Irc/Flood

Discussion in 'Trojan Defence Suite' started by Billy, Apr 7, 2003.

Thread Status:
Not open for further replies.
  1. Billy

    Billy Guest

    My boss got the IRC/Flood virus. He is running McAfee Personal Firewall with VirusScan. After the virus was caught and deleted it came back. The personal firewall and McAfee did not detect it until a full scan was run. Will installing TDS correct the problem? I want to get rid of it and keep it gone.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    At least give it a try. Install TDS, update the radius and do a full scan with everything checked and on highest sensitivity.
    After that, you might like to try "Mirclean" from the free tools, especially for mIRC worms.
    In case nothing is found there either was no IRC/flood or it is a virus, while TDS is for trojans and worms.
    But do give it a try.
    Any idea where the nasty is hiding? That original needs to be solved and possible registry keys cleaned out, autostart, all that.
     
  3. Billy

    Billy Guest

    It is a Trojan virus. I don't know where it came from but it puts its files in Winnt/System32. The virus software found and deleted it but it came back. Since it is a trojan I thought TDS would give better protection. Will TDS clean the registry or will I have to do that myself? If he gets it again will TDS stop it?
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If it's a trojan, TDS should get it. I see it in the database with several names/variants.
    But how does your employer get it in the first place?
    It is supposed to be a chatbot, among others used for DoS etc.!
    The registered version of TDS has exec protection, which will block the nasty from executing in the first place.
    With TDS you can scan and locate it and delete it, or in case of doubt you might like to submit the file zipped to the TDS lab for deeper determination.
    The registry keys, if necessary after deleting the trojan --not every trojan/worm changes registry keys-- you'll have to change yourself.
    This McAfee page gives clear descriptions:
    http://vil.mcafee.com/dispVirus.asp?virus_k=98936
    Your firewall should block such connections for contact with the outside world as well as incoming signals to contact a possibly installed server (it might contain a backdoor! bad bad on a company's computer!).
    You might like to look with Port Explorer extra at all connections and which files/programs are responsible for those, block them and look who they are connecting to.
    The evaluation version lets you at least have a look and has a fine set of tools with automated whois and much more; it's running permanently (in the registered version) on my system to check and block etc.
    If it comes from websites among others, I love WormGuard as an extra important tool too, to block and pop up with warnings for suspicious files and give an opportunity to check them in the safe mode so I know what I'm allowing or blocking.
    So there are several ways for protection, detection and getting rid of the nasty.
    If it gets back each time again while it doesn't come anew with emails, you might like to have the information sniped out what its purpose is and if it is stealing company information, for which DCS has a fine department so you can deal with the sender. They know a lot about bots!
    So start with downloading these valuable programs, starting with TDS, and keep us informed how it goes!
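    The connection check suggested in the post above, as an added example that is not code from this thread or from DiamondCS. Port Explorer's value was pairing each socket with the program that owns it; on Windows 2000 the built-in netstat had no -o switch, so this script does the pairing itself from a constructed `netstat -ano`-style listing and a constructed PID-to-image map. It flags outbound sessions to IRC server ports and listening sockets held by an image that is not on a short per-host allowlist. The addresses (documentation ranges), PIDs, image paths, IRC port set and allowlist are all assumptions.

```python
"""Pair sockets with owning images and flag IRC-bot-looking activity.

Added example; netstat text, PID map and allowlist are constructed.
"""
import re

# Common IRC server ports (assumption about what a mIRC-based bot dials)
IRC_PORTS = set(range(6660, 6670)) | {7000}

# One TCP row of netstat -ano: local, remote, state, PID
TCP_LINE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)

# Constructed listing with documentation-range addresses, not a real capture
NETSTAT_SAMPLE = """\
  Proto  Local Address      Foreign Address      State           PID
  TCP    10.0.0.12:1045     203.0.113.7:6667     ESTABLISHED     1220
  TCP    10.0.0.12:1050     198.51.100.3:80      ESTABLISHED     840
  TCP    0.0.0.0:21         0.0.0.0:0            LISTENING       1304
  TCP    10.0.0.12:139      10.0.0.15:1037       ESTABLISHED     8
  TCP    10.0.0.12:1061     203.0.113.9:7000     SYN_SENT        1220
"""

# Constructed PID -> image map (what tasklist or Port Explorer would show)
PID_TO_IMAGE = {
    1220: r"C:\WINNT\system32\shell32.exe",   # an .exe nobody installed, parked in System32
    840: r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    1304: r"C:\WINNT\system32\regsvc.exe",    # something serving FTP under a system-sounding name
    8: "System",
}

# Images allowed to hold listening sockets on this box (assumed per-host baseline)
ALLOWED_LISTENERS = {
    "system",
    r"c:\winnt\system32\svchost.exe",
    r"c:\winnt\system32\lsass.exe",
}


def parse_netstat(text):
    """Return one dict per TCP row; the header and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({
            "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": int(rport),
            "state": state, "pid": int(pid),
        })
    return rows


def triage(netstat_text, pid_to_image, allowed_listeners):
    """Return (pid, image, reason) for each row worth blocking or inspecting."""
    findings = []
    for row in parse_netstat(netstat_text):
        image = pid_to_image.get(row["pid"], "<unknown>")
        if row["state"] == "LISTENING":
            # A server nobody installed: the backdoor/FTP side of these bundles
            if image.lower() not in allowed_listeners:
                findings.append((row["pid"], image,
                                 f"unexpected listener on port {row['lport']}"))
        elif row["rport"] in IRC_PORTS:
            # Outbound to an IRC port from an arbitrary image: the bot phoning home
            findings.append((row["pid"], image,
                             f"outbound IRC to {row['raddr']}:{row['rport']}"))
    return findings


def suspect_images(findings):
    """Collapse findings to the images to kill, zip and submit."""
    return {image for _pid, image, _reason in findings}


if __name__ == "__main__":
    for pid, image, reason in triage(NETSTAT_SAMPLE, PID_TO_IMAGE, ALLOWED_LISTENERS):
        print(f"PID {pid:<6} {reason:<40} {image}")
```

    The allowlist is the part that needs per-host care: a listener owned by an image outside it is only a lead, and the image should be checked by path and header before it is killed.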
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Download and install TDS and get the latest databases before running it. We have a lot of detection for IRC trojans, even though the file you are mentioning is a TEXT file (a support file for a bot)

    I'm almost certain the trojan in question is a modified mIRC exe file, and TDS currently detects a lot of those. Once you kill the EXE file, then it should no longer be reappearing. Please give me an indication of what file names are being detected, and also what autostart registry keys and other entries you might have. You can do that by running the program StartupList.. sorry I don't have a link! anyone?

    Then email support@diamondcs.com.au with the results - post here too if you like, as there are generally helpers available 24/7 :) I think there may still be a dropper which adds the files back when you restart.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Get HijackThis (best from Tom_Coyote's page)
    Startuplist is integrated in it.
    You can activate it by clicking Config > Misc Tools > Generate Startuplist
    in HijackThis.
    If you already downloaded it before, get a new copy (version 1.93)

    Regards,

    Pieter
     
  8. Billy

    Billy Guest

    The virus adds a lot of files. The McAfee site below shows them.

    http://vil.mcafee.com/dispVirus.asp?virus_k=100181

    This is the list it found.

    abc.bat - batch file attempts to connect to other machines using various usernames and passwords.
    abc.dll - standard I/O file used by MIRC client.
    abc.exe - executable to run other executable in silent mode.
    abcd.jpg - IRC script that can perform various backdoor/bot activities.
    addon.dll - text file with hacker message and bot status.
    addon.sys - text file with hacker message and bot status.
    attrib.exe - standard Windows command-line application.
    change.exe - application to change ini file.
    dtceindll32.dll - mIRC ini file.
    hot.dll - dll file.
    identd.exe - freeware IRC tool.
    kill.exe - detected as application MSKILL
    moo.dll - application to get local machine information.
    psexec.exe - application RemoteProcessLaunch
    reg3.ocx - MIRC ini file detected as IRC/Flood.ba
    regsvc.exe - application ServU Daemon
    regsvc32.exe - the self-extracting dropper file.
    remote.ini - MIRC ini file.
    run32.bat - batch file.
    set.bat - batch file.
    shell32.bat - batch file.
    shell32.dll - application that can take screenshot of the local machine.
    shell32.exe - hacked mIRC client


    I am not sure how he is getting it.
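    A sweep over a dropped-file set like the one listed above, as an added example that is not code from this thread, from McAfee or from DiamondCS. Only the file names are taken from the McAfee list; the one-line roles written next to them, the sample directory the script builds, the minimal PE stubs and the placeholder text inside it are constructed for the demonstration. The point it makes: several names in the list collide with real Windows or tool files (attrib.exe, shell32.dll, psexec.exe) and the bundle hides executables and scripts under misleading extensions (an "application" called shell32.dll, "text files" called addon.dll and addon.sys, a script called abcd.jpg), so each hit is checked against its own header before anything is deleted on name alone. The PE check reads the real IMAGE_FILE_HEADER Characteristics word; the extension rules are assumptions.

```python
"""Triage a directory against the McAfee-listed names, checking headers, not just names.

Added example; roles, sample directory and PE stubs are constructed.
"""
import os
import struct
import tempfile

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # Characteristics bits from the PE spec
IMAGE_FILE_DLL = 0x2000

UNKNOWN_ROLE = "not in the IOC list"
NOT_PE = "non-PE content under an executable extension"
RENAMED_EXE = "EXE image under a library extension"
PE_OK = "PE image consistent with extension"
EXEC_AS_DATA = "PE image under a data extension"
DATA = "text or data"

# Names from the McAfee list; the roles are this example's own summaries
IOC_NAMES = {
    "regsvc32.exe": "self-extracting dropper: keep a zipped copy for analysis, then remove",
    "shell32.exe": "hacked mIRC client, the process that rebuilds the set",
    "regsvc.exe": "Serv-U daemon under a system-sounding name",
    "psexec.exe": "remote process launcher (legitimate tool used for spreading)",
    "abc.bat": "logon attempts against other machines",
    "abcd.jpg": "IRC bot script under an image extension",
    "reg3.ocx": "mIRC ini under a control extension",
    "shell32.dll": "NAME COLLISION with the real Windows shell library: verify before touching",
    "attrib.exe": "NAME COLLISION with the real Windows attrib.exe: compare with a known-good copy",
}
for _n in ("abc.dll", "abc.exe", "addon.dll", "addon.sys", "change.exe",
           "dtceindll32.dll", "hot.dll", "identd.exe", "kill.exe", "moo.dll",
           "remote.ini", "run32.bat", "set.bat", "shell32.bat"):
    IOC_NAMES[_n] = "bot support file"


def pe_characteristics(data):
    """Return the FileHeader.Characteristics word, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is at offset 18 in it
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def classify(name, data):
    """Judge whether the file's content matches what its extension claims."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    chars = pe_characteristics(data)
    if ext in ("exe", "dll", "ocx", "sys"):
        if chars is None:
            return NOT_PE
        if ext in ("dll", "ocx") and not chars & IMAGE_FILE_DLL:
            return RENAMED_EXE
        return PE_OK
    return EXEC_AS_DATA if chars is not None else DATA


def sweep(directory):
    """Map each file name to (role from the IOC list, content verdict)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        report[name] = (IOC_NAMES.get(name.lower(), UNKNOWN_ROLE), classify(name, head))
    return report


def suspicious(report):
    """Names that are either on the list or whose content contradicts the extension."""
    return sorted(n for n, (role, cls) in report.items()
                  if role != UNKNOWN_ROLE or cls in (NOT_PE, RENAMED_EXE, EXEC_AS_DATA))


def make_pe_stub(is_dll):
    """Smallest byte string the header check accepts: DOS stub, PE signature, file header."""
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + file_header


def build_sample_dir():
    """Constructed stand-in for the infected System32; contents are placeholders."""
    d = tempfile.mkdtemp(prefix="ircflood_sample_")
    samples = {
        "regsvc32.exe": make_pe_stub(is_dll=False),
        "shell32.exe": make_pe_stub(is_dll=False),
        "shell32.dll": make_pe_stub(is_dll=False),   # an application wearing a .dll name
        "addon.dll": b"constructed placeholder for the bot's status text\r\n",
        "abcd.jpg": b"; constructed placeholder standing in for the IRC script\r\n",
        "remote.ini": b"[constructed]\r\nplaceholder=1\r\n",
        "attrib.exe": make_pe_stub(is_dll=False),
        "kernel32.dll": make_pe_stub(is_dll=True),   # properly flagged DLL, not on the list
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    report = sweep(build_sample_dir())
    for name in suspicious(report):
        role, verdict = report[name]
        print(f"{name:<16} {verdict:<48} {role}")
```

    Run against a real System32 the IOC dictionary alone would name the genuine attrib.exe and shell32.dll, which is why the verdict column exists: the real shell32.dll carries the DLL flag and the bundle's does not, and a ".dll" that is not even an MZ image is a text file wearing a library name. The dropper is the one to preserve (zipped) before removal, since it is what rebuilds the set.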
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Billy,

    If you have a weak or non-existent Admin password, set a strong one and reboot.

    Please email me a copy of this, submit@diamondcs.com.au .. preferably zipped

    regsvc32.exe - the self-extracting dropper file.

    Then delete it. Now you can delete all the other files you find and reboot to confirm you are clean. I'll check detection immediately in the morning and add everything I can (some files are legitimate support files)

    Of course.. if anything can't be deleted (the mIRC EXE may still be running) then kill it with TDS > System Analysis > Process List, or with another process viewer. Or of course Windows Task Manager :)
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The problem with these hacked up mIRC and Serv-U based trojans is they are packaged in a different way each time, with different tools and scripts, new addons, the whole open source trojan deal can be tricky to detect until widespread.

    Due to this we have allocated some research time for TDS-4 and some special detection of this sort of trojan :) TDS may detect a lot of these trojans by traces already, and many of the most common hacked mIRC, Serv-U and other clients are detected.
     
  11. Billy

    Billy Guest

    I already deleted the files so I cannot send it to you. The person is out of town and has the computer with him. When he gets back next week I will install TDS. He did call today and said that the firewall had detected that a service had tried to access the internet and had been blocked.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Billy, can you please try to grab the nasty Gavin is asking for by its tail before you delete them again and submit it to him?
    The whole internet community will be grateful, so will be your employer if you succeed with Gavin's determinations and additional support and TDS and WG and PE (you will LOVE that one in this case!) to keep it all safe and nice again.
    You get there, surely do!
     