Dealing with mIRC Script Worms (SCRIPT.INI) and mIRC Trojans


[The RIMC Project]   [RIMC ITW Statistics/Hot List]
[ Infected?]   [ How to protect from scripts]   [How to remove scripts ]
[The DMSetup Worm/Trojan]   [JeepWarz Analysis]


A Virus or Trojan via IRC?

There's currently a threat that you should be aware of -if you use the mIRC program- to chat over the Internet. mIRC is a popular program used to access the IRC (Internet relay Chat). mIRC supports a script language that is interpreted by the mIRC program; the mIRC scripts and can be sent as files from one user to another. This script language can automatically execute commands and can perform specific commands triggered on predefined words that someone types during the chat.

Beside that, if your IRC client is able to receive files there is the possibility that someone send you a Trojan via IRC (or E-mail or ICQ etc.). A very popular Trojan is DMSetup. This Trojan installs itself and manipulates mIRC in that way that copies of this Trojan are send out using the mIRC script language.

There are currently a number of worms that can be spread to your PC. We define these as worms not as viruses since they do not modify existing programs on your PC but rather simply transfer themselves from PC to PC.  The worms travel via a file named SCRIPT.INI that must be transferred into the mIRC program directory in order to execute. Versions of the mIRC program prior to version 5.3 will transfer a downloaded SCRIPT.INI file into the same directory with the mIRC program. This allows the SCRIPT .INI file to automatically be executed. (This serious flaw was promptly fixed by the author with version 5.3 where all downloads go into a separate download directory by default.)

The worm is very simple. It is based on the assumption that when mIRC (versions before 5.3) is first installed on a computer, it by default is set up to load a script called SCRIPT.INI in the mIRC directory. When mIRC is first set up, there is no SCRIPT.INI file, so nothing happens. However, if somebody sends you a SCRIPT.INI file, and you save it into your mIRC directory, then the next time you run mIRC, it will follow its default behaviour of loading SCRIPT.INI If the SCRIPT.INI happens to contain malicious code, it will be executed by mIRC!

How does you become "infected" with the SCRIPT.INI worm? You will get infected when somebody sends a SCRIPT.INI file via DCC (Direct Client-to-client Connection; a way of transferring files and conducting chats, bypassing the IRC network.) You can only be infected if you accept the DCC request! However, many people will go ahead and accept the file without knowing what it is. Worse, some people will have turned on a feature in mIRC called Auto Get; this will cause mIRC to automatically accept any DCC request! Once the SCRIPT.INI is in your mIRC directory, it will be loaded by mIRC the next time it is started. The script will then perform whatever functions it was programmed to perform (which will be discussed later).


What the worm does

There are several variants of this worm, all of which do different things. Some variants will send all your channel and private messages to a certain channel or person. This compromises both your privacy and security. It will allow people to listen in on your conversations, and even get secret passwords that you might be /MSG´ing. Some will listen in for trigger words that will allow somebody to take control of your mIRC client; and through you take over your channels! Most versions will send themselves to other people via DCC, without your knowledge! Some versions will even go so far as to damage the files on your computer, and even tamper with your Windows system files! Finally, the more advanced versions will override some of mIRC internal commands in an attempt to prevent you from removing them.


How to tell if you're infected?

The most obvious sign that you are infected with the SCRIPT.INI worm is that there is a SCRIPT.INI file in your mIRC directory. However, this is not a telltale sign. The SCRIPT.INI file could be harmless. The only way to tell for sure is to look at the file and see if it contains malicious code (if you have any code reading skills.) However, if you're not sure, the safest thing to do is to simply delete it.

It is also conceivably possible for a script other than SCRIPT.INI to be a worm. Don't assume that you're not infected because there is no SCRIPT.INI file. Also, don't assume that you are if you do see one.

Another way to tell if you are infected is if somebody tells you that you're sending a SCRIPT.INI file to him or her, and you know for certain that you're not. This worm will spread itself by DCC sending itself to other people without your knowledge.

Some variants of this script will echo all your channel and private messages to a certain channel or person, so you may see a bunch of error messages saying something to the effect of "can't send to channel" or "can't send to nick". This is another sign that you're infected.


How to remove the worm

First of all, don't try to remove the worm from within mIRC. It's much safer, and more effective, to remove it externally. If mIRC is up and running, shut it down.

The first thing to do is to look at the folder containing mIRC and look at the SCRIPT.INI file. Open it up in the Notepad and examine it for any code that DCC sends the script to other people, or sends MSG to people or channels with the text you type, or anything else suspicious. If you're not familiar with mIRC scripting, simply delete the file.

You should also examine other .INI files for similar code. If you're not sure what files are scripts, open up the MIRC.INI file and look for a section called [rfiles]. This section will contain a list of all scripts loaded by mIRC. If in doubt, delete them all. You're playing with fire if you're using any script without knowing what it does.

Another file to check is ALIASES.INI. Check it for any aliases that try to override internal commands, particularly overridden commands that would allow you to remove the worm. If in doubt, delete this file also. You'll lose any aliases that you've defined, but this will ensure that no aliases created by the worm are left behind.

Once you start up mIRC again, all scripts should be cleared (unless you've left some behind that you've checked and found clean). To be sure, press ALT+R to bring up the remote script window, and then open the View menu. This will list any scripts that are opened by mIRC. Either the list will be empty (unless, as stated above, you deliberately left some behind), or any scripts that are in the list will be blank when you select them. Also look at the Aliases tab; it should contain no aliases, unless you manually checked it and found it clean, rather than simply delete it.

Several web sites covering this topic go through a song-and-dance routine, giving you a string of commands to remove the virus. This procedure is (in my expert opinion) not as secure (or as simple) as simply going through and deleting any suspicious files. If the file's not there, it can't do anything to you!

A final note; if you think you've been infected, I would appreciate it if you e-mail me a copy of it before you delete it; I would like to analyze the various versions of these scripts. PGP keys are available from PGP key servers as well as you can find them in the file "ROSEBBS.TXT" (included in ROSE SWE distributions).
 


How to protect yourself

Here are some simple steps to take to protect you from the worm:


The DMSetup Trojan/Worm

What is DMSetup?

The "DMSetup.exe" file is a worm which passes itself from one mIRC user's computer to the next by infecting the MIRC.INI file and other files in their computers. It does this by changing mIRC remote scripts and thereby sending itself to anyone joining the channel the infected mIRC user is in. This is done with the IRC file transfer protocol DCC. You should be suspicious of any file you are sent with a .Exe extension. The chances are it is "DMSetup.exe" which has been renamed or some other kind of malware.

The original DMSetup worm uses the filename "DMSetup.exe". There are a lot of different filenames being used by the DMSetup.B-H worms to circulate the "DMSetup.exe" worm. This newer variants change their own name with every infection. Names for DMSetup2.exe are any two of these words joined together with .Exe and/or .INI :

buny love sex toe pee inst god fun ICQ IRC
mIRC powr jnk nuke udp lim set cfg hell pusy
tit dik 69 101 yes arm 311 bud fuck eat

So BunyLove.exe, BunySex.exe, LoveBuny.exe, LoveSex.exe, SexBuny.exe and SexLove.exe are all possible etc.

In this document the worm will only be referred to as DMSetup. This worms are between 40 and 90 KB. Their length vary, because sometimes the file is cutted by a broken connection. Nevertheless those truncated files are still executable, because the main worm is only about 35 KB long, the rest is appended trash to make him survive better!

RHBVS & VSP currently scans the DMSetup worms as DMSetup.??? Trojan

Indications of infections

There are some obvious clues.
 

When you run a file containing DMSetup.A, the file will...
 


The new MIRC.INI installed by DMSetup.exe will
 


In rare cases, if the DMSetup worm can't install properly it will do a rather destructive action. It will show a display of multicoloured rings and circles in a screen saver like fashion. While it does this, it fills the hard disk with directories that have garbage names and are difficult to remove again

How do I remove DMSetup from my PC?

Unload mircrem.ini by typing /UNLOAD -RS MIRCREM.INI in any mIRC- window. Open C:\AUTOEXEC.BAT and remove the DMSetup line - save and exit. Delete the following files:

    C:\DMSETUP.EXE
    C:\CONFIGG.SYS

    Assuming, you have installed mIRC into C:\MIRC
    C:\MIRC\DMSETUP.EXE
    C:\MIRC\MIRCREM.INI
    C:\MIRC\BACKUP0412.INI

    C:\WINDOWS\DMSETUP.EXE
    C:\PROGRAM FILES\DMSETUP.EXE
    C:\MIRC.INI


mIRC Worm analysis - "JeepWarz"

This is an analysis of "JeepWarz", one of the mIRC SCRIPT.INI worms. This analysis comes from analyzing the script code, but "live testing" (taking an infected client online; isolated in a private room, for safety; for testing.) has not been carried out yet. JeepWarz is named after the name of the channel that it sends all console inputs to.

This script is apparently disguised as a script that does some useful functions. The script is the most ingenious one I've seen yet; it actually performs a few useful functions, but buried within some of them is security compromising code. The code is hidden by being located starting well past the 300th column in the file, so it can't be seen unless you scroll a long distance horizontally.

The worm performs the following functions

Final analysis: This worm is quite capable of compromising security. It sends all input that the user types to a hidden channel, possibly transmitting passwords and private information to (presumably) the people that created the script.


The ROSE IRC Malware Collector - RIMC

The RIMC is a set of scripts and tools that try to download from IRC malware (viruses, Trojans and script worms). RIMC consists of a IRC robot, some DOS batches, AWK scripts and a few self written tools. RIMC has logging and statistics functions as well as it will warn users that are infected.  The used scanner is ROSE SWE's Heuristic Based Virus Scanner (RHBVS) which was enhanced for this task.

RIMC is a kind of "honey-pot" - RIMC was written to get an overview what malware is in the wild (ITW) and what the most common send malware is. To see and download a complete statistic produced by RIMC click here or on the graphic. Parts of the statistic tools are available via the RHBVS package  (see section Download). Here's a cumulated statistic produced by RIMC and the RIMCSTAT package.


The RIMC "Hot List"

This is the top occurrence of malware on IRC in the year 2002

The RIMC Top Malware

 

This web page requires Java Script! None of the materials from this site may be reproduced without prior consent of the copyright owner.
Document $Id: f_mirc.htm,v 1.19 2015/12/27 12:36:48 ralph Exp $