Unfortunately not everyone uses IRC to chat, make friends and generally have a good time.
There are some lamers out there who are eager to take advantage of you, so be careful. Remember
NEVER download files (by DCC, WWW, FTP, or other ways) from a person or a web site that you are not familiar with.
NEVER run any programs that you don't know.
NEVER load scripts before reading and understanding them.
NEVER give passwords, logins etc to unknown persons.
NEVER give your home address or Phone number.
NEVER trust anybody.
Script.ini
This was the first Trojan horse attack script.
Newer versions of mIRC have solved this problem.
If you are using an older version of mIRC, all you have to do is unload script.ini and delete it from the mIRC root directory.
Dmsetup.exe
Dmsetup.exe is a file which, if you are silly enough to run it, copies itself to several places on your hard disk, makes its own mirc.ini and associated script, and adds a line to a system file to ensure it cannot be purged easily.
This file affects at least mIRC version 5.11 and later, so unlike the original script.ini attack, upgrading is not the solution.
WHAT IS THE CURE?
To fix this problem, there are 2 main scenarios, depending on whether you have mIRC in the C drive or not.
IF YOU HAVE MIRC INSTALLED ON YOUR C: DRIVE
- Unload mircrem.ini
- Open c:\autoexec.bat with Notepad, remove the dmsetup line, then save and exit
- Delete the following
c:\dmsetup.exe
c:\configg.sys
c:\mirc\dmsetup.exe
c:\mirc\mircrem.ini
c:\mirc\backup0412.ini
c:\windows\dmsetup.exe
c:\progra~1\dmsetup.exe
IF YOU DO NOT HAVE MIRC INSTALLED ON YOUR C: DRIVE
Recommended course of action
- Open c:\autoexec.bat with Notepad, remove the dmsetup line, then save and exit.
- Delete the following
c:\dmsetup.exe
c:\configg.sys
c:\mirc
c:\windows\dmsetup.exe
c:\progra~1\dmsetup.exe
If this is too complicated for you, or if all else fails you may choose to try downloading this command file: dmfix.com
Winhelper.exe
Many users of mIRC have suffered from channel takeovers as the result of a new trojan horse program (a file that pretends to be something good when it's really not).
When you attempt to run winhelper.exe it is designed to give an error message or appear to have been a failed transfer, while actually altering win.ini and writing 2 other files.
You probably assume the transfer corrupted the file and either throw the original away or just give up on it.
However by this time the damage has been done.
Once infected, the client can be forced to do any or all of the following:
- Invite an evil-doer to any channel where you are an operator,
- Mass deop all the other ops
- Op the evil-doer
- Deop or quit IRC yourself
These result in a de facto takeover which does not require much server hacking skill.
WHAT IS THE CURE?
To fix this problem:
- Remove the file winhelper.exe
- Remove C:\mIRC.ini
- Delete the line in win.ini that references winhelper.exe (the one that runs C:\windows\system\winhelper.exe).
MSchv32.exe
When you run this trojan, it copies itself to c:\windows\system\MSchv32.exe and then modifies the Windows registry so that the program runs each time Windows starts.
HOW TO CHECK
To see if you are infected with the MSchv32.exe trojan, press Ctrl-Alt-Del to open the "Close Program" window. It shows a list of the programs you are running. Search for a program called MSchv32.exe. If it exists, you are infected.
WHAT IS THE CURE?
- Press Ctrl-Alt-Del to open the "Close Program" window. Select the program called MSchv32.exe and click "End Task". Wait about 10 seconds; Windows will ask you to confirm closing the program. Press "End Task".
- Delete the file C:\windows\system\MSchv32.exe (using Explorer or DOS).
- Go to Start Menu > Run and type "regedit.exe".
- It would be wise to back up the registry first: click Registry Menu > Export Registry File, set File name to C:\windows\BackupRegistry.reg and Export Range to All, then press OK to save.
- Follow the path HKEY_USERS > .DEFAULT > Software > Microsoft > Windows > CurrentVersion > Run.
- You will see an entry whose data is "C:\windows\system\MSchv32.exe". Select it, press Delete and click "Yes" to confirm.
- Run your mIRC client and press Alt-R. Go to the View menu and see if you can find a file called script.ini. If you have it, select it, press Find Text and enter "opshit". If you find the word "opshit", look at the filename under the text box and remember the path and filename (for example C:\script.ini or C:\mirc\script.ini). Then go to the File menu and press Unload.
- Press OK to return to the mIRC client.
- In any window, type /remove c:\script.ini (or the path you found in the previous step).
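Added example, not from the original page: a small Python checker for the indicators this page walks through by hand, scanning the text of win.ini, autoexec.bat, a mIRC script file and a .reg file exported from regedit as described above. The file contents and the "SystemTray" value are constructed samples; the patterns and the Run key path come from the page.

```python
import re
# Indicators named on the page, keyed by the file the page tells you to inspect.
INDICATORS = {
    "win.ini":      [("winhelper.exe run line", re.compile(r"winhelper\.exe", re.I))],
    "autoexec.bat": [("dmsetup startup line", re.compile(r"dmsetup", re.I))],
    "script.ini":   [("'opshit' takeover script", re.compile(r"\bopshit\b", re.I))],
}
# The Run key the page walks through in regedit, as it appears in an exported .reg file.
RUN_KEY = r"[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"
TROJAN_EXE = re.compile(r"MSchv32\.exe", re.I)

def scan_text(kind, text):
    """Return (line_no, description, line) for every line matching an indicator."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for desc, pat in INDICATORS.get(kind, []):
            if pat.search(line):
                hits.append((no, desc, line.strip()))
    return hits

def run_entries_from_reg(reg_text):
    """Parse an exported .reg file; return {name: data} for string values under RUN_KEY."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a [key] header starts a new section
            in_run = line.lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^(@|"[^"]*")="(.*)"$', line) if in_run else None
        if m:                               # REG_SZ line: "name"="data", backslashes doubled
            entries[m.group(1).strip('"')] = m.group(2).replace("\\\\", "\\")
    return entries

def suspicious_run_entries(reg_text):
    """Run entries whose data points at MSchv32.exe, the indicator the page names."""
    return {n: d for n, d in run_entries_from_reg(reg_text).items() if TROJAN_EXE.search(d)}

# Constructed sample file contents (not real captures) to exercise the checks.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\windows\\system\\winhelper.exe\n"
SAMPLE_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS\n@C:\\dmsetup.exe\n"
SAMPLE_SCRIPT_INI = "[script]\nn0=opshit\n"
SAMPLE_REG = ("REGEDIT4\n\n" + RUN_KEY + "\n"
              '"SystemTray"="SysTray.Exe"\n'
              '"MSchv32"="C:\\\\windows\\\\system\\\\MSchv32.exe"\n')
if __name__ == "__main__":
    for kind, text in [("win.ini", SAMPLE_WIN_INI), ("autoexec.bat", SAMPLE_AUTOEXEC),
                       ("script.ini", SAMPLE_SCRIPT_INI)]:
        for no, desc, line in scan_text(kind, text):
            print(f"{kind}:{no}: {desc}: {line}")
    for name, data in suspicious_run_entries(SAMPLE_REG).items():
        print(f"registry Run entry {name} -> {data}")
```

On a real machine, read the actual files (and a fresh regedit export) into the same functions; an empty result for every check means none of the page's indicators is present.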
I am sure that there are quite a lot of Trojan horse attacks on IRC. If you know of any, please let me know.