Active Scan. Scan your PC free
Premium Services
Premium Services

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelLow threatDamageHighDistributionNot widespread


Oscarbot.YQ displays annoying messages when users are browsing through the Internet Explorer, so that users access websites that advertise different pay services. Although users close these messages, they will be displayed after a while.

Oscarbot.YQ carries out the following actions:

  • It reaches the computer in a file with the name imagFaceBook, passing itself off as an image when it is actually an executable file:

    File in which Oscarbot.YQ reaches the computer
  • When it is run, the Internet Explorer browser is opened and the legitimate website of myspace is displayed in order to distract users:

    Legitimate myspace website
  • If users try to close the browser or open a new website, a message like the following will be displayed:

    Message displayed by Oscarbot.YQ
  • Users are required to make a survey in order to access certain content.
  • If users click on the "Aceptar" button, the browser will be closed or another website will be opened.
  • If users click the "Cancelar" button, they will be accepting to make the survey and a message like the following will be displayed:

    Survey displayed by Oscarbot.YQ
  • Each option points to a different website depending on the users' choice, as can be seen in the image below:

    Webistes to which the different options of the survey point
  • If users follow any of these links, they will be redirected to websites in which different pay services are offered.
  • If, on the contrary, they do not follow any link, the following message will be displayed:

    Menssage display if no option is selected
  • Whe users access certain websites, like for example Facebook's, a message like the following is displayed:

    Message displayed in the Facebook website
  • Additionally, it carries out these other actions:
    - It adds itself to the list of applications authorized by the Windows firewall, in order to avoid being blocked.
    - It stops the Windows Update service, so that the Windows automatic updates are not downloaded.
    - It leaves an open port with a connection to a certain website in order to receive commands.

Infection strategy 

Oscarbot.YQ creates the following files in the Windows directory:

  • JUSCHED.EXE, which is a copy of the worm.
  • MDLL.DL. It is a data file which contains information about the websites with which it connects.
  • WINTYBRD.PNG and WINTYBRDF.JPG, which belongs to the messages Human Confirmation! displayed by the worm.


Oscarbot.YQ creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Java developer Script Browse = %windir%\jusched.exe

    where %windir% is the Windows directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Java developer Script Browse = %windir%\jusched.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    Java developer Script Browse = %windir%\jusched.exe
    By creating these entries, Oscarbot.YQ ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ SharedAccess\ Parameters\ FirewallPolicy\ StandardProfile\ AuthorizedApplications\ List
    %path%\imagFaceBook.exe = %windir%\jusched.exe:*:Enabled:Java developer Script Browse
    where %path% belongs to the path in which users have run the original file.
    By creating this entry, it adds itself to the list of applications authorized by the Windows firewall, in order to avoid being blocked.

Means of transmission 

Oscarbot.YQ spreads sending meesages that point to the download of the worm via instant messaging programs like Yahoo! Messenger and via the Skype.

Further Details  

Oscarbot.YQ is 86,016 bytes in size.