#51524 - 27/09/03 12:34 AM Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
I have a scripted virus for mIRC on my computer, and now I'm working on a cleaner for that virus. The problem is that the script has this line:

alias unload { /echo -ae *** Unloaded script ' $+ $2- $+ ' | halt }

and if you try to unload it, it just does an echo and then a halt, but the file is still there, and I can't get it to work with /!unload file.name. Any suggestions?
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51525 - 27/09/03 12:36 AM Re: Virus
r0ck0 Offline
Fjord artisan

Registered: 22/06/03
Posts: 242
* RoCk waits for the punchline

#51526 - 27/09/03 12:47 AM Re: Virus
pheonix Offline
Hoopy frood

Registered: 06/05/03
Posts: 2265
You scripted a virus, and you want us to help with it?
_________________________
new username: tidy_trax

#51527 - 27/09/03 12:52 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
No, I found it on the net. It opens sockets, and the dude that made it has entered stuff with halted events, so if you do a /socklist he has an alias that answers that. I wanted to get some suggestions on how to UNLOAD the script/file, but he has an alias that halts the unload command, so I don't know how I can bypass the alias code. I'm writing a CLEANER that will remove the file and also clear the %vars, so the victim is able to get free from this virus. This is only to help people. If you don't know how to script or are totally new to this and then get this file, it won't help to reinstall your mIRC, and it won't help to just delete the files, because this crap writes to many files in your system. So I will clean them, and after that's done I want to unload the file, and that makes the computer safe again. The dude made this script to flood people with. He has a lot of commands like !packet and stuff, and it grabs the IP of the victim and starts to flood it. So I'm not trying to make a virus; I'm trying to make a thingie that REMOVES it.
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51528 - 27/09/03 01:05 AM Re: Virus
Iori Offline
Hoopy frood

Registered: 30/08/03
Posts: 1831
Try this...
Code:
alias restore { alias $$1 }
Then you just use /restore unload

edit
Never mind, it won't work on aliases in remote scripts.

edit 2
Guess you could do something like..
Code:
alias restore {
  var %a = $+(",$isalias(unload).fname,")
  if $read(%a,w,alias*unload*) {
    write -dl $+ $readn %a
    .reload -rs %a
  }
}
The reason for the /reload is to stop warnings about "file X has changed.."




Edited by Iori (27/09/03 01:30 AM)

#51529 - 27/09/03 01:08 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
Thanks, I'll try that. It's sad to see like 2000+ clones from people that have this crap on their computers; I just hope that my file can help some of them out. There have been people on here that have asked why they can't uninstall mIRC and so on. This is the reason.
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51530 - 27/09/03 01:39 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
Nope, didn't work. It still just shows that echo, and the file remains loaded in mIRC. And if I use /!unload filename then I get

* /unload: insufficient parameters

so dunno.
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51531 - 27/09/03 01:41 AM Re: Virus
Collective Offline
Planetary brain

Registered: 10/12/02
Posts: 3138
Loc: London, UK
Use /!unload -nrs file.name.

#51532 - 27/09/03 01:45 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
Nope, that didn't work either.

* /unload: invalid switch

And it doesn't matter how I try; that file is loaded before the "clean" file I'm making, so it takes that unload alias first. So I can't get it to, like, ignore the alias in the first file, and I dunno how I can make it unload the file in a safe way.

alias remote { .remote $1- | .remote on | /echo -ae *** Remote is $1- }

As you see, he has made it look like your remote is set off, but he tampers with every damn alias command, or makes them act like he wants. So it doesn't matter if you type /remote off; it will still be set on. Same for all commands I can think of. And I can't get the damn thing to ignore the alias in his file, and I can't unload it in any easy way.


Edited by sparta (27/09/03 01:56 AM)
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51533 - 27/09/03 01:56 AM Re: Virus
Collective Offline
Planetary brain

Registered: 10/12/02
Posts: 3138
Loc: London, UK
Try removing the n switch then, if you're on an old version (pre v5.91) of mIRC.

#51534 - 27/09/03 02:09 AM Re: Virus
Iori Offline
Hoopy frood

Registered: 30/08/03
Posts: 1831
If you use the code in my second edit, you should then be able to use /unload -rs "filename" (no "!")

#51535 - 27/09/03 02:35 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
Nope, tried it. It didn't remove anything, and it didn't reload the file, and there's no error in the status window.

And if your code should work, shouldn't it look through the files in the mIRC dir and then check for the "alias unload"? I can't see that it's doing that either, and it doesn't show anything in the debug window or in status. It's doing something, but not the thing I want it to do.
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51536 - 27/09/03 02:41 AM Re: Virus
Iori Offline
Hoopy frood

Registered: 30/08/03
Posts: 1831
This is what I did to test it..
In script3.mrc I put
Code:
<a bunch of code>
alias unload {
  echo -s * blah
  halt
}
<a bunch more code>
In a different script I had
Code:
alias restore {
  var %a = $+(",$isalias(unload).fname,")
  if $read(%a,w,alias*unload*) {
    write -dl $+ $readn %a
    .reload -rs %a
  }
}


Then, I typed //restore | unload -rs "D:\mIRC files\m610\Scripts\script3.mrc"
The result:
-
* Unloaded script 'D:\mIRC files\m610\Scripts\script3.mrc'
-

#51537 - 27/09/03 02:48 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
All I get is the echo from the file I want to unload. By the way, it's an ini file.
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51538 - 27/09/03 02:52 AM Re: Virus
Iori Offline
Hoopy frood

Registered: 30/08/03
Posts: 1831
Then use
if $read(%a,w,*=alias*unload*) {

in the restore alias.

#51539 - 27/09/03 02:55 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
* /if: 'unload' unknown operator (line 97, script.mrc)

That mrc file is the script I'm writing, so ignore that.
And I added the line, so now it looks like

Code:
alias restore {
  var %a = $+(",$isalias(unload).fname,")
  if $read(%a,w,*=alias*unload*) {
    write -dl $+ $readn %a
    .reload -rs %a
  }
}
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51540 - 27/09/03 02:56 AM Re: Virus
Iori Offline
Hoopy frood

Registered: 30/08/03
Posts: 1831
Or better..
Code:
alias restore {
  var %a = $+(",$isalias(unload).fname,")
  if $read(%a,w,alias*unload*) || $read(%a,w,*=alias*unload*) {
    write -dl $+ $readn %a
    .reload -rs %a
  }
}
..and cover both possibilities.
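
Added example, not part of the original posts: a read-only Python check that lists aliases redefining built-in commands in a script file, covering both the plain "alias unload" form and the "key=alias unload" ini form the thread distinguishes. The watched-command set, the function name, the [script]/n0= layout of the ini sample and both sample inputs are assumptions constructed for illustration.

```python
import re

# Commands the thread reports being overridden; extend for your own audit.
WATCHED = {"unload", "remote", "socklist"}

# Matches both forms discussed in the thread:
#   alias unload { ... }        plain .mrc script line
#   n12=alias unload { ... }    .ini script line with a key= prefix
ALIAS_RE = re.compile(r"^\s*(?:\w+=)?\s*alias\s+(?:-l\s+)?/?(\S+)\s*(.*)$", re.I)
HALT_RE = re.compile(r"\bhalt\b", re.I)

def find_shadowing_aliases(text, watched=WATCHED):
    """Return (line_no, alias_name, halts) for every alias that redefines a
    watched command. Nothing is modified; this only reports."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ALIAS_RE.match(line)
        if not m or m.group(1).lower() not in watched:
            continue
        # Gather the alias body: the rest of this line plus following lines
        # until the braces balance (multi-line definitions).
        body, j = m.group(2), i
        depth = body.count("{") - body.count("}")
        while depth > 0 and j + 1 < len(lines):
            j += 1
            nxt = re.sub(r"^\s*\w+=", "", lines[j])  # drop ini key= prefix
            body += "\n" + nxt
            depth += nxt.count("{") - nxt.count("}")
        findings.append((i + 1, m.group(1).lower(), bool(HALT_RE.search(body))))
    return findings

# Constructed sample inputs modelled on the lines quoted in the thread.
SAMPLE_MRC = """on *:START:{ echo -s loaded }
alias unload { /echo -ae *** Unloaded script ' $+ $2- $+ ' | halt }
alias remote { .remote $1- | .remote on | /echo -ae *** Remote is $1- }
alias greet { msg $chan hello }
"""
SAMPLE_INI = """[script]
n0=alias unload {
n1=  echo -s * blah
n2=  halt
n3=}
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MRC, SAMPLE_INI):
        print(find_shadowing_aliases(sample))
```

Running it against script files copied out of the mIRC directory, with mIRC closed, avoids relying on any command the loaded script may have redefined.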

#51541 - 27/09/03 02:58 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
Same error on that one.. "and yes, remote is on"
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

#51542 - 27/09/03 03:00 AM Re: Virus
Iori Offline
Hoopy frood

Registered: 30/08/03
Posts: 1831
Quote:
* /if: 'unload' unknown operator (line 97, script.mrc)

That is not from that code. What is line 97?:)

#51543 - 27/09/03 03:05 AM Re: Virus
sparta Offline
Planetary brain

Registered: 22/02/03
Posts: 3432
Loc: Sweden/Borlänge
if $read(%a,w,alias*unload*) || $read(%a,w,*=alias*unload*) {

That's line 97 in my script file. I have search features and stuff above it to find the file I want to unload; no reason to try to clean a file if it's not there. I can put the script at the top if you like, but it would give the same error.

* /if: 'unload' unknown operator (line 3, script.mrc)

when I put it at the start of the file.

alias restore { <<-- line 1
var %a = $+(",$isalias(unload).fname,") <<-- line 2
if $read(%a,w,alias*unload*) || $read(%a,w,*=alias*unload*) <<-- line 3
{


Edited by sparta (27/09/03 03:07 AM)
_________________________
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }
