AIM based Trojan (Oscarbot) installs backdoor on PC

By Angsuman Chakraborty, Gaea News Network
Monday, May 9, 2005

Oscarbot (aka Doyorg), a Windows-only Trojan, continued to spread on Monday among America Online instant messaging clients. It installs a backdoor on the infected PC when users click on a link within lines like “hey check out this” or “i thought youd wanna see this” from a buddy on their AIM contact list.

Following the hyperlink results in the user being prompted to save or run an executable file (such as pictures@gallery.com). If users choose to download and/or run this file, Oscarbot will contact a remote IRC server, log on to a specified channel and wait for further instructions. It propagates by sending the same message to every buddy in the address book of the system’s AOL Instant Messenger client.

The backdoor component can be used later by the attacker to upload software of his choice to the compromised PC. Such machines are typically added to botnets and are often used as spam proxies or to launch denial-of-service (DDoS) attacks.

Update your antivirus software to safeguard against this attack. Also, do not click on links delivered via AIM or download any software from those URLs, even if the message comes from a trusted friend.

This threat copies itself to the WINDOWS (%WinDir%) directory as svchost.exe (note a valid svchost.exe file exists in the WINDOWS SYSTEM directory). The shell is hooked via the registry to ensure the threat is run at system startup.
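A defensive check for the masquerading described above, as an added example that is not from the original article: it flags any process named svchost.exe whose image sits outside the Windows system directory. The process records are constructed sample data, and the trusted directory names (System32, SysWOW64) and the `triage` helper are assumptions of this example.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: a genuine svchost.exe runs only from these subdirectories of
# %WinDir% (System32, plus SysWOW64 on 64-bit Windows).
TRUSTED_SUBDIRS = ("system32", "syswow64")

# Constructed process inventory (pid, image name, image path), not from a real host.
SAMPLE = [
    {"pid": 812, "name": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": 1404, "name": "SVCHOST.EXE", "path": r"C:\WINDOWS\svchost.exe"},
    {"pid": 1620, "name": "svchost.exe", "path": r"C:\WINDOWS\system32\..\svchost.exe"},
    {"pid": 1888, "name": "svchost.exe", "path": ""},
    {"pid": 2040, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
]


def _norm(path):
    # Lower-case, unify separators, drop an extended-length prefix, collapse "..".
    p = path.strip().strip('"').replace("/", "\\")
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return ntpath.normpath(p).lower()


def triage(processes, windir=r"C:\Windows"):
    """Return (pid, verdict) for every process that claims to be svchost.exe."""
    trusted = {_norm(ntpath.join(windir, d)) for d in TRUSTED_SUBDIRS}
    findings = []
    for proc in processes:
        if proc["name"].lower() != "svchost.exe":
            continue
        if not proc.get("path"):
            verdict = "unknown-path"  # path unreadable; needs a manual look
        elif ntpath.dirname(_norm(proc["path"])) in trusted:
            verdict = "trusted"
        else:
            verdict = "suspicious"  # e.g. the copy placed directly in %WinDir%
        findings.append((proc["pid"], verdict))
    return findings


if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE):
        print(pid, verdict)
```

A process name alone proves nothing here; the image path is what separates the copy in %WinDir% from the real service host.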

Discussion

used computers
July 21, 2010: 4:51 pm

iPhone is the best technological marvel. It is fast, launches applications, games, internet, videos etc. quickly. It's a very powerful touch sensitivity mobile computer with added voice control features. It is a revolutionary mobile phone, a widescreen iPod, and a breakthrough internet device. The iPhone may drive many of the existing smart phones and touch phones to extinction. IBM-PC drove many other computer design architectures into extinction.

July 21, 2010: 11:56 am

I guess the shell is hooked via the registry to ensure the threat is run at system startup.

May 14, 2007: 1:45 pm

How do you get on myspace like nobody knows how to get on there. So please help me!!!

Thanxs
Allison
