backdoor.irc.mirc-based?

Discussion in 'malware problems & news' started by node, Jul 22, 2003.

Thread Status:
Not open for further replies.
  1. node

    node Guest

    Hi guys,

    I currently have this problem which I posted over at the KAV unofficial board. I've also emailed kav about it...

    http://forums.useice.com/cgi-bin/ikonboard.cgi?s=3f1dd0506495ffff;act=ST;f=1;t=84

    I just can't get rid of it.
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I just read the other thread, and ...

    When you uninstalled it, did you also delete the entire mIRC install point directory tree? Are you installing it in conjunction with a script like Invision or similar? (not that invision is a problem but there may be a trojanized install pack on a non-legit "mirror" site). If you do a fresh reboot with mIRC installed (but not visibly running) does a memory scan show any problems?

    Thx,

    Dan
     
  3. node

    node Guest

    I deleted the mIRC folder also, if that's what you mean. I am not installing it with any scripts. If mIRC isn't running then KAV would detect no viruses... It can only detect it with mIRC running and doing a manual system scan.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hmmm, maybe it's a false alarm in the generic detection for that (modified mIRC executable detection). These can be tricky to detect reliably; I have a LOT of different samples, and we have standard detection on those - they are the ones that the users out there are spreading after all :)

    Is the mIRC.exe definitely a cleanly installed version from you, and downloaded from the official site?

    If so, there is a false alarm and you will have to wait for an official response/fix. mIRC-based backdoors are usually installed to the Windows, System, or a subfolder of those (even the FONTS folder) and you wouldn't even be aware of the file in most cases.
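As an added illustration of the point Gavin makes (this is not code from the thread or from any vendor mentioned in it): a small defensive check that hashes the freshly installed mIRC.exe as a baseline, then walks the Windows, System and Fonts folders for any PE image that still carries mIRC strings and reports whether each copy matches the clean install or differs from it. The marker strings, the directory list and the sample file layout are assumptions constructed for the example; tune them against a binary you trust.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Byte markers a renamed copy of the mIRC client still carries. These two are
# assumptions for this example; derive real ones from a clean copy you trust.
MIRC_MARKERS = (b"mIRC", b"mirc.ini")

# The usual drop points named in the thread, relative to the system root.
# "Windows" is walked recursively, so its subfolders are covered; the explicit
# entries are kept for readability and de-duplicated below.
SUSPECT_DIRS = ("Windows", "Windows/System", "Windows/System32", "Windows/Fonts")


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_mirc(path: Path) -> bool:
    """True if the file is a PE image (MZ header) containing every marker."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return data.startswith(b"MZ") and all(m in data for m in MIRC_MARKERS)


def find_mirc_copies(root: Path, known_good_sha256: str):
    """Walk the suspect directories under root and report every mIRC-like PE.

    Each finding is (path relative to root, sha256, status); status is
    'matches-install' when the hash equals the baseline taken from the clean
    install, otherwise 'differs-from-install' (a modified or trojanised copy).
    A copy in these folders is a finding either way; the status only tells you
    whether the bytes changed.
    """
    findings = []
    seen = set()
    for rel in SUSPECT_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                p = (Path(dirpath) / name).resolve()
                if p in seen or not looks_like_mirc(p):
                    continue
                seen.add(p)
                digest = sha256_file(p)
                status = "matches-install" if digest == known_good_sha256 else "differs-from-install"
                findings.append((p.relative_to(root.resolve()).as_posix(), digest, status))
    return sorted(findings)


def build_sample_tree(root: Path) -> str:
    """Create a constructed directory layout for the demo; returns the baseline hash.

    The 'executables' are fake byte strings, not real binaries.
    """
    clean = b"MZ" + b"\x00" * 64 + b"mIRC v6.03 mirc.ini" + b"\x00" * 64
    (root / "Program Files/mIRC").mkdir(parents=True)
    (root / "Program Files/mIRC/mirc.exe").write_bytes(clean)
    for d in SUSPECT_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    # An exact copy dropped into the System folder.
    (root / "Windows/System/mirc.exe").write_bytes(clean)
    # A modified copy hidden in Fonts under an innocuous name.
    (root / "Windows/Fonts/fontcfg.exe").write_bytes(clean + b"\x00constructed-tail")
    # A genuine font file is not a PE image and must be ignored.
    (root / "Windows/Fonts/arial.ttf").write_bytes(b"\x00\x01\x00\x00 not a PE")
    return hashlib.sha256(clean).hexdigest()


def demo():
    """Build the sample tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = build_sample_tree(root)
        return find_mirc_copies(root, baseline)


if __name__ == "__main__":
    for path, digest, status in demo():
        print(f"{status:22} {digest[:16]}...  {path}")
```

On a real machine you would take the baseline hash from the mIRC.exe you installed from mirc.com and point `find_mirc_copies` at the system drive; anything it reports in those folders is worth sending to the vendor alongside the false-positive report, because a clean install should leave nothing there.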
     
  5. node

    node Guest

    The mIRC was uninstalled from the control panel and freshly installed from a clean setup file downloaded directly from mirc.com and scanned with KAV 4.5 Lite before installation.
     
  6. node

    node Guest

    Scanned with TDS3 also and they came up with nothing...
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Then it is looking more and more like a false positive. Have you notified the vendor?
     
  8. node

    node Guest

    I've sent the file to KAV this morning. I also emailed them about the problem and they have yet to get back to me.
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I have forgotten we were talking about KAV, lol. I have KAV Personal Pro and run mIRC 6.03 in conjunction with Invision script and have no alarms when running memory scan with either yesterday's definitions or today's. I also confirmed that I did not set an exclusion on the mIRC directory.

    It all seems pretty strange. I'm afraid I'm not too sure on how to advise you on this except to wait for feedback from KAV. :(
     