Another (Virus) Question For The Computer X-Sperts

Thu Nov 01, 2007 5:44 pm

Ok, the situation is: one of my laptops running Panda (up to date etc. etc., and before people slag off at it, it's been pretty good over the last three years) has detected Oscarbot.QS (which at a guess made itself at home on the laptop when I connected to a Server over the Internet or possibly through MSN Messenger), however it doesn't do anything about it - it just detects it (one instance over and over again) but doesn't disinfect it or quarantine it.

It obviously had an effect (turned off Panda and changed settings etc which were restored straight away) and is still having some effect (slowed the laptop down dramatically) so I need to do something about it.

The weird thing about it is the Panda website/Virus Encyclopedia had information on it (the .QS version that is) straight away when I went looking for it (which was apparently 2 days after it was first detected) however when I went to have another look at it the next day and subsequent days the information is not there and searching for the .QS version reveals a big fat nothing.

The other weird thing is apparently it is very rare for a Computer on a dialup to be infected with Oscarbot, which adds to the evidence that it came in when I was connected to the Server (which obviously begs the question - is the bloody Server infected?).

Some recommendations I have had already are:
1. Just go and get AVG (which I have done) and install it (which I haven't done yet) and see what it can do.
2. Get Stryker or Striker or something like that as it is apparently exceptional at dealing with the bot Viruses/Viri/whatever (it's late and I'm pissed off with it).

Bring on the bright ideas people ...
Spike Milligan
RE: Another (Virus) Question For The Computer X-Sperts

Thu Nov 01, 2007 5:54 pm

ESET NOD32 will take care of it in an instant.
Delivering Anecdotes of Dubious Relevance Since 1978
RE: Another (Virus) Question For The Computer X-Sperts

Thu Nov 01, 2007 11:16 pm

Win32/Oscarbot is a typical IRC Worm with Trojan functionality, the size is 40960 bytes and the worm is runtime compressed / protected by YodaProtector. The worm was programmed with Visual C++ and is able to send links to the worm executable via Messenger Services, such as AOL or MSN Messenger.

Installation and Autostart Techniques

Upon execution the worm copies itself into the %System% folder as “lockbr.exe”.

The worm creates a mutex “Shd1tdtyld1feveyfd3” to avoid multiple running instances of itself on one machine.

The worm adds the following keys to the registry to make sure that it runs every time Windows is started:

“freexstyle” = “lockbr.exe”

“freexstyle” = “lockbr.exe”

“freexstyle” = “lockbr.exe”

It also modifies the following registry keys:

"EnableFirewall" = "0"

Win32/Oscarbot also modifies several keys related to “AuthorizedApplications” within the firewall registry keys.

A file, “xz.bat”, is created in the System Root and contains commands to stop/disable several security related services:

@echo off
@title Windows Update
SET S= Security Center
SET W=Windows Firewall/Internet Connection Sharing (ICS)
SET Q=SharedAccess
net stop "%S%"
net stop "%W%"
net stop %Q%

Win32/Oscarbot connects to the IRC Channel #K00Z-Z and sends notifications via Private Message (PRIVMSG) to the channel host. The IRC Server is hard coded as “q8l0rd.linux-dude.net”.

The worm is able to upload files to/from its host and downloaded files can be executed by this worm.

The worm uses the InternetGetConnectedState function to upload and notify only when a valid internet connection exists, to avoid popping up dial-in dialogs.

Other details:

This worm is able to send a link to the binary to online contacts in several Messenger Services, this might look as follows:

The worm is supposed to install spyware and adware on the infected machine; this is done via IRC-channel-driven downloads. At the time of analysis this was Adware.SmartLoad and several other TrojanDownloaders, such as Downloader.AdLoad.

This threat was detected heuristically.
David L
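As an added example (not from the thread or from the vendor write-up quoted above), a read-only PowerShell sweep of a Windows host for the Oscarbot artefacts listed in that post: the dropped file, the batch file, the mutex, the autostart value and the disabled-firewall flag. The write-up does not say which registry keys hold the "freexstyle" and "EnableFirewall" values, so the common Run keys and the standard firewall-policy key are assumptions, as is the location of xz.bat; the mutex check needs .NET 4.5 or later.

```powershell
# Detection-only sweep for the Win32/Oscarbot indicators named in the write-up.
# Nothing is modified; every hit is appended to $findings and printed at the end.
$findings = @()

# File artefacts: %System%\lockbr.exe and xz.bat in the "System Root".
$files = @(
    (Join-Path $env:SystemRoot 'System32\lockbr.exe'),
    (Join-Path $env:SystemRoot 'xz.bat'),
    (Join-Path $env:SystemDrive 'xz.bat')   # assumption: "System Root" may mean the drive root
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Mutex the worm creates to stop a second copy running (TryOpenExisting: .NET 4.5+).
$m = $null
if ([System.Threading.Mutex]::TryOpenExisting('Shd1tdtyld1feveyfd3', [ref]$m)) {
    $findings += 'Mutex Shd1tdtyld1feveyfd3 is held by a running process'
    $m.Dispose()
}

# Autostart value "freexstyle" = "lockbr.exe"; the write-up omits the key paths,
# so the usual Run keys are checked here as an assumption.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -eq 'freexstyle' -or "$($p.Value)" -match 'lockbr\.exe') {
            $findings += "Autostart entry: $k\$($p.Name) = $($p.Value)"
        }
    }
}

# "EnableFirewall" = "0"; assumed to be the standard-profile firewall policy key.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$v = (Get-ItemProperty -Path $fw -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
if ($v -eq 0) { $findings += "Windows Firewall disabled: $fw\EnableFirewall = 0" }

if ($findings.Count -eq 0) { 'No Oscarbot artefacts found' } else { $findings }
```

Run from an elevated prompt so the HKLM keys and System32 are readable; a hit on the mutex or the Run value while lockbr.exe is absent suggests the file was renamed or already cleaned.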
RE: Another (Virus) Question For The Computer X-Sperts

Thu Nov 01, 2007 11:52 pm

Quoting Mham001:

Credit where credit's due:

RE: Another (Virus) Question For The Computer X-Sperts

Mon Nov 05, 2007 2:44 am

Ok after an horrific weekend where every html file got infected with Mefir.C I really had to get serious about something else.

Went to install Mozilla however found that the download wasn't complete and even after two more attempts it still wouldn't download properly.

So had to try another alternative.

Quoting IFEMaster:
ESET NOD32 will take care of it in an instant.

Ok I had a look at their website, downloaded the trial version, uninstalled Panda, and installed NOD32.

First time I go to use it, it says:

"Checking CRC of NOD32.EXE : file is corrupted, possibly due to infection."

Any suggestions as to what that is about? Should I download it again and reinstall?

However it still scanned and initially it picked up some sort of Trojan but didn't pick up the three or four that Panda picked up but didn't do anything about. So I had a look at the settings and it seemed there were a number of things it wasn't scanning - such as mail - which is where Panda was picking these three or four up (well at least in the "Messages" column). So changed the settings to everything and would you believe it picked up 2 cases of Happy99 in two .mbx files that had been archived in a folder from an old desktop I stopped using years ago. Talk about weird.

Going to scan it again just to be sure.
Spike Milligan
RE: Another (Virus) Question For The Computer X-Sperts

Fri Nov 09, 2007 2:20 pm

Well it got worse. Obviously I didn't set it (NOD32) up correctly as some system files got infected when I was on the internet, including the log and system restore files, and were deleted, so when I turned it on again, when I logged in it logged me out, and when I went to system restore I couldn't do anything (also I probably forgot to mention that the CD/DVD has been on the blink intermittently/permanently for a few months now so I couldn't reinstall XP), so it's off to the aptly named "Fix my Laptop" to see what they can do. (And from all accounts they are going to put AVG on it when and if they get it going again.)
Spike Milligan