mIRC files in C:\winnt\system32\drivers - trojan? #63701 11/12/03 03:22 PM
oceanclub Offline OP
Mostly harmless
Joined: Dec 2003
Posts: 1
While searching for the file "explorer.exe" on XP (due to it having a
high CPU usage), I found a copy in the folder
C:\winnt\system32\drivers. In this folder, I also found the following
files:

FireDaemon.exe
hexplore.exe
explore.exe
remote.ini
script1.ini
sec.bat
winini.bat

explore.exe had the name mIRC associated with it; doing a search for
it turned up the name of a trojan. Needless to say, this all looked
pretty suspicious. However, searching my registry turned up none of
the registry entries associated with this virus. And I run anti-virus
and anti-trojan software regularly, so am surprised nothing was
detected.

I found mIRC in the "Add/Remove Programs" dialog box, and I recall
installing IRC software a year or two back. (I removed it once found.)
Is it possible this was a trojan, or does the legit mIRC install files
to the above folder, and therefore can be confused with the trojan?

Should I be worried, and if so, what should I look for, and can anyone
recommend a good anti-trojan program? (I moved from the now-default
Anti-Trojan 5.5.x to the new a(2)).

Would appreciate it if anyone knowledgeable about mIRC could reply,

Thanks,

P.

Re: mIRC files in C:\winnt\system32\drivers - trojan? #63702 11/12/03 03:29 PM
KingTomato Offline
Hoopy frood
Joined: Jan 2003
Posts: 3,012
To be on the safe side, I'd make a visit to www.trendmicro.com for a free virus scan. It's quick and easy, and should find anything you might want to know of. It's always nice to have a second opinion anyway.


-KingTomato
Re: mIRC files in C:\winnt\system32\drivers - trojan? #63703 11/12/03 05:52 PM
Iori Offline
Hoopy frood
Joined: Aug 2003
Posts: 1,831
"can anyone recommend a good anti-trojan program?"
http://www.simplysup.com/tremover

Re: mIRC files in C:\winnt\system32\drivers - trojan? #63704 11/12/03 06:37 PM
Raccoon Offline
Hoopy frood
Joined: Feb 2003
Posts: 2,662
To answer your question... No, mIRC does not install files in your \system32\drivers directory, or anywhere but the designated program folder. This is definitely a sneaky installation. Also search your hard drive for the file "mirc.ini", which can often locate a sneaky install.

Since you are using an NT flavor of Windows, you should benefit from the freeware program TCPView, available at www.sysinternals.com. This program will list all processes that are making or attempting to make an internet connection. If your little "drone" (IRC trojan) is active and connecting to IRC, this will tell you.

Good luck.

- Raccoon


Well. At least I won lunch.
Good philosophy, see good in bad, I like!
Re: mIRC files in C:\winnt\system32\drivers - trojan? #63705 11/12/03 11:31 PM
Mouse_103 Offline
Ameglian cow
Joined: Jun 2003
Posts: 23
Here is my advice: do a netstat and find the IRC server that the trojan is connected to.

If you're connected to that IRC server, be sure to note that. If it's a public IRC network like DALnet or EFnet, be sure to go to #help and inform an IRCop. To find an IRCop, just do /stats p or /who o 0; IRCops always have masked hosts like 'Oper' or Net-Admin. The IRCops should remove the offending 'trojan bots' channel. There are usually login and remove commands. The stuff is always visible and can be read easily if you know mIRC scripting well; you could understand how mIRC trojans work. If you got the login to the trojans, you could do !remove or !- exit or !- quit.

You also should set a strong password on your NT accounts; WinXP is similar to Win2000, and WinXP does have NT accounts.
Just delete the files from your drivers dir.

Anti-trojan programs won't help anything because people who write trojans change the files all of the time. They even use AVs and anti-trojan programs to check their files.
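Raccoon's advice (TCPView, searching for mirc.ini) and Mouse_103's netstat suggestion above can be scripted as a quick triage check. This is an added example, not code from the thread or from mIRC or Sysinternals: it parses constructed `netstat -ano` output and a constructed file listing, and the IRC port range, sample addresses and PIDs are assumptions; the file names are the ones listed in the original post.

```python
from pathlib import PureWindowsPath

# Ports IRC servers commonly use (6660-6669, 7000): an assumed heuristic, not an exhaustive list.
IRC_PORTS = set(range(6660, 6670)) | {7000}
# Names from the original post's directory listing, plus mirc.ini which Raccoon suggests searching for.
BOT_FILE_NAMES = {"mirc.ini", "remote.ini", "script1.ini", "sec.bat", "winini.bat",
                  "firedaemon.exe", "hexplore.exe", "explore.exe"}

def parse_netstat(text):
    """Parse Windows `netstat -ano` output into rows (proto, remote host/port, state, pid)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and 'Active Connections' lines
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) == 5 else ""  # UDP rows have no State column
        rhost, _, rport = remote.rpartition(":")
        rows.append({"proto": proto, "local": local, "rhost": rhost, "state": state,
                     "rport": int(rport) if rport.isdigit() else None, "pid": int(parts[-1])})
    return rows

def flag_irc_connections(rows):
    """Established TCP connections to an IRC-looking port; the PID leads to the bot process."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS]

def classify_files(paths):
    """Known bot/mIRC names are 'expected' under a mIRC program folder and 'suspicious' elsewhere."""
    verdicts = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in BOT_FILE_NAMES:
            in_mirc_folder = any("mirc" in part.lower() for part in wp.parent.parts)
            verdicts.append((p, "expected" if in_mirc_folder else "suspicious"))
    return verdicts

# Constructed sample data, not captured from a real machine.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.5:1043       192.0.2.10:6667        ESTABLISHED     1588
  TCP    192.168.1.5:1050       198.51.100.7:80        ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_FILES = [r"C:\winnt\system32\drivers\explore.exe", r"C:\winnt\system32\drivers\remote.ini",
                r"C:\winnt\system32\drivers\FireDaemon.exe", r"C:\winnt\system32\drivers\ntfs.sys",
                r"C:\Program Files\mIRC\mirc.ini"]
```

On XP the PID column from `netstat -ano` maps to a process in Task Manager, which is the same process-to-connection view TCPView shows; a flagged PID whose executable lives under \system32\drivers is the thing to investigate.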

Re: mIRC files in C:\winnt\system32\drivers - trojan? #63706 12/12/03 02:04 AM
RockHound Offline
Babel fish
Joined: Oct 2003
Posts: 80
Mouse, um, going to an IRC server and informing the IRCop is not always the best idea. You see, half the IRCops out there do the rooting. They do it so people will join their server to make them look big. That's with the smaller IRC networks anyway.

The best thing to do is remove it and suck it up. Then put on a firewall and set passwords for Windows, not common ones. Do not use logins such as administrator or god, or passwords such as 1234 or qwerty. Last, get an anti-virus, not Norton's. Norton's will not pick up the IRC trojan. AVG 7 does.


RockHound
Re: mIRC files in C:\winnt\system32\drivers - trojan? #63707 12/12/03 02:18 PM
emkookmer Offline
Ameglian cow
Joined: Jan 2003
Posts: 28
I know those files.
They are used for an XDCC bot called iroffer, one of the most used fileserver bots there is.
In other words, you were hacked and used as an XDCC bot.
Some virus scanners will see it as a trojan, but it isn't a trojan.

To prevent this from happening again, do as RockHound said:
use a firewall and use passwords that are not easy to crack.


Re: mIRC files in C:\winnt\system32\drivers - trojan? #63708 12/12/03 08:30 PM
Raccoon Offline
Hoopy frood
Joined: Feb 2003
Posts: 2,662
Heh, well one man's xdcc bot is another man's trojan. :tongue:

Re: mIRC files in C:\winnt\system32\drivers - trojan? #63709 15/12/03 12:54 AM
Marantz Offline
Vogon poet
Joined: Mar 2003
Posts: 160
Kind of looks like your machine got owned; those types of files are uploaded to directories for harmful use, and they usually go undetected. I would also do a good port scan on yourself and see if anything is open that shouldn't be.