TrojanInfo.com

Any mIRC virus removal can be split into 3 parts:

1) Identifying which virus
2) Removing the virus
3) Educating the user so they don't get re-infected.

Below is the easiest virus removal you can do.

[13:33] *** Joins: Infectee (~ber@XXX-XXX-XXX-XXX-XXX.nsw.bigpond.net.au)

------------------- 1st Part START -------------------

The user joins and asks for help; the purpose of this part is to identify whether they have a virus and, if they do, which one.

[13:33] (Infectee) Help me, I'm infected
[13:33] (Helper) Why do you think you're infected?
[13:33] (Infectee) Everyone kicks me for spamming
[13:34] (Helper) I'm going to get you to type some commands into your mIRC, type them in this window. Do you understand?
[13:34] (Infectee) yes
[13:34] (Helper) type //!say $script(0)
[13:34] (Infectee) 1
[13:34] (Helper) type //!say $script(1)
[13:34] (Infectee) Ä

------------------- 1st Part END -------------------

Ä is a common file name for a //decode worm. It spreads when users type a //decode command that promises to hack the channel and get them ops; the file must be unloaded and removed.

------------------- 2nd Part START -------------------

First stop all remotes; this stops the virus message spreading any further. /whois the user and, if they are in other channels, get them to part all except #nohack. Then proceed to remove the virus file.

[13:35] (Helper) type //!remote off ... and tell me what it says
[13:35] (Infectee) *** Remote is OFF
[13:35] (Helper) ok we need to remove that file
[13:35] (Infectee) How?
[13:36] (Helper) type //!unload -rs $chr(196) .... then tell me what it says.
[13:37] (Infectee) *** Unloaded script 'Ä'
[13:36] (Helper) type //!remove $chr(196) .... then tell me what it says.
[13:36] (Infectee) *** Removed 'c:\mirc\Ä'
[13:36] (Helper) ok
[13:36] (Helper) type //!remote on .... then tell me what it says.
[13:36] (Infectee) *** Remote is ON (Ctcps,Events,Raw)

------------------- 2nd Part END -------------------

The virus has been successfully removed.
If this was a long process or the user seems not to understand, check that the script has been unloaded and the file removed; this can be done with the $script(0) and $exists() identifiers.

------------------- 3rd Part START -------------------

Now the user is clean, explain how they got the virus and how to prevent it in the future. You don't want this person coming back in 1 hour with the same virus.

[13:38] (Helper) ok you are clean from that virus now. you got your virus by typing a //decode command
[13:38] (Helper) In future NEVER type any commands people tell you to ok?
[13:38] (Infectee) ok thank you
[13:38] *** Parts: Infectee (~ber@XXX-XXX-XXX-XXX-XXX.nsw.bigpond.net.au)

------------------- 3rd Part END -------------------

Wait until the next user comes along :p

Below is a server.ini removal that involves other files.

[14:12] *** Joins: Infectee (~ber@XXX-XXX-XXX-XXX-XXX.nsw.bigpond.net.au)

------------------- 1st Part START -------------------

The user joins and asks for help; the purpose of this part is to identify whether they have a virus and, if they do, which one.

[14:12] (Infectee) hi I'm spamming some site
[14:12] (Helper) hello
[14:13] (Helper) I'm going to get you to type some commands into your mIRC, type them in this window. Do you understand?
[14:13] (Infectee) yes
[14:13] (Helper) type //!say $script(0)
[14:13] (Infectee) 3
[14:13] (Helper) type //!say $script(1)
[14:14] (Infectee) c:\mirc\system\protection.mrc
[14:14] (Helper) type //!say $script(2)
[14:14] (Infectee) c:\mirc\system\theme.mrc
[14:14] (Helper) type //!say $script(3)
[14:14] (Infectee) c:\mirc\server.ini
[14:14] (Helper) ok

------------------- 1st Part END -------------------

The first two script files were in \system\; it is very uncommon for viruses to be in subdirectories, and these names don't look like typical virus names. However server.ini is a common virus name.
It is caught by visiting a website that contains JavaScript which exploits IE bugs and writes to the hard drive.
server.ini is installed and loaded into every mIRC on the C:\ drive, so all copies must be located and fixed.

------------------- 2nd Part START -------------------

First stop all remotes; this stops the virus message spreading any further. /whois the user and, if they are in other channels, get them to part all except #nohack. Then proceed to remove the virus file.

[14:14] (Helper) type //!remote off .... and tell me what it says
[14:15] (Infectee) *** Remote is OFF
[14:15] (Helper) ok type //!unload -rs server.ini
[14:15] (Helper) ok type //!unload -rs server.ini ... and tell me what it says
[14:15] (Infectee) *** Unloaded script 'server.ini'
[14:15] (Helper) type //!remove server.ini
[14:16] (Infectee) *** Removed 'c:\mirc\server.ini'
[14:16] (Helper) type //!say $findfile(c:,server.ini,0)
[14:16] (Infectee) 2
[14:16] (Helper) type //!say $findfile(c:,server.ini,1)
[14:16] (Infectee) c:\games\Captcomando\server.ini
[14:16] (Helper) type //!say $findfile(c:,server.ini,2)
[14:16] (Infectee) c:\program files\mirc\server.ini
[14:17] (Helper) do you have more than one mIRC open now?
[14:17] (Infectee) no
[14:17] (Helper) type //!remove $shortfn(c:\program files\mirc\server.ini) ... and tell me what it says
[14:18] (Infectee) *** Removed c:\program files\mirc\server.ini
[14:18] (Helper) ok
[14:18] (Helper) type //!say $exists(server.ini)
[14:18] (Infectee) $false

------------------- 2nd Part END -------------------

The virus has been successfully removed.
We identified it as server.ini and located one other copy of it.
Note: we found two, but one appeared to be inside a game; DO NOT remove that file,
as it is probably needed for the game to run.

Since server.ini infects every copy of mIRC on the system, the file needs to be removed from the other directories too.
Note: if the other mIRC is open it should be closed before removing the server.ini
from that directory, otherwise it will not be removed properly (unless /unload -rs server.ini is typed in both mIRCs).

You might notice the use of the $shortfn() identifier: this allows other versions of mIRC to handle spaces in directory names (i.e. \program files\).

Finally we check that the file was removed using the $exists() identifier.
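The checks done by hand in the transcripts above (walking $script(N) for suspect names, searching the drive with $findfile() for further copies, and confirming with $exists()) can be wrapped in one helper-side alias. This is an added example, not a script from TrojanInfo.com; the list of suspect file names is an assumption taken from this page, and the alias only reports, leaving /unload and /remove to be typed as shown above.

```mirc
; Added example, not a script from TrojanInfo.com. Report-only helper alias
; for the checks this page performs by hand; removal is still done by hand.
; Usage:  /scriptaudit            (list loaded scripts, flag suspect names)
;         /scriptaudit server.ini (also search c:\ for copies of that file)
alias scriptaudit {
  var %i = 1, %n = $script(0)
  echo -a Loaded scripts: %n
  while (%i <= %n) {
    var %f = $script(%i)
    ; names this page associates with worms (assumption: extend the list as needed)
    if ($istok($chr(196) server.ini script.ini links.vbs, $nopath(%f), 32)) {
      echo -a SUSPECT: %f - unload with /unload -rs then /remove, as in the transcripts
    }
    else {
      echo -a ok: %f
    }
    inc %i
  }
  if (!$1) { return }
  ; whole-drive search for copies, the same $findfile(c:\,name,N) walk used above
  var %c = $findfile(c:\,$1,0), %j = 1
  echo -a Copies of $1 on c:\ : %c
  while (%j <= %c) {
    var %p = $findfile(c:\,$1,%j)
    ; a copy under a mIRC folder is another infected client; a copy elsewhere
    ; (e.g. inside a game directory) may be a legitimate data file, so only report it
    if (mirc isin %p) {
      echo -a   mIRC copy (close that mIRC first, then /remove): $shortfn(%p)
    }
    else {
      echo -a   non-mIRC copy, verify before touching: %p
    }
    inc %j
  }
  ; final check, as in the transcript: $false means no copy in this mIRC's directory
  echo -a $1 still in this mIRC directory: $exists($1)
}
```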

------------------- 3rd Part START -------------------

Now the user is clean, explain how they got the virus and how to prevent it in the future. All users running IE 5.0 / 5.5 and 6.0 need to upgrade to the latest patch, as all are vulnerable to this bug.

[14:18] (Helper) ok you're now clean, but....
[14:18] (Helper) you need to go to http://www.windowsupdate.com and get all critical patches for your Internet Explorer.
[14:19] (Helper) You got your virus from viewing a porn website, and if you don't get a fix you might get this virus again.
[14:19] (Infectee) ok
[14:19] (Helper) now type /remote on
[14:19] (Helper) and you can go update your machine
[14:19] (Infectee) ok thanks
[14:19] *** Parts: Infectee (~ber@XXX-XXX-XXX-XXX-XXX.nsw.bigpond.net.au)

Below is a more complicated virus removal.

[14:48] *** Joins: Infectee (~ber@XXX-XXX-XXX-XXX-XXX.nsw.bigpond.net.au)

------------------- 1st Part START -------------------

The user joins and asks for help; the purpose of this part is to identify whether they have a virus and, if they do, which one.

[14:48] Help me!
[14:48] What's the problem
[14:48] I have a virus
[14:48] Why do you think you have one?
[14:48] People say I'm sending virus files
[14:49] what's the name?
[14:49] I don't know
*** Cycled channel testing for DCC sends ***
[14:49] ok you have links.vbs virus
[14:50] yes that's it
[14:50] Please remove it!
[14:50] ok

------------------- 1st Part END -------------------

The user was automatically sending a file via DCC; the file name was links.vbs, which is a common virus name. DALnet now blocks .vbs files, but not all networks are doing this.

------------------- 2nd Part START -------------------

First stop all remotes; this stops the virus message spreading any further. /whois the user and, if they are in other channels, get them to part all except #nohack. Then proceed to remove the virus files.

[14:50] I'm going to get you to type some commands into your mIRC, type them in this window. Do you understand?
[14:50] yes yes just remove it
[14:50] type //!remote off .... and tell me what it says
[14:50] *** Remote is OFF
[14:51] type //!unload -rs script.ini
[14:51] ** unloaded
[14:51] type //!say $findfile(c:\,links.vbs,0)
[14:51] 2
[14:51] type //!say $findfile(c:\,links.vbs,1)
[14:51] c:\windows\links.vbs
[14:51] type //!say $findfile(c:\,links.vbs,2)
[14:51] c:\windows\system\links.vbs
[14:52] ok
[14:52] type //!remove c:\windows\links.vbs ... and tell me what it says
[14:52] *** removed
[14:52] type //!remove c:\windows\system\links.vbs ... and tell me what it says
[14:52] *** removed
[14:52] type //!remove $shortfn(c:\windows\start menu\programs\startup\rundll.vbs
[14:53] *** removed
[14:53] FinisheD?
[14:53] no
[14:53] type //!remove c:\short.com
[14:53] *** removed
[14:53] okaies type //!remote on
[14:53] done

------------------- 2nd Part END -------------------

The virus has been successfully removed from the hard drive. links.vbs also has a registry entry that should be removed, which I have not gone into here.

Notice the use of $shortfn() again for directories with spaces.

------------------- 3rd Part START -------------------

Now the user is clean, explain how they got the virus and how to prevent it in the future.

[14:54] You are now clean. You got your virus by either accepting a file on IRC or opening an attachment in your email.
[14:54] NEVER accept files or emails from people you don't know. With emails, even if you know the person, don't open it unless you ring them and find out if they sent it.
[14:54] ok?
[14:54] ok thank you
[14:54] *** Parts: Infectee (~ber@XXX-XXX-XXX-XXX-XXX.nsw.bigpond.net.au)