IRC Security
  Unfortunately not everyone uses IRC to chat, make friends and generally have a good time.

There are some lamers out there who are eager to take advantage of you, so be careful. Remember:

  • NEVER download files (by DCC, WWW, FTP, or other ways) from a person or a web site that you are not familiar with.
  • NEVER run any programs that you don't know.
  • NEVER load scripts before reading and understanding them.
  • NEVER give passwords, logins, etc. to unknown persons.
  • NEVER give your home address or phone number.
  • NEVER trust anybody.

    Script.ini

    This was the first Trojan horse attack script.
    Newer versions of mIRC have solved this problem.
    If you are using an older version of mIRC, all you have to do is unload script.ini and delete it from the mIRC root directory.

    Dmsetup.exe

    Dmsetup.exe is a file which, if you are silly enough to run it, copies itself to several places on your hard disk, creates its own mirc.ini and associated script, and adds to a system file to ensure it cannot be purged easily.

    This file affects at least mIRC version 5.11 and over, so unlike the original script.ini attack, upgrading is not the solution.

    WHAT IS THE CURE?
    To fix this problem, there are 2 main scenarios, depending on whether you have mIRC in the C drive or not.

    IF YOU HAVE MIRC INSTALLED ON YOUR C: DRIVE

    1. Unload mircrem.ini
    2. Open c:\autoexec.bat with notepad and remove the dmsetup line, then save and exit.
    3. Delete the following
       c:\dmsetup.exe
       c:\configg.sys
       c:\mirc\dmsetup.exe
       c:\mirc\mircrem.ini
       c:\mirc\backup0412.ini
       c:\windows\dmsetup.exe
       c:\progra~1\dmsetup.exe

    IF YOU DO NOT HAVE MIRC INSTALLED ON YOUR C: DRIVE
    Recommended course of action

    1. Open c:\autoexec.bat with notepad and remove the dmsetup line, then save and exit.
    2. Delete the following
       c:\dmsetup.exe
       c:\configg.sys
       c:\mirc
       c:\windows\dmsetup.exe
       c:\progra~1\dmsetup.exe
    If this is too complicated for you, or if all else fails, you may choose to try downloading this command file: dmfix.com

    Winhelper.exe

    Many mIRC users have suffered from channel takeovers as the result of a new trojan horse program (a file that pretends to be something good when it's really not).

    When you attempt to run winhelper.exe it is designed to give an error message or appear to have been a failed transfer, while actually altering win.ini and writing 2 other files.
    You probably assume the transfer corrupted the file and either throw the original away or just give up on it.
    However by this time the damage has been done.

    Once infected, the client can be forced to do any or all of the following:

    1. Invite an evil-doer to any channel where you are an operator,
    2. Mass deop all the other ops
    3. Op the evil-doer
    4. Deop or quit IRC yourself
    These result in a de facto takeover which does not require much server-hacking skill.

    WHAT IS THE CURE?
    To fix this problem:

    1. Remove the file winhelper.exe,
    2. Remove C:\mIRC.ini
    3. Delete a line from win.ini that references winhelper.exe... something about running C:\windows\system\winhelper.exe.

    MSchv32.exe

    When you run this trojan, it will copy itself to c:\windows\system\MSchv32.exe.
    Then it will modify the Windows registry. This makes the program run each time you run Windows.

    Check?
    To see if you are infected with MSchv32.exe trojan, press ctrl-alt-del to open up the "Close Program" window. It will show a list of programs that you are running. Search for a program called MSchv32.exe.
    If it exists, you are infected.

    WHAT IS THE CURE?

  • Press ctrl-alt-del to open up the "Close Program" window. Select the program called MSchv32.exe and click "End Task". Wait about 10 seconds, and Windows will ask you to confirm closing the program. Press "End Task".
  • Delete the file C:\windows\system\MSchv32.exe. (Using your Explorer or DOS)
  • Go to Start Menu -> Run. Type "regedit.exe".
    It would be wise to back up the registry first:
    click Registry Menu -> Export Registry File. File name: C:\windows\BackupRegistry.reg
    Export Range: All
    Then press OK to save.
  • Follow the path: HKEY_USERS -> .DEFAULT -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
    You will see a key that contains the data "C:\windows\system\MSchv32.exe". Select it and press Delete, then click "Yes" to confirm.
  • Run your mIRC client and press Alt-R. Go to the View menu and see if you can find a file called script.ini. If you have it, select it. Press Find Text and enter "opshit". If you find the word "opshit", look at the filename under the text box. Remember the path and filename, for example C:\script.ini or C:\mirc\script.ini. Then go to the File menu and press Unload.
  • Press OK to return to the mIRC client.
    In any window, type /remove c:\script.ini, or the path you found in the previous step.

    I am sure that there are quite a lot of Trojan horse attacks on IRC. If you know of any, please let me know.
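
    The file and text-file checks from the cures above, gathered into one scan over a copied or mounted C: drive. This is an added example, not part of the original page; the function names, the assumption that win.ini sits in c:\windows, and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Files the page tells you to delete, as DOS paths relative to C:\ (from the page).
ARTIFACTS = [
    r"dmsetup.exe", r"configg.sys", r"mIRC.ini", r"mirc\dmsetup.exe",
    r"mirc\mircrem.ini", r"mirc\backup0412.ini", r"windows\dmsetup.exe",
    r"progra~1\dmsetup.exe", r"windows\system\winhelper.exe",
    r"windows\system\MSchv32.exe",
]
# Text files the page says get altered, and the string to look for in each.
# Assumption: win.ini is in c:\windows; script.ini paths are the page's two examples.
TEXT_MARKERS = [
    (r"autoexec.bat", "dmsetup"), (r"windows\win.ini", "winhelper.exe"),
    (r"script.ini", "opshit"), (r"mirc\script.ini", "opshit"),
]

def resolve(root, dos_path):
    """Map a DOS path onto a file under root, ignoring case as FAT does."""
    current = root
    for part in dos_path.split("\\"):
        names = os.listdir(current) if os.path.isdir(current) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None

def scan(root):
    """Return findings for a copied or mounted C: drive rooted at `root`."""
    findings = [f"file present: {rel}" for rel in ARTIFACTS if resolve(root, rel)]
    for rel, marker in TEXT_MARKERS:
        path = resolve(root, rel)
        if path is None:
            continue
        with open(path, encoding="latin-1") as fh:
            for lineno, line in enumerate(fh, 1):
                if marker.lower() in line.lower():
                    findings.append(f"{rel}:{lineno}: {line.strip()}")
    return findings

def build_sample(root):
    """Constructed sample tree: empty stand-in files and marker lines only."""
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
    for parts in (("DMSETUP.EXE",), ("WINDOWS", "SYSTEM", "mschv32.exe")):
        open(os.path.join(root, *parts), "w").close()
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@echo off\nc:\\dmsetup.exe\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(scan(tmp)))
```

    The MSchv32.exe registry Run entry is not covered by this scan; check it with regedit as described above.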
    Bad conduct soils the finest ornament more than filth.

    Plautus (B.C. 254-184)