IRC-Worm.MrWormy.119 Viruses Information

Name: IRC-Worm.MrWormy.119
Category: Viruses
Description: Details
IRC-Worm.MrWormy.1198

This is a harmless encrypted parasitic virus-worm that spreads via mIRC and PIRCH chat channels. To install itself into the system, the virus patches chat-client scripts and creates the infected DOS COM file MYPIC.COM in the WINDOWS directory with the Hidden and Read-only attributes set. The infected chat clients then send this infected file to the chat channels.
To infect chat clients, the virus first checks and creates the EVENTS.INI file in the PIRCH98 directory. The new EVENTS.INI sends the infected file C:\WINDOWS\MYPIC.COM when a user enters the IRC channel.
If the PIRCH client is not found, the virus attacks the mIRC client. It checks and creates the SCRIPT.INI file in the MIRC directory. The new SCRIPT.INI sends the files C:\WINDOWS\MYPIC.COM and C:\MIRC\MIRC.INI to the channel.
The virus then appends to the end of the C:\AUTOEXEC.BAT file an instruction that activates the virus dropper C:\WINDOWS\MYPIC.COM each time the system reboots.
The EVENTS.INI script file in the infected PIRCH directory has just one instruction, which sends the infected file to the channel. The SCRIPT.INI file in the infected mIRC is more complex and performs more actions:
- when any new person enters the channel, the script sends him/her the virus dropper (the C:\WINDOWS\MYPIC.COM file)
- when "why me" appears in the channel (a user sends it), the script runs the mIRC timer that runs a CTCP protocol attack on this user.
- when joining an IRC server, the script sends the following message to the user named "TPhunk" on the same server:
I am alive

- on receiving the CTCP command "blah", the script quits mIRC with the message:
I am Owned - TP ownes me

- on receiving the CTCP command "bye", the script starts the mIRC timer that once per second executes the COMMAND.COM file.
- on receiving the CTCP command "give", the script sends to this user the MIRC.INI file from the C:\MIRC directory.
- on receiving the CTCP command "unf", the script runs on the computer a file that is specified in the command parameters.
- on receiving the CTCP command "ya", the script sends a message to a user. Both the user and message are specified in the command's parameters.
- on receiving the CTCP command "own", the script changes the window title to the following text:
You've been hax0red

- on receiving the text "mypic" from a user, the script waits 30 seconds and then attacks this user via the CTCP protocol.
- on receiving the CTCP command "giveme", the script sends out a file that is specified in the command's parameter, i.e., the worm is able to steal data from remote computers.
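
A defender's check for the file-system traces described above, as an added example that is not part of the original write-up: it scans a mounted drive image or copied directory tree for WINDOWS\MYPIC.COM and for the startup and chat-client script files that mention it. The function names, the root-level directory layout and the two sample trees are assumptions constructed for the example; file attributes are not checked.

```python
from pathlib import Path
import tempfile

DROPPER = "MYPIC.COM"
# Files the write-up says reference the dropper, relative to the drive root.
# Assumption: PIRCH98 and MIRC sit directly under the root, like C:\MIRC.
REFERRERS = ("AUTOEXEC.BAT", "PIRCH98/EVENTS.INI", "MIRC/SCRIPT.INI")

def find_ci(root, relpath):
    """Resolve relpath under root ignoring case, as DOS/Windows would."""
    current = Path(root)
    for part in relpath.split("/"):
        children = current.iterdir() if current.is_dir() else ()
        hit = [p for p in children if p.name.upper() == part.upper()]
        if not hit:
            return None
        current = hit[0]
    return current if current.is_file() else None

def scan(root):
    """Return findings for a mounted drive image or copied directory tree."""
    findings = []
    if find_ci(root, "WINDOWS/" + DROPPER):
        findings.append("dropper file WINDOWS/" + DROPPER)
    for rel in REFERRERS:
        path = find_ci(root, rel)
        if path and DROPPER.encode() in path.read_bytes().upper():
            findings.append(f"{rel} references {DROPPER}")
    return findings

def build_sample(files):
    """Create a constructed directory tree from {relative path: bytes}."""
    root = Path(tempfile.mkdtemp(prefix="mrwormy_demo_"))
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root

# Constructed samples: placeholder text only, not the worm's real script lines.
INFECTED = build_sample({
    "WINDOWS/MYPIC.COM": b"placeholder",
    "autoexec.bat": b"@ECHO OFF\r\nC:\\WINDOWS\\MYPIC.COM\r\n",
    "mirc/script.ini": b"; placeholder mentioning c:\\windows\\mypic.com\r\n",
})
CLEAN = build_sample({
    "autoexec.bat": b"@ECHO OFF\r\n",
    "mirc/script.ini": b"; user's own script\r\n",
})
```

Calling `scan()` on the root of a mounted image returns one finding per trace; an empty list means none of the listed files is present or mentions the dropper.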



© 2006-2008 spyware32.com - Privacy Policy