mIRC


Viruses, Trojans, and Worms

If you are experiencing a trojan or virus that you think is related to mIRC, or if mIRC is running when your Windows first starts up, or is sending files to strangers on IRC, or joining channels without you asking it to, or typing strange messages to channels or users that you never typed, then read on.

Trojans and Viruses are a serious issue on the internet.

Far too often, people new to the internet, and even people who have been using the internet for many years, carelessly accept and download strange files onto their own computers, either through IRC, email, or the web, and these files then turn out to be trojans or viruses of some kind which infect their computers.

If you have been infected with a trojan or virus, it is quite possible that your computer may be at this moment infecting many other people.

Trojans and viruses spread themselves around the internet by using your Windows operating system (such as Windows 95, 98, XP, etc.), your web browser (such as Internet Explorer), your email program (such as Outlook or Eudora), and other software (such as mIRC).

How did this happen? The only way a trojan or virus can infect your computer is if you have at some point downloaded the trojan or virus and installed it on your own computer. There are other methods, such as having an insecure internet connection, or a security problem in Windows which allows someone to infiltrate your system (Microsoft usually fixes these quickly; however, the onus is on you to make sure that you have applied the latest security fixes to your Windows operating system).

You have almost definitely caused your own problem by downloading a strange file onto your own computer. It may also be that someone else who uses your computer, such as a friend, family member, or colleague at work, has done this without being aware of it.

Some recent viruses that distribute themselves using email programs such as Microsoft Outlook/Exchange also use mIRC and IRC to spread themselves. Well known examples of such viruses are the I LOVE YOU, SirCam, and Klez viruses.

Some viruses install mIRC somewhere on your computer and start it every time you switch on your computer.

A trojan/virus infection is not something you can solve simply by deleting some files or uninstalling mIRC. The trojan/virus will almost definitely have renamed all mIRC-related files, and will have hidden them in different folders on your computer, and will have installed other various files, and modified your system in other ways.

The only way to solve your trojan/virus issue is to download anti-virus software, and if that doesn't work, you will need to contact an anti-virus company to ask for help. If they do not know about the trojan/virus, you will need to contact another anti-virus company until you find one that does. You will also need to change your attitude towards accepting strange files from the internet.

Background information

In short: trojan worm attacks are attractively disguised files that you download and run, resulting in harmful and dangerous consequences ranging from takeover of your IRC channels, erasing of your hard disk, theft of your account passwords, etc. Almost always your infected machine starts to spread the worm by itself, by E-mail and IRC. These (Trojan) viruses and worms are not mIRC or IRC specific, they just spread like fire on IRC.

Trojans are typically files with suffixes like ".ini", ".exe", ".com", ".vbs" or ".js", such as "dmsetup.exe" (http://www.geocities.com/SiliconValley/Heights/3652/dmsetup.html). These days nearly all trojans are spread in the guise of a bugfix, free game or other software. You probably downloaded one from a WWW or FTP archive, ICQ file exchange, or through IRC's DCC file transfer (by manual /dcc get or, even worse, an "auto DCC get" feature which allows anybody to send you anything, including not only trojans but also viruses, porn, and other illegal things). Typically the trojan needs to be run manually, and installs hacked files all over your disk silently.

When you run the program it infects your computer and often installs various programs like mIRC on your computer. We call this "dropping a payload". The worm then distributes itself by e-mail or over IRC.

The worms often make sure their payload (mIRC) starts when your computer is booted. This copy of mIRC, in combination with a malicious script, is then used to further distribute the worm, and to gain control over your computer. Your computer can then be used to create a group of infected computers that can be used to attack webservers and IRC servers. Such an attack is called a Distributed Denial of Service (DDoS) attack.

News on new viruses, trojans and worms.

Recently some new viruses have made their appearance on IRC. Read these descriptions and see if their behaviour is similar to what you experience. Try to find what exactly happens on your computer. Try to find what programs are started (like a tweaked mIRC) and how they are started. When you find some suspicious files, search for information about them on the websites of the large anti-virus program makers, like McAfee or Symantec. If you feel comfortable enough about the information available from the anti-virus makers, try to weed out the malicious files and the files that got you infected. If you feel uncertain, always use a proper virus scanner:

  • McAfee publishes a list of new viruses on the web. Look for virus types like "Internet Worm", "E-mail worm", "mIRC Worm", etc. You'll see a lot of them have mIRC or IRC related components. Several of them will install mIRC on your computer.

    Search McAfee's Free Search page when you have a suspicious looking email subject line, message body phrase, or filename to identify a particular threat.

  • At McAfee's website go to the Virus Information Library and search for viruses beginning with "IRC". Also do a keyword search for "mIRC". You'll find loads of IRC and mIRC related viruses.

  • Search Symantec's Virus Encyclopedia for IRC and mIRC related viruses. Also see their list of latest threats.

At IRChelp.org you will learn more about trojan attacks, such as dmsetup.exe and script.ini, or their look-alikes Back Orifice or NetBus, and how to undo the damage. If you think you need more info, browse to:

  • DALnet's #NoHack,
  • Script.ini info,
  • DMSetup info.

Some special programs are available that, with more or less success, manage to clean your infected computer of the trojans you have. For examples look at moosoft.com.

How can I prevent this from happening in future?

Always use caution when receiving files from others on IRC channels or by e-mail. Although a percentage of files are safe, sharing of files is the common breeding ground for virus spreading and distribution. Use these common usage rules to minimize the risk of receiving or spreading a virus:

  • Never open attachments in E-mails before scanning them with a virus scanner. Do not trust the sender of an e-mail. Although it may look like a friend may have sent you a file, his computer could actually be infected and may be sending out viruses without him or her being aware of it.

  • Never download files from people or sites which you aren't 100% sure about. Only accept files from people that you know and trust. Never accept files without knowing their full purpose. Never use the "auto DCC get" option. Never open attachments in E-mails before scanning them with a virus scanner.

  • Files of executable extension such as .EXE, .COM, .VBS, .BAT, .HLP and .DLL should never be accepted from others as they have the most potential to cause problems or infection.

  • Use antivirus software to scan all files received on IRC channels. This is not a sure-fire way of detecting all viruses; however, known viruses can be prevented from running if vigilant scanning techniques are used.

  • Scripts should not be accepted from others you do not know. Automation is another factor in the distribution of viruses and trojans.

  • Files which support macros (like Word documents) should not be accepted, or if they are accepted, make sure to have macro virus protection enabled. If you are unable to verify if macro virus protection is enabled, use alternate viewers such as QuickView or Wordpad as they do not support macros. Office97 applications have viewers available from Microsoft such as Word97 Viewer. Using alternate viewers will minimize the risk of spreading macro virus infections.

  • mIRC has several security settings and options to disable certain functions. We advise you to use them. In the DCC/Options/ menu set the "send" and "get" options to prompt or ignore requests for file send or receive transactions. And disable the 'run' and 'dll' commands in the 'File/options/General/Lock/' menu to stop the automagic startup of helper applications.

Note that mIRC by default does not accept files from strangers, and it never has. If you have accepted files by the "DCC auto get" feature in mIRC, then you (or a virus) have switched this option on.
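The file names quoted on this page (Life_Stages.txt.shs, MyPicture.bmp.vbs and the like) put a harmless-looking extension in front of the real one. The following is an added example, not part of the original page or of mIRC: it sorts offered file names by the extension rules above, and its decoy list and the labels it returns are assumptions.

```python
import ntpath

# Extensions this page tells readers not to accept, plus the trojan suffixes
# (.ini, .js) and the .shs carrier it names elsewhere.
RISKY = {".exe", ".com", ".vbs", ".bat", ".hlp", ".dll", ".ini", ".js", ".shs"}
# Assumption: harmless-looking extensions used as the visible decoy.
DECOYS = {".txt", ".bmp", ".jpg", ".gif", ".doc"}

def classify(offered_name):
    """Return 'disguised', 'risky' or 'scan' for a file name offered to you."""
    # Keep only the file name and drop trailing dots/spaces, which Windows ignores.
    name = ntpath.basename(offered_name).rstrip(". ").lower()
    stem, ext = ntpath.splitext(name)
    if ext not in RISKY:
        return "scan"  # not on the list: still scan it before opening
    # A decoy extension in front of the real one (possibly padded with spaces)
    # makes the file look like a document or a picture.
    inner = ntpath.splitext(stem.rstrip())[1]
    return "disguised" if inner in DECOYS else "risky"

def triage(names):
    """Classify every offered name."""
    return {name: classify(name) for name in names}

# Constructed list of offers; the first five names are quoted on this page.
OFFERS = [
    "Life_Stages.txt.shs",
    "love-letter-for you.txt.vbs",
    "MyPicture.bmp.vbs",
    "dmsetup.exe",
    "script.ini",
    "holiday.jpg          .exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name, verdict in triage(OFFERS).items():
        print(f"{verdict:9}  {name!r}")
```

A "scan" result only means the name is not on the list; the file still goes through the virus scanner before it is opened.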

A small list of mIRC related viruses:

  • Trojan.IrcBounce - Is your computer infected with a mIRC version 5.7 (as the Help/About/ menu will tell you) hiding as TASKMNGR.EXE (not to be confused with TASKMNG.EXE or TASKMAN.EXE)?
    From the load of reports I received it seems we have a firm outbreak of this trojan. Trojan.IrcBounce is the detection for a collection of programs that a hacker can use to conceal intrusion and obtain administrator-level access to Microsoft Windows environments. After it is installed into your computer, it gives a remote attacker unobstructed access to your computer. I believe this trojan is used for the DALnet DDoS attacks. The trojan includes a copy of mIRC that hides as Taskmngr.exe actually being mIRC32.exe version 5.7. The Trojan uses this file to run all of its mIRC scripts, including Dll32.hlp, Dll32NT.hlp, Xvpll.hlp, Httpsearch.ini, and NT32.ini.
    Read more at the Symantec website since McAfee seems not to detect this trojan (properly). Do not confuse this trojan with IRC/Randy or IRC/Flood.
    Related but incomplete info is available at the Microsoft knowledgebase.

  • IRC/FinalBot - This is a trojan which enables others to remotely control your system by sending commands via Internet Relay Chat. On IRC it is known as the "TNT Crack" virus. Your virus scanner should be able to fix this worm. See http://vil.mcafee.com/dispVirus.asp?virus_k=99193 for details about this worm. The infecting executable is a self-extracting archive (726,528 bytes) which contains 39 files. One of them is a copy of mIRC renamed as RUNDLLS.EXE. When you run the virus (by accident), the TNT Crack searching program is displayed and lots of files are installed to your computer, and you are infected. With proper instructions you can easily remove this virus by hand but you have to weed out its origin to get cured. Better let your recent virus scanner do the job.

  • IRC/WinHelp.a (IRC/Flood) - There is this worm (virus) that installs mIRC on computers once it has infected you. It is called IRC/WinHelp.a. I have NO idea where it comes from. Your virus scanner should be able to fix your problems. See http://vil.mcafee.com/dispVirus.asp?virus_k=98936 for details about this worm.
    Characteristics: Every time you boot your system a program titled something like "FreeExtractor" or "ph33r" runs. It places files like "temp.exe" and "whvlxd.exe" in your windows\system or \system32 folder. It also adds a registry key to load on startup.
    This is an Internet Relay Chat spreading worm which can also act as a flooder tool to bog down IRC servers. The worm includes a copy of the mIRC client within the contaminating file. This allows users who do not run mIRC (to their knowledge) to become a carrier of this worm.

  • VBS.Stages.A - It is possible you got a file called Life_Stages.txt.shs and you were foolish enough to open it. Then, whenever you enter a chat channel, your mIRC (without any indication at all) will send that file to everyone in the channel. You are infected... Get rid of this virus by using the fixlife.exe file at http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html.

  • If for some reason mIRC loads itself (sometimes 4 or 5 times) when Windows starts up, you are infected by a trojan virus that installs mIRC on your computer, over and over... I have no idea yet what exactly is its origin; you must have downloaded something that was infected... Make sure to clear this and its origin properly. Download The Cleaner.

  • love-letter-for you.txt.vbs - VBS/LoveLetter.worm, LOVE BUG 04/05/2000. This trojan combines features of both a virus and a worm, and acts as a trojan dropper. It propagates to other computer users as an attachment to an E-mail message with subjects like "ILOVEYOU", "Susitikim shi vakara kavos puodukui..." or "Joke" and the text 'kindly check the attached LOVELETTER coming from me.'. When you open the attachment you are infected. The trojan automatically sends itself to all people in your address book, in search of a new victim. If mIRC is installed on your computer, the virus writes a special script so that the virus sends itself to all users in the channels you go to. The trojan has references to mIRC and Khaled in its body, but neither he nor mIRC Co. Ltd. has anything to do with this outbreak. Just another malicious joke of the trojan's creator...
    Read more about this trojan (and how to cure it) on http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html.

  • MyPicture.bmp.vbs - VBS.Illen: this combines features of both a virus and a worm, and acts as a trojan dropper. If mIRC is installed on your computer, the virus modifies the c:\mirc\script.ini and c:\mirc\mirc.ini so that the virus tries to send itself to all users in the channels you go to. Read more on
    http://www.symantec.com/avcenter/venc/data/vbs.illen.html

To clean your computer of these infections, make sure to get a proper virus scanner, for instance Norton AntiVirus or McAfee Anti Virus. It does not help to simply remove some files by hand. These viruses hide themselves on your computer and reinstall themselves as soon as you reboot.
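The Trojan.IrcBounce and IRC/FinalBot entries above describe copies of mIRC hiding under names one letter away from genuine Windows programs (TASKMNGR.EXE, RUNDLLS.EXE). The following is an added example, not part of the original page or of any anti-virus product: it flags startup commands whose program name nearly matches a known Windows name. The known-good list, the distance threshold and the sample entries are assumptions.

```python
import ntpath

# Genuine Windows program names; extend the set for the system being checked.
KNOWN_GOOD = {"taskmgr.exe", "taskman.exe", "rundll32.exe", "rundll.exe",
              "explorer.exe", "winlogon.exe", "svchost.exe"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def program_of(command):
    """Lower-cased file name of the program a startup command launches."""
    cmd = command.strip().lower()
    if cmd.startswith('"'):
        path = cmd[1:].partition('"')[0]
    else:
        # Unquoted paths may contain spaces, so cut after the first ".exe".
        head, sep, _ = cmd.partition(".exe")
        path = head + sep if sep else (cmd.split() or [""])[0]
    return ntpath.basename(path)

def lookalikes(run_entries, max_distance=2):
    """Map each suspicious startup entry to (its program, the name it imitates)."""
    found = {}
    for entry, command in run_entries.items():
        name = program_of(command)
        if not name or name in KNOWN_GOOD:
            continue
        nearest = min(KNOWN_GOOD, key=lambda good: (edit_distance(name, good), good))
        if edit_distance(name, nearest) <= max_distance:
            found[entry] = (name, nearest)
    return found

# Constructed startup entries (value name -> command); the two look-alike file
# names are the ones this page reports, the paths and entry names are made up.
RUN_ENTRIES = {
    "TaskManager": r"C:\WINDOWS\system32\TASKMNGR.EXE",
    "LoadDLLs": r'"C:\WINDOWS\RUNDLLS.EXE"',
    "Shell": r"C:\WINDOWS\explorer.exe",
    "Chat": r"C:\Program Files\mIRC\mirc.exe",
}
```

A genuine name launched from an unexpected folder passes this check, so compare the full path as well, and leave removal to the virus scanner as described above.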

Copyright © mIRC Co. Ltd. 1995-2008. All Rights Reserved.