TSV From Australia, joined Nov 1999, 1641 posts, RR: 4 Posted (8 years 3 weeks 6 days 14 hours ago) and read 4485 times:
Ok the situation is one of my laptops running Panda (up to date etc etc and before people slag off at it it's been pretty good over the last three years) has detected Oscarbot.QS (which at a guess made itself at home on the laptop when I connected to a Server over the Internet or possibly through MSN Messenger) however it doesn't do anything about it - it just detects it (one instance over and over again) but doesn't disinfect it or quarantine it.
It obviously had an effect (turned off Panda and changed settings etc which were restored straight away) and is still having some effect (slowed the laptop down dramatically) so I need to do something about it.
The weird thing about it is the Panda website/Virus Encyclopedia had information on it (the .QS version that is) straight away when I went looking for it (which was apparently 2 days after it was first detected) however when I went to have another look at it the next day and subsequent days the information is not there and searching for the .QS version reveals a big fat nothing.
The other weird thing is apparently it is very rare for a Computer on a dialup to be infected with Oscarbot which adds to the evidence that it came in when I was connected to the Server (which obviously begs the question - is the bloody Server infected?).
Some recommendations I have had already are:
1. Just go and get AVG (which I have done) and install it (which I haven't done yet) and see what it can do.
2. Get Stryker or Striker or something like that as it is apparently exceptional at dealing with the bot Viruses/Viri/whatever (it's late and I'm pissed off with it).
Mham001 From United States of America, joined Feb 2005, 4140 posts, RR: 3
Reply 2, posted (8 years 3 weeks 6 days 9 hours ago) and read 4454 times:
Win32/Oscarbot is a typical IRC Worm with Trojan functionality; the size is 40960 bytes and the worm is runtime compressed / protected by YodaProtector. The worm was programmed with Visual C++ and is able to send links to the worm executable via Messenger Services, such as AOL or MSN Messenger.
Installation and Autostart Techniques
Upon execution the worm copies itself into the %System% folder as “lockbr.exe”.
The worm creates a mutex “Shd1tdtyld1feveyfd3” to avoid multiple running instances of itself on one machine.
The worm adds the following keys to the registry to make sure that it runs every time Windows is started:
Win32/Oscarbot also modifies several keys related to “AuthorizedApplications” within the firewall registry keys.
A file, “xz.bat”, is created in the System Root and contains commands to stop/disable several security related services:
@title Windows Update
SET S= Security Center
SET W=Windows Firewall/Internet Connection Sharing (ICS)
net stop "%S%"
net stop "%W%"
net stop %Q%
Win32/Oscarbot connects to the IRC Channel #K00Z-Z and sends notifications via Private Message (PRIVMSG) to the channel host. The IRC Server is hard coded as “q8l0rd.linux-dude.net”.
The worm is able to upload files to/from its host and downloaded files can be executed by this worm.
The worm uses the InternetGetConnectedState function to upload and notify only when a valid internet connection exists, to avoid popping up dial-in dialogs.
This worm is able to send a link to the binary to online contacts in several Messenger Services, this might look as follows:
The worm is supposed to install spyware and adware on the infected machine; this is done via IRC channel driven downloads. During the time of analysis this was Adware.SmartLoad and several other TrojanDownloaders, such as Downloader.AdLoad.
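As an added example (not part of the post above or of the vendor write-up it quotes), a small Python analyzer for a batch file like the quoted xz.bat: it resolves the SET/%VAR% indirection the way a batch file does and reports which security services the script would stop, plus any variable it uses without defining. The regex rules and the list of watched service names are my own assumptions.

```python
import re

# Constructed copy of the xz.bat fragment quoted in the post.
SAMPLE_BAT = """@title Windows Update
SET S= Security Center
SET W=Windows Firewall/Internet Connection Sharing (ICS)
net stop "%S%"
net stop "%W%"
net stop %Q%
"""

# Services whose shutdown by a script is a red flag (assumed list, lower-cased).
SECURITY_SERVICES = {
    "security center",
    "windows firewall/internet connection sharing (ics)",
}

SET_RE = re.compile(r"^\s*set\s+([^=]+?)\s*=(.*)$", re.IGNORECASE)
NET_STOP_RE = re.compile(r"^\s*net\s+stop\s+(.*?)\s*$", re.IGNORECASE)
VAR_RE = re.compile(r"%([^%]+)%")

def expand(value, env, unresolved):
    """Batch-file expansion: %NAME% becomes its value, or nothing when unset."""
    def sub(m):
        name = m.group(1).upper()
        if name not in env:
            unresolved.append(name)   # like the undefined %Q% in the sample
            return ""
        return env[name]
    return VAR_RE.sub(sub, value)

def analyze_batch(text):
    """Return the services the script would stop, the security ones among them,
    and the variable names it references without defining."""
    env, stops, unresolved = {}, [], []
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).strip().upper()] = m.group(2)   # cmd keeps leading spaces
            continue
        m = NET_STOP_RE.match(line)
        if m:
            target = expand(m.group(1), env, unresolved).strip('"').strip()
            if target:
                stops.append(target)
    flagged = [s for s in stops if s.lower() in SECURITY_SERVICES]
    return {"stops": stops, "security_stops": flagged, "unresolved": unresolved}

if __name__ == "__main__":
    print(analyze_batch(SAMPLE_BAT))
```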
Ok I had a look at their website, downloaded the trial version, uninstalled Panda, and installed NOD32.
First time I go to use it, it says:
"Checking CRC of NOD32.EXE : file is corrupted, possibly due to infection."
Any suggestions as to what that is about? Should I download it again and reinstall?
However it still scanned and initially it picked up some sort of Trojan but didn't pick up the three or four that Panda picked up but didn't do anything about. So I had a look at the settings and it seemed there were a number of things it wasn't scanning - such as mail - which is where Panda was picking these three or four up (well at least in the "Messages" column). So I changed the settings to everything and would you believe it picked up 2 cases of Happy99 in two .mbx files that had been archived in a folder from an old desktop I stopped using years ago. Talk about weird.
TSV From Australia, joined Nov 1999, 1641 posts, RR: 4
Reply 5, posted (8 years 2 weeks 5 days 18 hours ago) and read 4365 times:
Well it got worse. Obviously I didn't set it (NOD32) up correctly as some system files got infected when I was on the internet, including the log and system restore files, and were deleted, so when I turned it on again and logged in it logged me out, and when I went to system restore I couldn't do anything (also I probably forgot to mention that the CD/DVD has been on the blink intermittently/permanently for a few months now so I couldn't reinstall XP), so it's off to the aptly named "Fix my Laptop" to see what they can do. (And from all accounts they are going to put AVG on it when and if they get it going again.)