32/Sdbot.worm.gen.bh
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 16 May 2005 18:52:36 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Manager
<Windows folder>\msgs.exe

and delete it if it exists.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

it should contain a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare) only. Remove any reference to any file you deleted. You may need to replace the reference to explorer.exe.

Close the registry editor.

More Information

W32/Oscabot-E is an instant messaging worm that can exploit users of AOL Instant Messaging clients.

W32/Oscabot-E connects to a specific channel on an IRC service and waits for an attacker to instruct the bot to send messages to contacts in the infected user's AOL contacts list. The message will read:

"check this out, is that you?". W32/Oscabot-E is an instant messaging worm that can exploit users of AOL Instant Messaging clients.

W32/Oscabot-E connects to a specific channel on an IRC service and waits for an attacker to instruct the bot to send messages to contacts in the infected user's AOL contacts list. The message will read:

"check this out, is that you?".

The word "this" is a link to the W32/Oscabot-E executable on the infected computer.

When first run W32/Oscabot-E moves itself to the Windows folder as msgs.exe.

The following registry entries are created or modified:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Manager
<Windows folder>\msgs.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows folder>\userint32.exe

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer