Another (Virus) Question For The Computer X-Sperts  
User currently offlineTSV From Australia, joined Nov 1999, 1641 posts, RR: 5
Posted (6 years 5 months 3 weeks 4 days ago) and read 3528 times:

Ok the situation is one of my laptops running Panda (up to date etc etc and before people slag off at it it's been pretty good over the last three years) has detected Oscarbot.QS (which at a guess made itself at home on the laptop when I connected to a Server over the Internet or possibly through MSN Messenger) however it doesn't do anything about it - it just detects it (one instance over and over again) but doesn't disinfect it or quarantine it.

It obviously had an effect (turned off Panda and changed settings etc which were restored straight away) and is still having some effect (slowed the laptop down dramatically) so I need to do something about it.

The weird thing about it is the Panda website/Virus Encyclopedia had information on it (the .QS version that is) straight away when I went looking for it (which was apparently 2 days after it was first detected) however when I went to have another look at it the next day and subsequent days the information is not there and searching for the .QS version reveals a big fat nothing.

The other weird thing is apparently it is very rare for a Computer on a dialup to be infected with Oscarbot which adds to the evidence that it came it when I was connected to the Server (which obviously begs the question - is the bloody Server infected?).

Some recommendations I have had already are:
1. Just go and get AVG (which I have done) and install it (which I haven't done yet) and see what it can do.
and
2. Get Stryker or Striker or something like that as it is apparently exceptional dealing with the bot Viruses/Viri/whatever (it's late and I'm pissed off with it).

Bring on the bright ideas people ...


"I told you I was ill ..." Spike Milligan
User currently offlineIFEMaster From , joined Dec 1969, posts, RR:
Reply 1, posted (6 years 5 months 3 weeks 4 days ago) and read 3523 times:

ESET NOD32 will take care of it in an instant.

User currently offlineMham001 From United States of America, joined Feb 2005, 3389 posts, RR: 2
Reply 2, posted (6 years 5 months 3 weeks 3 days 19 hours ago) and read 3497 times:

Win32/Oscarbot is a typical IRC Worm with Trojan functionality, the size is 40960 bytes and the worm is runtime compressed / protected by YodaProtector. The worm was programmed with Visual C++ and is able to send links to the worm executable via Messenger Services, such as AOL or MSN Messenger

Installation and Autostart Techniques

Upon execution the worm copies itself into the %System% folder as “lockbr.exe”.

The worm creates a mutex “Shd1tdtyld1feveyfd3” to avoid multiply running instances of itself on one machine.

The worm adds the following keys to the registry to make sure that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"freexstyle" = "lockbr.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"freexstyle" = "lockbr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"freexstyle" = "lockbr.exe"

It also modifies the following registry keys:

HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = "0"

Win32/Oscarbot also modifies several keys related to “AuthorizedApplications” within the firewall registry keys.

A file, “xz.bat”, is created in the System Root and contains commands to stop/disable several security related services:

@echo off
@title Windows Update
SET S= Security Center
SET W=Windows Firewall/Internet Connection Sharing (ICS)
SET Q=SharedAccess
net stop "%S%"
net stop "%W%"
net stop %Q%

Win32/Oscarbot connects to the IRC Channel #K00Z-Z and sends notifications via Private Message (PRIVMSG) to the channel host. The IRC Server is hard coded as “q8l0rd.linux-dude.net”.

The worm is able to upload files to/from its host and downloaded files can be executed by this worm.

The worm uses InternetGetConnectedState function to upload and notify only when a valid internet connection exists to avoid popping up dial in dialogs.

Other details:

This worm is able to send a link to the binary to online contacts in several Messenger Services, this might look as follows:

The worm is supposed to install spyware and adware on the infected machine, this is done via IRC channel driven downloads. During time of Analysis this was Adware.SmartLoad and several other TrojanDownloaders, such as Downloader.AdLoad.

This threat was detected heuristically.
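
The registry and file changes listed in that description lend themselves to a quick host check. The following Python script is an added example, not ESET's or any poster's code: it parses a Windows .reg export (the format produced by "reg export") of the keys named above, flags a Run/RunServices entry called freexstyle or pointing at lockbr.exe, flags EnableFirewall set to 0 under the StandardProfile policy key, and checks a directory listing for lockbr.exe / xz.bat. The export embedded in the script is constructed for illustration, not captured from a real machine.

```python
"""Host triage for the Win32/Oscarbot indicators quoted above.

Added example, not ESET's or the thread's own code. Indicator names (value
name, binary, batch file, firewall key) come from the description; the
sample .reg export below is constructed.
"""
import re

# Keys the description says the worm writes to or modifies.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")
SUSPECT_VALUE_NAME = "freexstyle"
SUSPECT_FILES = ("lockbr.exe", "xz.bat")

# Constructed .reg export of an infected host (two Run entries, firewall off).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"freexstyle"="lockbr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"freexstyle"="lockbr.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export.

    String values are unescaped (doubled backslashes, escaped quotes);
    dword values become ints; other types are kept as their raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_registry_indicators(reg):
    """Flag the persistence entries and the firewall change the write-up names."""
    lower = {k.lower(): v for k, v in reg.items()}
    findings = []
    for key in RUN_KEYS:
        for name, data in lower.get(key.lower(), {}).items():
            if name.lower() == SUSPECT_VALUE_NAME or "lockbr.exe" in str(data).lower():
                findings.append("persistence: %s\\%s = %r" % (key, name, data))
    enable = lower.get(FIREWALL_KEY.lower(), {}).get("EnableFirewall")
    if enable in (0, "0"):  # dword from a real export, or the quoted string form
        findings.append("firewall: EnableFirewall set to 0 in StandardProfile")
    return findings


def find_file_indicators(present_paths):
    """Given paths from a directory listing, return those matching the dropped files."""
    hits = []
    for path in present_paths:
        tail = path.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if tail in SUSPECT_FILES:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for line in find_registry_indicators(parse_reg_export(SAMPLE_REG)):
        print(line)
    for path in find_file_indicators([r"C:\WINDOWS\system32\lockbr.exe", r"C:\WINDOWS\xz.bat"]):
        print("file:", path)
```

On a real host the export would come from "reg export" of each key above, and the path list from a recursive directory listing of the Windows folder; a clean machine yields no findings. Matching on the value name and the file name separately matters because the write-up only guarantees both together for this variant, and an entry under a different name still points at the same binary.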


User currently offlineDavid L From United Kingdom, joined May 1999, 9487 posts, RR: 42
Reply 3, posted (6 years 5 months 3 weeks 3 days 18 hours ago) and read 3491 times:

Quoting Mham001 (Reply 2):

Credit where credit's due:

http://www.eset.com/msgs/oscarbot.htm

 Smile


User currently offlineTSV From Australia, joined Nov 1999, 1641 posts, RR: 5
Reply 4, posted (6 years 5 months 3 weeks 16 hours ago) and read 3444 times:

Ok after an horrific weekend where every html file got infected with Mefir.C I really had to get serious about something else.

Went to install Mozilla however found that the download wasn't complete and even after two more attempts it still wouldn't download properly.

So had to try another alternative.

Quoting IFEMaster (Reply 1):
ESET NOD32 will take care of it in an instant.

Ok I had a look at their website, downloaded the trial version, uninstalled Panda, and installed NOD32.

First time I go to use it it says:

"Checking CRC of NOD32.EXE : file is corrupted, possibly due to infection."

Any suggestions as to what that is about? Should I download it again and reinstall?

However it still scanned and initially it picked up some sort of Trojan but didn't pick up the three or four that Panda picked up but didn't do anything about. So I had a look at the settings and it seemed there were a number of things it wasn't scanning - such as mail - which is where Panda was picking these three or four up (well at least in the "Messages" column). So changed the settings to everything and would you believe it picked up 2 cases of Happy99 in two .mbx files that had been archived in a folder from an old desktop I stopped using years ago. Talk about weird.

Going to scan it again just to be sure.



"I told you I was ill ..." Spike Milligan
User currently offlineTSV From Australia, joined Nov 1999, 1641 posts, RR: 5
Reply 5, posted (6 years 5 months 2 weeks 3 days 4 hours ago) and read 3408 times:

Well it got worse. Obviously I didn't set it (NOD32) up correctly as some system files got infected when I was on the internet including the log and system restore files and were deleted so when I turned it on again when I logged in it logged me out and when I went to system restore I couldn't do anything (also I probably forgot to mention that the CD/DVD has been on the blink intermittently/permanently for a few months now so I couldn't reinstall XP) so it's off to the aptly named "Fix my Laptop" to see what they can do. (And from all accounts they are going to put AVG on it when and if they get it going again.)


"I told you I was ill ..." Spike Milligan