Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 31 May 2005 20:59:18 (GMT) |
| Last updated | 18 June 2005 15:51:06 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Oscabot-I is an instant messaging worm that can exploit users of AOL Instant Messaging clients.
W32/Oscabot-I connects to a specific channel on an IRC service and waits for a remote attacker to instruct the bot to send messages to contacts in the infected user's AOL contacts list. The message will read:
'hehe :) i found this funny movie'
The word "this" is a link to the W32/Oscabot-I executable on the infected computer.
When run, W32/Oscabot-I moves itself to the Windows folder as a read-only, hidden, system file named inisys.exe.
W32/Oscabot-I then creates the following registry entries to run itself on user logon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
MMC
MMC.exe <Windows folder>\inisys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MMC
<Windows folder>\inisys.exe
W32/Oscabot-I also creates the following entry in <Windows folder>\wiadebug.log:
[Winlogon]
MMC = MMC.exe <Windows folder>\inisys.exe
W32/Oscabot-I also attempts to download files from a remote website and run them when instructed to do so by the remote attacker.
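
The registry, file and log indicators listed above can be checked on a host with a short PowerShell script. This is an added example, not Sophos tooling; it takes `<Windows folder>` to be `%windir%`, and the WOW6432Node paths are an assumption added to cover 32-bit registry redirection on 64-bit Windows.

```powershell
# Indicators are taken from the description above. The WOW6432Node paths are an
# added assumption (32-bit registry redirection on 64-bit Windows).
$exe  = Join-Path $env:windir 'inisys.exe'
$log  = Join-Path $env:windir 'wiadebug.log'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

foreach ($key in $keys) {
    # The worm names its value "MMC" in both keys; flag it only when the data
    # points at inisys.exe.
    $prop = Get-ItemProperty -Path $key -Name 'MMC' -ErrorAction SilentlyContinue
    if ($prop -and $prop.MMC -match 'inisys\.exe') {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\MMC"; Detail = $prop.MMC }
    }
}

# -Force is needed because the dropped file is hidden and system.
$file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
if ($file) {
    $findings += [pscustomobject]@{ Type = 'File'; Location = $file.FullName; Detail = [string]$file.Attributes }
}

# Match only the worm's own line, since a file with this name may hold
# unrelated entries.
if (Test-Path -LiteralPath $log) {
    Select-String -LiteralPath $log -Pattern 'MMC\s*=\s*MMC\.exe\s.*inisys\.exe' | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Log'; Location = "${log}:$($_.LineNumber)"; Detail = $_.Line.Trim() }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No W32/Oscabot-I indicators found.' }
```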

