#66292 02/01/04 05:53 PM
Joined: Sep 2003
Posts: 3
B
Self-satisfied door
OP Offline
Don't know if anyone else has received this message upon entering a channel or not, but I'm guessing it's not a real patch as I've seen nothing about it here on the website or in the forums......

IMPORTANT: It has recently been reported that there is a major bug in -mIRC6.12, allowing malicous users to execute commands remotely, update your mIRC with a patch file you can get it from ~removed~ and help us eradicate this threat, ENJOY & Happy New Year! - Network Security Team

I've received that on several different networks, I'm guessing it's a virus or something if you run the patch. As each person that I've received it from is only running version 6.12, that would seem to me to be a dead giveaway, but then a lot of new(er) users would take what it says as true.

Hope this hasn't been posted before, I looked but couldn't find anything about it and hope it was right to post it, if not I apologize for my mistake.

Last edited by Karen; 03/01/04 01:48 PM.
#66293 02/01/04 06:20 PM
Joined: Nov 2003
Posts: 2,327
T
Hoopy frood
Offline
It is possible that it is a patch, but I wouldn't trust it.


New username: hixxy
#66294 02/01/04 06:52 PM
Joined: Jan 2004
Posts: 2
S
Bowl of petunias
Offline
The link contains a trojan/backdoor. It gives 404 msg when opened in Firebird browser, but I guess it downloads the file fine on IE. I downloaded the file via DAP, it's a 98KB exe file with a nice-looking mIRC icon.

Info from a friend:
[10:40:04] <Spaceman-Spiff> want the exe?
[10:40:13] <ai> why not
[%] successfully sent [mirc6.13.zip] (27.3kb) to ai at [13.6kb/s] in..::2 seconds::..
[10:40:44] <Spaceman-Spiff> nice mirc icon, it has XD
[10:41:27] <ai> also sdbot
[10:41:38] <ai> sdbot is popular as backdoor these days
[10:44:17] <ai> this time it isn't encryped
[10:44:24] <Spaceman-Spiff> ic
[10:44:42] <ai> so its much more lame attempt
[10:44:53] <Spaceman-Spiff> any removal method?
[10:48:00] <ai> remove the advapi service
[10:50:39] <ai> possible botnet: sexor.aix.za.org #test0r

hope that helps, thx to ai/hsim for the info

#66295 02/01/04 07:06 PM
Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
It would be preferred for very obvious reasons that you don't go pasting URLs which might be infected with viruses. Users without antiviruses are just as likely to click on them at these Forums as they are whilst on IRC.

If any official patches are released for mIRC, then they will be posted ONLY on this website. Seeing as only one patch has been released in the past, and that was for special reasons and it was years ago when mIRC wasn't as popular, future patches are not going to be released.

Anything which ends in .exe and is advertised to you privately by someone you do not know is very likely to be a virus, it's a popular file extension for them (but by no means the ONLY extension).

I tried the URL on IE 6 and it didn't work.

Regards,


Mentality/Chris
#66296 02/01/04 07:36 PM
Joined: Jan 2004
Posts: 2
S
Bowl of petunias
Offline
I still have no clue why the url works for some ppl and gives 404 to others. Maybe it only works for IRC newbies? :P

Anyway, here's another lamer version of the message:
[ALERT] mIRC6.12 has a bad bug, causing laggy chatting, update your mIRC6.12 with a patch file you can get it from [url deleted] and that will update your mIRC to mIRC6.13, ENJOY smile

That one is more obvious that it's a fake, since it's using [deleted]...

Last edited by ParaBrat; 03/01/04 08:41 PM.
#66297 02/01/04 08:31 PM
Joined: Dec 2003
Posts: 11
S
Pikka bird
Offline
The original one doesn't work because the domain name resolves to 127.0.0.2. I don't know if this is because of my antivirus software or the people who control the main domain name have been made aware of the abuse.

John.

#66298 02/01/04 11:11 PM
Joined: Jun 2003
Posts: 384
D
Fjord artisan
Offline
Never mind...

<Deleted by DekuHaze>

Last edited by DekuHaze; 02/01/04 11:13 PM.
#66299 03/01/04 12:56 AM
Joined: Jan 2004
Posts: 1
S
Mostly harmless
Offline
Well hello there!

I'm one of these newbies and I downloaded the patch. *lol* (I'm using mirc 3 days now... smile)

Okay, I deleted the advapi file. Any other things I should be aware of? What about the registry? In HKEY_LOCAL_MACHINE/SOFTWARE/microsoft/windows/currentversion/run and in HKEY_LOCAL_MACHINE/SOFTWARE/microsoft/windows/currentversion/runservice there's also a key? called advapi.exe. Delete it, too ?!

Hopefully someone can help,

Cheers
stupid
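
A read-only way to inspect the autostart locations raised in the post above, as an added example that is not part of the original thread. It lists the `Run` and `RunServices` values under HKLM and HKCU and flags entries matching `advapi`, the file name reported by posters; the `$Pattern` parameter and the report columns are assumptions of this example, and nothing is deleted or modified.

```powershell
# Added example: read-only audit of the autostart keys mentioned in the thread.
# 'advapi' is the name posters reported; a match is a hint to investigate, not proof.
param([string]$Pattern = 'advapi')

$keys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunServices') {
        "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
    }
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # RunServices is absent on many systems
    $item = Get-Item -LiteralPath $key
    foreach ($valueName in $item.GetValueNames()) {
        $command = [string]$item.GetValue($valueName)
        # Extract the executable: a quoted path first, otherwise the text up to the first space.
        # (Unquoted paths containing spaces will not resolve and show as FileNotFound.)
        if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($command.Trim() -split '\s+', 2)[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # A bare file name, as in the thread, is resolved through PATH.
        $resolved = if ($exe) {
            Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1 -ExpandProperty Path
        }
        $signature = if ($resolved) { (Get-AuthenticodeSignature -LiteralPath $resolved).Status }
                     else { 'FileNotFound' }
        [pscustomobject]@{
            Key       = $key
            Value     = $valueName
            Command   = $command
            File      = $resolved
            Signature = $signature
            Suspect   = ($valueName -match $Pattern) -or ($command -match $Pattern)
        }
    }
}

# Suspect entries first; unsigned or missing files deserve a second look as well.
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

An entry whose file has already been deleted shows up as `FileNotFound`, which is how a leftover autostart value for a removed executable would appear.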

#66300 03/01/04 01:14 AM
Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
You should not play around in the Registry unless you know what you're doing, even if you know it's related to a virus it could cause damage.

I suggest you download a program like AVG, The Cleaner or SwatIT and clean your computer.

In future, do not:

- Click on URLs which are advertised to you, either in channel or in PM (Private Message).

- Accept files from people you don't know.

- Open emails from people you don't know, or open email attachments.

You should also always have a working and up-to-date AntiVirus program running on your computer at all times, and if it has an "Auto Protect" feature, have it enabled.

Happy chatting!

Regards,


Mentality/Chris
#66301 03/01/04 07:25 AM
Joined: Sep 2003
Posts: 3
B
Self-satisfied door
OP Offline
Sorry about posting the URL, didn't even cross my mind to edit it out, but if one of the moderators would edit it out, I'd appreciate it.
Won't happen again.

#66302 03/01/04 04:17 PM
Joined: Dec 2002
Posts: 177
K
Vogon poet
Offline
No problem, already done. Lots of vigilant members here help protect others. grin

#66303 03/01/04 08:47 PM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
Offline
Just as an added note for new users, if there was a mIRC v6.13 or any other version, it would be found on www.mirc.com so always check there rather than trusting total strangers who urge you to download something.


ParaBrat @#mIRCAide DALnet
#66304 04/01/04 02:25 PM
Joined: Aug 2003
Posts: 309
N
Fjord artisan
Offline
I have seen this before on other networks, including my own. On the network I run we have been getting visits from what we like to call drones. They've been going around advertising a URL that seems to go to an error page but in reality it's a trojan. Without you knowing it you install a virus. This virus installs into a hidden folder and will run itself every time you log online. NONE of the antivirus software out there have a definition for this trojan yet. I have tried them all... clean, AVG, Norton, McAfee yadda yadda yadda. So in short don't click on any URLs unless you know exactly what it goes to.


-Nick (Darko)
-Admin irc.aussiechat.org
-#Chatzone, #helpdesk
#66305 04/01/04 08:16 PM
Joined: Jan 2004
Posts: 2
N
Bowl of petunias
Offline
But I have already d/l it and it's affecting my online connection. How can I get rid of it? Please help me!!

#66306 04/01/04 09:06 PM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
Offline
Please read my reply to your PM as well as the links that are posted in this thread and others on the subject.


ParaBrat @#mIRCAide DALnet
#66307 26/01/04 08:27 AM
Joined: Dec 2003
Posts: 21
E
Ameglian cow
Offline
I prefer the manual way of registry cleaning.

I won't trust the registry apps or any apps that will clean viruses for you.

The SDbot virus is easy to clean the manual way.



ELY M.
