#66292 02/01/04 05:53 PM
BlueFisher
Don't know if anyone else has received this message upon entering a channel or not, but I'm guessing it's not a real patch as I've seen nothing about it here on the website or in the forums......

IMPORTANT: It has recently been reported that there is a major bug in -mIRC6.12, allowing malicous users to execute commands remotely, update your mIRC with a patch file you can get it from ~removed~ and help us eradicate this threat, ENJOY & Happy New Year! - Network Security Team

I've received that on several different networks, I'm guessing it's a virus or something if you run the patch. As each person that I've received it from is only running version 6.12, that would seem to me to be a dead giveaway, but then a lot of new(er) users would take what it says as true.

Hope this hasn't been posted before, I looked but couldn't find anything about it and hope it was right to post it, if not I apologize for my mistake.

Last edited by Karen; 03/01/04 01:48 PM.
#66293 02/01/04 06:20 PM
Joined: Nov 2003
Posts: 2,321
T
Hoopy frood
Offline
It is possible that it is a patch, but I wouldn't trust it.

#66294 02/01/04 06:52 PM
SpacemanSpiff
The link contains a trojan/backdoor. It gives 404 msg when opened in Firebird browser, but I guess it downloads the file fine on IE. I downloaded the file via DAP, it's a 98KB exe file with a nice-looking mIRC icon.

Info from a friend:
[10:40:04] <Spaceman-Spiff> want the exe?
[10:40:13] <ai> why not
[%] successfully sent [mirc6.13.zip] (27.3kb) to ai at [13.6kb/s] in..::2 seconds::..
[10:40:44] <Spaceman-Spiff> nice mirc icon, it has XD
[10:41:27] <ai> also sdbot
[10:41:38] <ai> sdbot is popular as backdoor these days
[10:44:17] <ai> this time it isn't encryped
[10:44:24] <Spaceman-Spiff> ic
[10:44:42] <ai> so its much more lame attempt
[10:44:53] <Spaceman-Spiff> any removal method?
[10:48:00] <ai> remove the advapi service
[10:50:39] <ai> possible botnet: sexor.aix.za.org #test0r

hope that helps, thx to ai/hsim for the info

#66295 02/01/04 07:06 PM
Joined: Jun 2003
Posts: 4,670
M
Hoopy frood
Offline
It would be preferred for very obvious reasons that you don't go pasting URLs which might be infected with viruses. Users without antiviruses are just as likely to click on them at these Forums as they are whilst on IRC.

If any official patches are released for mIRC, then they will be posted ONLY on this website. Seeing as only one patch has been released in the past, and that was for special reasons and it was years ago when mIRC wasn't as popular, future patches are not going to be released.

Anything which ends in .exe and is advertised to you privately by someone you do not know is very likely to be a virus, it's a popular file extension for them (but by no means the ONLY extension).

I tried the URL on IE 6 and it didn't work.

Regards,

#66296 02/01/04 07:36 PM
SpacemanSpiff
I still have no clue why the url works for some ppl and gives 404 to others. Maybe it only works for IRC newbies? :P

Anyway, here's another lamer version of the message:
[ALERT] mIRC6.12 has a bad bug, causing laggy chatting, update your mIRC6.12 with a patch file you can get it from [url deleted] and that will update your mIRC to mIRC6.13, ENJOY smile

That one is more obvious that it's a fake, since it's using [deleted]...

Last edited by ParaBrat; 03/01/04 08:41 PM.
#66297 02/01/04 08:31 PM
Sarky
The original one doesn't work because the domain name resolves to 127.0.0.2. I don't know if this is because of my antivirus software or the people who control the main domain name have been made aware of the abuse.

John.

#66298 02/01/04 11:11 PM
DekuHaze
Never mind...

<Deleted by DekuHaze>

Last edited by DekuHaze; 02/01/04 11:13 PM.
#66299 03/01/04 12:56 AM
Stupid
Well hello there!

I'm one of these newbies and I downloaded the patch. *lol* (I'm using mirc 3 days now... smile)

Okay, I deleted the advapi file. Any other things I should be aware of? What about the registry? In HKEY_LOCAL_MACHINE/SOFTWARE/microsoft/windows/currentversion/run and in HKEY_LOCAL_MACHINE/SOFTWARE/microsoft/windows/currentversion/runservice there's also a key? called advapi.exe. Delete it, too ?!

Hopefully someone can help,

Cheers
stupid
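
A read-only check of the locations named in the post above, added here as an example and not part of the original thread. It assumes the only indicator is the file name advapi.exe as reported in this thread, and it uses RunServices, the standard spelling of the key the post calls "runservice"; it lists matches and changes nothing.

```powershell
# Read-only audit: lists autorun values and services that reference the
# file name reported in this thread. Nothing is modified or deleted.
# Assumption: the indicator is "advapi.exe" (taken from the thread).
# Note: advapi32.dll is a legitimate Windows library and is NOT a match here.
$indicator = 'advapi.exe'

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # RunServices is a Windows 9x-era key and is often absent on current Windows
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Match on the value name or on the command line it launches
        if ($name -like "*$indicator*" -or $data -like "*$indicator*") {
            [pscustomobject]@{ Key = $key; ValueName = $name; Command = $data }
        }
    }
}

# The thread also mentions an "advapi service": list services whose name is
# advapi or whose binary path references the indicator file.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq 'advapi' -or $_.PathName -like "*$indicator*" } |
    Select-Object Name, State, StartMode, PathName

if ($findings) { $findings | Format-List } else { 'No matching autorun values found.' }
if ($services) { $services | Format-List } else { 'No matching services found.' }
```

Recording the Command and PathName values before any cleanup shows where the executable actually sits on disk, so the scanner or responder can confirm the file itself is gone.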

#66300 03/01/04 01:14 AM
Joined: Jun 2003
Posts: 4,670
M
Hoopy frood
Offline
You should not play around in the Registry unless you know what you're doing, even if you know it's related to a virus it could cause damage.

I suggest you download a program like AVG, The Cleaner or SwatIT and clean your computer.

In future, do not:

- Click on URLs which are advertised to you, either in channel or in PM (Private Message).

- Accept files from people you don't know.

- Open emails from people you don't know, or open email attachments.

You should also always have a working and up-to-date AntiVirus program running on your computer at all times, and if it has an "Auto Protect" feature, have it enabled.

Happy chatting!

Regards,

#66301 03/01/04 07:25 AM
BlueFisher
Sorry about posting the url, didn't even cross my mind to edit it out, but if one of the moderators would edit it out, I'd appreciate it.
Won't happen again.

#66302 03/01/04 04:17 PM
Joined: Dec 2002
Posts: 154
K
Vogon poet
Offline
No problem, already done. Lots of vigilant members here help protect others. grin

#66303 03/01/04 08:47 PM
Joined: Dec 2002
Posts: 3,015
P
Hoopy frood
Offline
Just as an added note for new users, if there was a mIRC v6.13 or any other version, it would be found on www.mirc.com, so always check there rather than trusting total strangers who urge you to download something.

#66304 04/01/04 02:25 PM
Joined: Aug 2003
Posts: 297
N
Fjord artisan
Offline
I have seen this before on other networks, including my own. On the network I run we have been getting visits from what we like to call drones. They have been going around advertising a url that seems to go to an error page, but in reality it's a trojan. Without u knowing it u install a virus. This virus installs into a hidden folder and will run itself every time u log online. NONE of the antivirus software out there have a definition for this trojan yet. I have tried them all... clean, AVG, Norton, McAfee, yadda yadda yadda. So in short, don't click on any urls unless u know exactly what it goes to.

#66305 04/01/04 08:16 PM
ninja1216
But I have already d/l it and it is affecting my online connection. How can I get rid of it? Please help me!!

#66306 04/01/04 09:06 PM
Joined: Dec 2002
Posts: 3,015
P
Hoopy frood
Offline
Please read my reply to your pm as well as the links that are posted in this thread and others on the subject.

#66307 26/01/04 08:27 AM
ELY_M
I prefer the manual way of registry cleaning.

I won't trust the registry apps or any apps that will clean virus for you.

SDbot virus is easy to clean the manual way.


