A variant of the Oscarbot worm, namely Oscarbot.KD, is the first malware to exploit the MS06-040 vulnerability. Microsoft released the security patch for this vulnerability last week.

The worm was detected yesterday. Its main characteristics are:

- File name: wgareg.exe or wgavm.exe.
- File size: 9,609 bytes (wgareg.exe) or 9,374 bytes (wgavm.exe).
- It is packed with Mew, and its code is encrypted using a 1-byte XOR mask.

Oscarbot.KD spreads through shared network resources and instant messaging programs, and by exploiting vulnerabilities.

It creates a service called wgareg, in order to pass itself off as the Windows Genuine Advantage Registration Service. Once the worm is run, it waits for remote control commands, received via IRC.
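For analysts triaging a sample, the 1-byte XOR mask mentioned in the characteristics above can be recovered by trying all 256 values and looking for known plaintext. The following is an added example, not code from the original advisory: the IRC keywords used as cribs are an assumption based on the IRC control channel described above, and the sample buffer and key are constructed.

```python
"""Recover a 1-byte XOR mask from a buffer using known-plaintext cribs."""

# Assumption: IRC protocol keywords serve as cribs because the bot is
# controlled over IRC; the worm's real strings are not given on the page.
CRIBS = (b"PRIVMSG", b"JOIN", b"NICK", b"USER")

def xor_mask(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR mask (the same call encodes and decodes)."""
    return bytes(b ^ key for b in data)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, NUL or whitespace."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (0, 9, 10, 13))
    return ok / len(data) if data else 0.0

def recover_key(blob: bytes, cribs=CRIBS):
    """Try all 256 masks; rank by crib hits, then by printable ratio.

    Returns (key, decoded), or None when no mask exposes any crib."""
    best = None
    for key in range(256):
        decoded = xor_mask(blob, key)
        hits = sum(decoded.count(c) for c in cribs)
        if hits == 0:
            continue  # no known plaintext under this mask
        score = (hits, printable_ratio(decoded))
        if best is None or score > best[0]:
            best = (score, key, decoded)
    return None if best is None else (best[1], best[2])

# Constructed sample: a made-up string table masked with a made-up key.
SAMPLE_PLAIN = b"NICK bot01\r\nUSER bot 0 0 :x\r\nJOIN #chan\r\nPRIVMSG #chan :ready\r\n"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_mask(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_key(SAMPLE_BLOB)
    if result is None:
        print("no candidate key found")
    else:
        key, decoded = result
        print(f"key=0x{key:02x}")
        print(decoded.decode("ascii", errors="replace"))
```

Because the file is also packed with Mew, this step applies to the unpacked image or a memory dump, not to the file as it sits on disk.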