Removing mIRC

Somehow, mIRC got installed on my system and it seems to be opening a hole for attack. My Norton Anti-Virus has detected several infected files and removed them, but I’d like to close the hole.

If I look at Add/Delete Programs, mIRC shows up but clicking on the button does nothing. There is no size or use information either. I see no other indication of the program on my system, but the infected files caught by Norton are quite disturbing.

I’ve removed all the files on the system that I think might be related, but I’d like a more sure way of uninstalling. Anyone know how to uninstall mIRC from Windows 2000?

Hrmm, a little more investigation makes it appear that it might be part of my new Earthlink DSL installation.

mIRC itself is simply an Internet Relay Chat client. You really can’t be exploited through it. If you didn’t install it yourself, then most likely someone has installed it via a trojan horse to communicate with an application running on your system. Try using Moosoft’s “The Cleaner” to look for remnants of trojans, and make sure you update NAV’s virus definitions.

BTW, a legitimate installation of mIRC won’t show up in add/remove programs at all. It sits in its own directory, C:\mIRC, and doesn’t leave any files elsewhere or entries in the registry. It’s quite well behaved.

I don’t know about mIRC’s installation, but there are a fair amount of scripts that take advantage of bugs or default settings. Unless you actually run mIRC, there isn’t a big problem though. Don’t know why the uninstall doesn’t work, but like FDISK says, all its files are in subdirectories, so if you deleted your mIRC directory, don’t worry.

I’m no computer expert by far, so please bear with me. I downloaded ICQ, but couldn’t get it to work and couldn’t uninstall it. I have Windows 95 and the world’s wimpiest computer. It was on my Start menu, so I right clicked on it, clicked Properties, then Find Target. A window appeared with a dozen files, so I right clicked on a few carefully chosen ones, clicked delete, then was able to uninstall it from the Add/Remove programs. Many of my computer woes were solved after, such as error messages when trying to log off.
Maybe this website could be of some help: http://www.spywareinfo.com/

Depends on what your definition of “exploited” is. Someone running zombie clients remotely on your machine to be used in DDoS attacks would qualify as an exploit in my book. See Steve Gibson’s article on this.

Just another reason I’ve created my own chat server and clients from scratch. :slight_smile:

Right, Anthracite, but mIRC still isn’t the program that was used to create the exploit. In your example, the blame would lie with whoever or whatever put the trojan there in the first place. mIRC itself isn’t a security hole, especially if you never run it.

And why would a DDoS trojan use mIRC, anyway? I thought those things just used “ping”. It seems like it would be a lot simpler…

Chronos:

http://grc.com/dos/grcdos.htm

Wrong.

Well, I ran the Cleaner over my system and it didn’t find anything. I’ve removed anything that looks like IRC from the system, but it still shows up in my Add/Remove Programs list.

Last night I got another notice from Norton that it had detected Backdoor.IRC.something virus in some files (which were in the printer directory) so I’m still getting attacked by something. Perhaps it’s time for a firewall.

Where exactly does mIRC install its files? I’ve done a pretty good search of the system and removed some files, but not sure if I’ve cleaned them all out.

Grrr, this is frustrating. Anthracite that link you posted is rather chilling.

Just got a new set of messages from Norton; they always come in groups. Here is the latest set of virii, all found in the C:\WINNT\Fonts directory:

Hacktool.Flooder

Backdoor.IRC.Zcrew

IRC Trojan

So, I’m still suspicious of IRC (which I never use) and can’t seem to remove it. Any other suggestions on how to attack this problem?

Telemark, my friend, please tell us what operating system you’re running. Almost certainly, you have a “trojan” horse program being loaded at bootup time, it seems to me. The rest of this post will help you, I’m hoping…

For your reference, I own a software business which develops database systems for corporations which run over the web. Certainly, over the last 3 years, if there’s been a security hole which we could possibly have come up against, my employees and I have done the research and made the adjustments necessary to combat such holes… and it goes on still - every fortnight we have a security chat - we spend the whole day not doing programming but just searching the web for new dangers - if any.

Some things to note, OK? Norton is a software tool, just like a word processor… its functions are different, sure, but it’s a software tool which depends in no small part for its future success on SCARING you into thinking the worst… if Norton can’t SCARE you, their sales will drop - so you should approach Anti-Virus software providers with a certain amount of cynicism.

Next, Norton’s anti-virus service is very CPU hungry - I find consistently that it chews up 5% CPU on a typical workstation PC - regardless of whether you’re online or not - such is its insistence on “second guessing” all the traffic which flows through your PCI bus.

Also, yes it’s true - Microsoft have justifiably earnt a LOT of shit which gets thrown their way - no questions about it. But to their credit, they DO implement fixes to holes in their OS and other assorted software packages like Internet Explorer when those holes are made public knowledge - they’re very pro-active about it actually. Almost every virus in the last 3 years which was designed to attack Microsoft machines did so through the holes I just mentioned. If you make the effort to visit www.windowsupdate.com you’ll be astonished how easy it is to apply all the various Security Patches and System Packages - for free. And make no mistake, if you do so, you’ll almost certainly make Norton a redundant piece of software - this wasn’t true 6 months ago but it is now I feel.

That being said, as it stands, you’re concerned about things as they exist on your PC, right here, right now.

My single strongest bit of advice is this - use the Registry Editor to carefully observe what programs are being implemented at Startup time with, or without, your knowledge. This, almost always, is the primary vector for nasty stuff - especially if “new infected files” are appearing on your PC even if you’re offline.

You’ll be wanting to analyse two major branches…

HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER…

The sub-branches are as follows…

Software :: Microsoft :: Windows :: Current Version :: Run

Now here’s what you do, OK? In those branches you’ll see the bootup programs. You’re gonna want to make a backup of your Registry Files, and THEN, you’re gonna look for the files which are getting called at boot up time.

Some will be profoundly obvious and safe like the Norton programs. On the others, don’t delete them, but rather, MODIFY the keys - in particular, modify the parts which say “.exe” to “.fuckoff” or something like that. This way, you get to keep the key, and you can always do a search on “.fuckoff” again if you get lost. By doing this, you render the key inert, but you keep the key for future use if you wish to reactivate it again.

I’m sure your fellow Dopers will be able to help you if you require more assistance.

I promise to help if I’m here over the next few days.
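One way to do the Run-key review described in the post above offline, as an added example that is not from the thread or any of its posters: export the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER `...\CurrentVersion\Run` keys with regedit (File -> Export), then run this script over the .reg file. It lists every autostart entry and marks the ones worth a closer look: programs launched from directories where autostart entries do not belong (the Fonts and printer spool directories the thread mentions), an IRC client started at boot, or a bare filename with no explicit path. `SAMPLE_REG` is a constructed export, and `SUSPICIOUS_DIRS` and all function names are assumptions made for this example.

```python
"""Audit Windows "Run" autostart entries from a regedit .reg export.

Added example, not from the thread.  SAMPLE_REG is a constructed export
that mimics the regedit version 5.00 text format; SUSPICIOUS_DIRS is an
assumed starting list and should be extended for a real audit.
"""
import re

# Constructed sample export: two legitimate entries, one bare filename,
# one program in the Fonts directory and one that starts an IRC client.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\\PROGRA~1\\NAVNT\\navapw32.exe"
"Synchronization Manager"="mobsync.exe /logon"
"fontupd"="C:\\WINNT\\Fonts\\svchost.exe -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"ircsvc"="\"C:\\mIRC\\mirc.exe\" -r C:\\WINNT\\System32\\spool\\x.ini"
"""

# Directories from which legitimate autostart programs are almost never run
# (assumed list; Fonts and the printer spool come from the thread itself).
SUSPICIOUS_DIRS = (r"\winnt\fonts", r"\windows\fonts", r"\spool", r"\temp")

UNUSUAL_DIR = "runs from an unusual directory"
IRC_CLIENT = "starts an IRC client at boot"
NO_PATH = "no explicit path; confirm which file is actually found"

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Return (key, value name, command line) for every entry under a Run key."""
    entries = []
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None or not key.lower().endswith(r"\currentversion\run"):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, unescape(m.group("name")), unescape(m.group("data"))))
    return entries


def executable_path(command):
    """Return the program part of a Run command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_entry(command):
    """Reasons this entry deserves a closer look; empty list means nothing odd."""
    exe = executable_path(command).lower()
    reasons = []
    if any(d in exe for d in SUSPICIOUS_DIRS):
        reasons.append(UNUSUAL_DIR)
    if "mirc" in exe:
        reasons.append(IRC_CLIENT)
    if "\\" not in exe:
        reasons.append(NO_PATH)
    return reasons


def audit(reg_text):
    """Full report: one dict per autostart entry with its flags."""
    return [{"key": key, "name": name, "command": command, "flags": flag_entry(command)}
            for key, name, command in parse_run_entries(reg_text)]


if __name__ == "__main__":
    for row in audit(SAMPLE_REG):
        hive = row["key"].split("\\")[0]
        marker = "!!" if row["flags"] else "  "
        print(f"{marker} {hive}  {row['name']!r} -> {row['command']}")
        for reason in row["flags"]:
            print(f"      {reason}")
```

To run it against a real export, replace `SAMPLE_REG` with the file contents read as UTF-16 (`open(path, encoding="utf-16").read()`), since regedit writes version 5.00 .reg files in that encoding. The script only reads the export; it never touches the live registry, so it can be run on a copy of the file from another machine.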

Another way to find out what programs load when your computer starts is to go to Start : Run, and type in ‘msconfig’ (without the quotes). It will bring up a box with several tabs; one tab says “Startup” and has a list of different programs that start when your computer starts… although most trojans probably won’t be listed there because they load differently, from what I understand. Still good for getting rid of system resource hogs like Yahoo Messenger without having to sign into them or uninstall them.

You can’t launch an attack from mIRC (unless you call a lot of failed connection attempts an attack), but a simple script could be used to coordinate attacks over IRC. That is, when you boot, the trojan could start mIRC, and the trojan-supplied script would connect to a server and wait for instructions.

I’m running Windows 2000.

Thanks for all of your help. I realize that Norton is a tool and I need to understand it much more than I’ve understood it in the past. All of this has happened since I’ve gotten DSL last month, so I’m learning this stuff under the gun. I’m a UNIX programmer from way back, but I’ve never really had to understand Windows security, so I’m learning quickly.

My current Norton scan has found some infected files and I’ll take a look at them. I’m currently installing all the MS security patches and updates, something I certainly should have done before now. I couldn’t find anything obvious in the registry, but I’ll check it all again after the MS update.

Thanks all for your help. I appreciate it.

Well, the nifty thing about how a trojan works is that it wraps itself “around” a program file - so that when you activate that program file during the normal course of your work, both the virus, and the normal program are kicked into play.

Once the virus is active once again, it sets about infecting OTHER files.

And so, the most common form of attack is to infect a system file like rundll.exe for example, which gets called as a normal function of your bootup procedures. Or, to add a totally innocuous looking key in your bootup sequences which THEN calls rundll.exe as another example.

Telemark, my favourite platform for our various workstations and webservers remains Windows 2000 - in various incarnations such as “Professional”, “Server”, and “Advanced Server”.

If you’d like to send me a bitmap image of your “run” sections in your Registry Editor, I’d be happy to second guess for you. I could send you an example of mine to show you the trick on rendering bootup keys inert without totally deleting them. It’s a very good trick, because some programs look for the key, but don’t look at the contents of the key - and you can prevent further “auto bootup behavior” while also being able to selectively use a program at your convenience.

AOL’s AIM service is an example. It’s not malicious, but it INSISTS on creating an auto bootup key in “CURRENT USER” branch of the Registry Editor. By rendering the key inert, you can still use AIM at your convenience, but it will no longer bootup automatically.