Oscarbot.YQ
Threat LevelDamageDistribution

Effects 

Oscarbot.YQ displays annoying messages when users are browsing through the Internet Explorer, so that users access websites that advertise different pay services. Although users close these messages, they will be displayed after a while.

Oscarbot.YQ carries out the following actions:

• It reaches the computer in a file with the name imagFaceBook, passing itself off as an image when it is actually an executable file:
  
  
• When it is run, the Internet Explorer browser is opened and the legitimate website of myspace is displayed in order to distract users:
  
  
• If users try to close the browser or open a new website, a message like the following will be displayed:
  
  
• Users are required to make a survey in order to access certain content.
• If users click on the "Aceptar" button, the browser will be closed or another website will be opened.
• If users click the "Cancelar" button, they will be accepting to make the survey and a message like the following will be displayed:
  
  
• Each option points to a different website depending on the users' choice, as can be seen in the image below:
  
  
• If users follow any of these links, they will be redirected to websites in which different pay services are offered.
• If, on the contrary, they do not follow any link, the following message will be displayed:
  
  
• Whe users access certain websites, like for example Facebook's, a message like the following is displayed:
  
  
• Additionally, it carries out these other actions:
  - It adds itself to the list of applications authorized by the Windows firewall, in order to avoid being blocked.
  - It stops the Windows Update service, so that the Windows automatic updates are not downloaded.
  - It leaves an open port with a connection to a certain website in order to receive commands.

Infection strategy 

Oscarbot.YQ creates the following files in the Windows directory:

• JUSCHED.EXE, which is a copy of the worm.
• MDLL.DL. It is a data file which contains information about the websites with which it connects.
• WINTYBRD.PNG and WINTYBRDF.JPG, which belongs to the messages Human Confirmation! displayed by the worm.

Oscarbot.YQ creates the following entries in the Windows Registry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Java developer Script Browse = %windir%\jusched.exe
  where %windir% is the Windows directory.
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Java developer Script Browse = %windir%\jusched.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
  Java developer Script Browse = %windir%\jusched.exe
  By creating these entries, Oscarbot.YQ ensures that it is run whenever Windows is started.
• HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ SharedAccess\ Parameters\ FirewallPolicy\ StandardProfile\ AuthorizedApplications\ List
  %path%\imagFaceBook.exe = %windir%\jusched.exe:*:Enabled:Java developer Script Browse
  where %path% belongs to the path in which users have run the original file.
  By creating this entry, it adds itself to the list of applications authorized by the Windows firewall, in order to avoid being blocked.

Means of transmission 

Oscarbot.YQ spreads sending meesages that point to the download of the worm via instant messaging programs like Yahoo! Messenger and via the Skype.

Further Details  

Oscarbot.YQ is 86,016 bytes in size.