Forums General Discussion malware.Bkdr_Ircflood.X

I recently scanned my system with TrendMicro's HouseCall, and it found malware.Bkdr_Ircflood.X running in memory (and cleaned it). It never found any files that were infected with the virus, just said it was running in memory. I decided to format (it was time to format anyway), and after installing Windows XP and mirc 6.14 (did the same with 6.12), HouseCall found it again.

I was wondering if this was a HouseCall bug or if anyone else had this problem?

Sounds like it could be a false positive where the scanner thinks it found something from code (in a file) that mimics a virus. Did it find it in a mirc file or a mirc script (or neither)?

EDIT - if you check the TROJAN INFO link, you can see a few other places to try and scan with for more of a well rounded idea/opinion

Thanks for the reply! It didn't find either mIRC itself or an mIRC script (didn't have one installed at time of scan). When it was scanning memory and system files, it would find malware.bkdr_ircflood.x if mIRC was running. If mIRC wasn't running at the time, it wouldn't find it.

I'm also scanning using tools from the thread you link right now. Of the few that have completed, only HouseCall house found this virus. I'm beginning to think that it is indeed a false positive detected by HouseCall.

Indeed, to follow on from above, it's always good practice to use more than one antivirus and/or trojan scanner. 'False positives' are common, and you can never be too safe.
The opposite can be true aswell whereby an antivirus will not detect a virus but another one will. If the AVs you have, have an "Auto Protect" feature then you should have it enabled too.

Stay safe

Regards,

Hello,

I'm having the exact same problem with the TrendMicro's HouseCall scanner. Everytime I open mIRC I get the BKDR_IRCFLOOD.X virus as the same problem you have. I did get rid of the ieexec.exe program, checked my registries to see if it's infected, but I found nothing. I too believe that the scanner is Fasle. If you happen to find a scanner that also picks BKDR.IRCFLOOD.X, please reply or e-mail me @ jamesbond236@hotmail.com with a apporiate title regarding the virus BKDR_IRCFLOOD.X which appears on the TrendMicro's HouseCall scanner.

Thanks,
- Jay

It's still a good virus scanner and is widely used even if it does turn up some wrong results - obviously it's just sensitive. If you simply scan with 2-3 of the virus scanners that appear in the Trojan resources thread you should know if you're clean or not.

Just an FYI, I wouldn't suggest posting your email on the public Forum, spam bots crawl the web and pick up those emails subsequently spamming them.

Stay safe

Regards,

I've come up with the same. Digging through some logs and stuff, here is what is setting it off:

Debug Information Level=0
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\DefaultIcon]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Application]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\ifexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Topic]
BackupRegKey[HKEY_CLASSES_ROOT\.cha]
BackupRegKey[HKEY_CLASSES_ROOT\.chat]

and

Damage Cleanup Engine (DCE) 3.5(Build 1119)
Windows XP(Build 2600: Service Pack 1)

Start time : Fri Mar 26 02:49:08 2004


Load Damage Cleanup Template (DCT) "H:\WINDOWS\tsc.ptn" (version 298) [success]
BKDR_IRCFLOOD.X[virus found]
-->delete registry data("HKEY_CLASSES_ROOT","ChatFile\DefaultIcon",""E:\mIRC\mirc.exe"") success
-->delete registry key("HKEY_CLASSES_ROOT","ChatFile","") success
-->delete registry key("HKEY_CLASSES_ROOT",".cha","") success
-->delete registry key("HKEY_CLASSES_ROOT",".chat","") success

Complete time : Fri Mar 26 02:49:14 2004

Execute pattern count(718), Virus found count(1), Virus clean count(1), Clean failed count(0)

Yes, I also have received the BKDR_IRCFLOOD.x, and only Trend Micro seems to be finding this file, and each time it's Housecall removes it, and I reboot my computerand this file shows up again!

I have used NAV 2004 Pro, KAV, McAfee, AVG, Pest Patrol, Spybot Seach & Destroy, and Trojan Hunter, the GFI Online Trojan Scanner, and none of these showed BKDR_IRCFLOOD.x!

Is BKDR_IRCFLOOD.x actually a file, much less a form of malware? I have spent the better part of the past 5 hours scouring my two computers and notebook here at home.

Jammy

I couldnt tell you as ths is not my area of expertise (aka how trojans work and what their filenames are called etc)

CLICK

@rew:
Debug Information Level=0 etc.
So it's harmless?

Like almost everyone else I too have that backdoor on my system. Only trend micro seems to find it, but not on every system. Even at home, where I have 3 different computers, just 1 is "infected".
Though I think nothing is wrong, (using cmd and looking at netstat gives on open connection I didn't open myself), I do found something else. When connecting to irc.quakenet.org and joining #5on5 I got G-Lined. (Probably just an on join G-Line).
Still it's weird that everytime you start mirc again, you have been "infected" again.

Thanks! But ya know that I have never had any of those entries in my registry!!! I get so tired of manually going to my registry only to not find anything.

Trend Micro may have found something but how come none of the other AV programs can find anything?

Another reason why I agree that this is just a false positve.

Jammy

it's not at all uncommon for one AV to find something that another one doesnt. have you contacted trendmicro to ask them to investigate whether its a false positive? don't just assume it is. altho, if it was something within the basic mIRC (as downloaded from mirc.com) triggering it, then seems like everyone with mIRC who uses housecall would get the same results

I too have had this "virus". However, for me it only comes back after I restart mirc. If I start mirc, exit, clean it, restart mirc....its there again. Dont open mirc, it doesnt appear!

I have none of those registry entries mentioned, nor the .exe file. Fortunately, I found this thread before I tried a format. Think I might try emailing Trend Micro about this.

kilo

Have'nt you guys experienced any effects from the malware ?

For me the malware deleted all my Internet explorer Favorites ( which was extremely frustrating) and changed my startingpage.

I think what most of these guys are saying is that Trendmicro is turning up a confirmed infection when actually, they are not infected - meaning they would not suffer.

Perhaps you really were infected and therefore, you did.

Hope you manage to get back on track though :-)

Regards,

I have the same problem..can´t anyone help cleaning this virus?

CtrlAltDel provided a link to trendmicro that details how to clean that virus if you are in fact infected with it. Unless every file and all registry entries are removed, each time you open mIRC the trojan will restart.

Whether there is something triggering a false positive in puters that arent actually infected, i dont know

i have the same problem,

i find out that this worm is creating 3 files in folder %windows%\temp
files are: mirc.exe , lol.exe and lol.bat

if i open any txt file , my system is shuting down (load at 1st the lol.bat file, and then the mirc.exe and lol.exe)

- trendmicro is the only tool to find this worm (but he didnt say what file is infected, only "systemfiles")

if i reinstall windows , i solved this problem, or i get this worm again if i connect to IRC ?

sorry for my bad english
best regards
Whity

You have to delete Windows\System32\notepad.exe which is a self extracting file - virus. You can either:

1) replace this file with the standard Windows/notepad.exe

2) delete any reference to 'System32\notepad.exe' in your registry. When you do that, if you try and open a txt file, windows will ask you to select a program to open it with - just choose Windows\notepad.exe

"Good day!
I apologize for the inconvenience we are causing you. Please place the mIRC executable in the exception list to avoid the false detection:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=17323
In the meantime, we will inform our virus doctors regarding this problem so that they can analyze it.
Thank you for using Trend Micro for your computer protection software. Please do not hesitate to let us know if you have further inquiries. Other means of reaching our office are indicated below.
Regards,
Trend Micro, Inc.
John Lolin
Consumer Support Team"

wel ... ok ? dslreports

thanks for the info, just saw it today myself. hopefully someone will keep us updated with what TrendMicro's further analysis comes up with.

Word of caution: its always best to thoroughly check for the items that are listed as being part of this or any virus to be on the safe side. Dont just assume anything found is a false positive until you are sure.

the soloution was great but only intended for trend 2004...i have an updated trend 2002 and still i get a series of dos attacks whenever i log on to mirc so i have to reboot again. i tried looking for the exception folder myself and found it and included the mirc folder but still after a few minutes logging in it..same result..dos attacks..then reboot. thanks for the info and i apologized for asking...i must accept im a newbie to pc security. good day!

If you are re-installing mIRC from an executable that you have stored on a CD somewhere, then maybe that executable is infected - probably downloaded from a site other than those specified at www.mirc.com.

If those 3 files keep reapperaing even after a re-install, then I'd redownload the mIRC installation program from a reputable source!

wow there is still no fix for this?

Yes there is. After just a quick look, I believe that this is a false positive. At least I hope.

The solution to this "virus" appears to be to install version 5.7.

Something in the registry I think that was added in version 5.8 and above, or something appears to trigger the Trend Micro alarm. I'm not sure what this could be, perhaps it is the registry keys indicated in the previous post.

I have this, too.

And I just got this yesterday night when I clicked on a link in a channel. It was from a person I know so, I didn't think it was fishy. Also, once you are infected w/ this, you advertise that link at certain intervals and only other ppl can see that link and not you, so you don't know about it.

I never had anything of this sort before so I _don't_ think this is a false positive.

I have also come to the following conclusion (like some before):

-it's a mirc backdoor.
-it doesn't self-re-install after booting your comp.
-it does that only after mirc.exe is executed.
-so far, only trend micro has picked this up.

*********************************

I went to this site for help, http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_IRCFLOOD.X (someone here posted it).

But, I am having some problems w/ their manual removal.



I can't find a file named "ieexec.exe."



Again, I didn't have ieexec.exe key in there. Although, my key had " -no connect" at the end. Does anyone know what that means? I removed. mIRC seems to be working fine so far.



I don't have a key named "chatfile."

And similar problems w/ the rest of their solution.

I am actively seekying a resolution to this and will post when I find something new.

*sigh*

as i said in an earlier post, that trojan does exist in the wild, so its always possible some users are actually infected. Its only been happening recently with trendmicro's housecall that some ppl are being told they are infected with it but when they check, they dont have any of the files or registry changes noted as being dropped by that trojan. Trendmicro has said their virus doctors are investigating to see if there is something triggering a false postive. Until someone gets a response from them with the results of their analysis, we can only speculate.

Hi. I'm brand new to this board, but I've been on mIRC a good six years now. I know better than to accept files ppl send to me without my having asked for them. I know better than to click on url's posted by just anyone in a channel. I know better than to type whatever someone may say to type. I too am having the BKDR_IRCFLOOD.X problem with trend micro. This time though, I watched carefully (for once) and the message just said HouseCall had found a malware.BKDR_IRCFLOOD.X and had cleaned it. It didn't say where it was found or which file it was found in. So, I went back to mIRC, and connected to my favorite server, then disconnected, and sure enough, it happened again. So, again, I reconnected to mIRC and disconnected. Then I went through the regedit procedure, and lo and behold none of the items mentioned by Trend Micro (or HouseCall whichever they prefer to call themselves) were listed in the regedit area. Therefore, my conclusion is, yes it, in my case at least, is a false alarm. (I used to run Pc Cillen II years ago, back in the days when puters wore animal skins, and it gave a false positive on an animated card a friend of mine sent to about six of us. Everyone else was running Nortons or Macafees, but me, and their a/v proggies did not hit on that card as being a virus. It was the title that set it off for me (apparently PC Cillen was super sensitive back then?) I spent something like four hours online with a friend that night trying to figure out if I had been infected or not (I was a true newbie in those days). I have to wonder if all of us who are having this problem are using the same version of mIRC? I'm running 6.12. I d/l mine from the official website too. Perhaps we're the only ones affected and therefore it's some sort of a benign glitch in the mIRC program itself??? Any thoughts (afterall, I may have been around the block a few times on mIRC, but I'm no puter pro for sure). I've been hit with so many things, and luckily my e_trust program has pulled my fat out of the fire each time. Anyway, I've rambled on enough for the new kid on the block. And thanks to whoever it was that posted those links for other sites offering free online scans. I ran one of the spy bot checkers (whatever the tecchie term is), and I am free and clean of ickies like that too...thanks again!
ouizee

its only been happening recently, and reports from users say its happening on more than one version of mIRC. I use housecall regularly and checked for all the files and registry entries before using it this time. (last time i had no probs) None present. Had the same thing happen that you and others report using Housecall. Opened mIRC (didnt even bother to connect), checked again, ran the scan again. Same thing. While i am inclined to agree it is indeed a false positive for many ppl (especially since no one is more neurotic about avoiding potential for trojans than i am) until Trendmicro's virus docs figure out what's going on we're making educated guesses. Check it out, run a couple other things to be sure, and wait for them to let us know their findings. I'm sure if it is a false positive they will make the necessary tweaks.

I'm having the exact same problem as johnbull. I've run every free AV program I can get my hands on. I've also run Spybot and Ad-Aware, yet only trendmicro finds it, and my typical trendmicro run ends up with the same results as john's.

For the most part, I believe it is a false positive, yet for some reason I've been mysteriously k-lined from a server I very rarely join on plus the servers I idle on frequently, I tend to get nickserv killed and I get more software connection aborts. Before I noticed I had this malware.bkdr_ircflood.x on my computer, I hardly ever had any of these problems. Now they happen 1-2 times an hour.

I'm starting to get worried, because I have no clue where this trojan is at, if I do, in fact, have one. I hope someone finds an answer quick.

I wouldn't mind at all if this was a false positive but, the thing is "Why now?"

I've been scanning my comp w/ trend micro for a long time and did couple of days before mirco caught it.

And another thing, right now, there are so many of these links running around rampant on mirc. I've never seen so many infected ppl (ppl advertising, which they can't see).

Now, if I am not infected w/ anything then why was I advertising the infection borne link?

My guess is that this is opening a port (obviously). It's only a matter of time when he installs a trojan through that port. So, what I do is this; scan after I connect to mirc (don't have to scan the whole hd just till MT removes this thing.)

AV constantly add things, i didnt have any problem a couple days before either. Its always possible someone is actually infected, but when none of the files or registry changes are present, ppl cant help but wonder if its a false positive. they do happen

Let me begin by saying I've read every post here and still am not sure what to believe

One thing you might find interesting is if I run a trendmicro scan while running mirc I get a different virus alert

the virus is worm_thrax.a

http://de.trendmicro-europe.com/enterpri...amp;amp;VSect=T is where more information of this can be found. When I run trendmicro when IRC is not running it detects Bkdr_Ircflood.X.


I'd really like any information about this.

Thank you for reading.

Read this thread, http://www.esreality.com/?a=post&id=647799 , too.

Some of these guys ARE infected with a " wsz32.exe."

Again, I found nothing of the sort.

simular but would like to add:
using xp pro

when i found that there was no 'chatfile' key in my registry, i did a system restore to a point before i had the virus and the chatfile key was there. kinda made me doubt that this is a false positive.... I then un-did the system restore and did the following.

a registry search [start-run-regedit-click edit-find-then type in the file name] for the IEEXEC.EXE file and found it along with BKDR_IRCFLOOD* and malware.BKDR_IRCFLOOD.* Next i removed those 'entrys' from my registry, just deleted the info and left the field blank.

Today i did the same registry search and the IEEXEC.EXE file is back but the other two files were not present.

During all of this i countiued to scan using trendmicro and the 'malware cleaned' pop up would occure every time even though i had removed the files from my registry.

if this is a false positive, it sure is an active one!!!

I really do think this is a false positive for some. For those like me, (where during the "system file" search, which is prior to searching any files, it says "found and cleaned malware.Bkdr_Ircflood.X", but does not list any files, and then the check runs through all files on the hard drive and finds nothing. I checked on the page given earlier "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_IRCFLOOD.X" which lists details about the virus. Under my registry entry, the default points to mirc.exe like it should, and not ieexec.exe like the page says it does. Also, I think I know why everytime you restart mIRC it will re-find the virus and clean it again. On that same page it talks about many registry locations of "chatfile...". Well apparently, when you start up mIRC, all these entries are created. I checked them, and they all pointed to mirc.exe and not ieexec.exe, however, I believe that the trendmicro scanner is seeing these entries and assuming that it is the virus, and deletes those entries. Because after I run the virus scan and it says it cleaned it, I can no longer find any entries of "chatfile...". However, again if I close mIRC and restart it, those entries are back. I think this is where the false positives are coming from. Just a guess. Anyone care to comment on this? Please let me know, if you are like me, and have to same thing, with those reg entries reapearing everytime you start mIRC, but with them pointing to your mirc.exe and not an ieexec.exe. Thanks.

PS. This is not directed to any one person. Just to those that are having a similar situation where NO FILES are listed as infected, just during the "system file" scan at the beginning.

One final thing, just so someone can verify this for me. I have mIRC version 6.14 downloaded from mirc.com and installed. My mirc.exe has a MD5 Sum of: 31F010FCF0B67737B04F3B8F2C2639F5
If someone else who does NOT have this problem can check theirs and see if it matches mine, that would be great. Thanks.

This is starting to really annoy me.. I've done everything I can to get rid of this. I've found nothing that housecall says I should find. No virus's trojans worms, nothing. Yet I still get this msg when I scan.. So is this something we can ignore?

Id say (after all this time) if trend still finds issue BUT when you follow their advice you see none of the harmful things (files/entries) that you should keep it in mind, but not worry about it as much as it (to me) SOUNDS like a false positive. I figure they'll figure this out soon and then we can be done with this once and for all lol

im not to sure about this as i have had this deteced on my system, like everyone else i ran norton and it found nothing related to this virus but trend picked it up. the problem im having is that i found a file called NOTEPAD.exe so i deleted it, i also found loads of registry entries relating to it. And also found a funny entry in startup. the problem im having is that i cant get rid of it either but mine seems to be doing something, it wont let me speak to anyone on irc they cant hear me and i cant see any txt other than joins/quits in every channel, this is really annoying anyone else had this problem from the virus ???

Britneyfan: realize that the earlier post was not referring to the valid MS windows application also called notepad.exe, which is in the windows directory. He was referring to one apparently found in windows/system32 (altho i'm not familiar with that issue so i cant comment further) I dont know which it is you found.

there are two issues. some ppl are actually infected by the trojan which drops a modified mIRC (and modifies the mIRC icon) and creates the files/registry entries detailed at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_IRCFLOOD.X&VSect=T You can read there what the trojan does.
Others are told its found, but have none of the mentioned entries/files. Whether its a false positive being triggered by similarities or not, we can only wait for Trendmicro to say so and patch for it. Those ppl are also not having any problems on IRC such as you describe, so yours may be a diff issue

Is the problem only in channels? are you able to msg ppl? have you tried other networks? do you see any error msgs in your status window? What is the "funny entry" that you have in startup?

this may sound silly, but it wouldnt hurt to check your colors to be sure you havent set others text the same color as your background (hold down your alt key and click the k key to see the colors dialog or click on the icon that looks like crayons)

I appear to have notepad.exe in both c:\WINNT and in c:\WINNT\System32 and both are legitimate Microsoft Notepad executables so it appears that that bares no significance...

Edit:

OS of machine in question: Win2k SP4
OS installed: 4 days ago

ty for the info Deku, i run 98se and only have it under windows. i'm not sure what the post about it being in system32 is all about, since i'm not familiar with whatever trojan they mean. Mainly i wanted Britneyfan to be aware there is a legitimate MS notepad executable

I just wanted to note that no one has responded to my orignial post. I do am detecting Bkdr_Ircflood.X, but there are some additional/ different things I'm experiencing that might be to everyones interest. The virus I mention below is also IRC related, take a look
:

Let me begin by saying I've read every post here and still am not sure what to believe

One thing you might find interesting is if I run a trendmicro scan while running mirc I get a different virus alert

the virus is worm_thrax.a

http://de.trendmicro-europe.com/enterpri...amp;amp;VSect=T is where more information of this can be found. When I run trendmicro when IRC is not running it detects Bkdr_Ircflood.X.


I'd really like any information about this.

Thank you for reading.

Speaking of notepad.exes. I have an extra one right now, in C:\WINNT\system32\dllcache. Before, I know for sure, I had only 2; one in c/winnt and c/winnt/system32. Anyone else have this?

I use win2k.

I don't have anything mysterious in my run/registry/sys memory. But, my comp's acting funny. For the love of my life I can't figure out how I lost a whole album (12songs ). This just paranoia. And my HLIT is all messed up. when I open it, it doesn't show any of my fav but, fav.dat is there w/ everything in it, the menu at the bottom is gone. It was working fine yesterday.

Perhaps formating is long overdue.

*********************

Btw, I heard that

/remote off
/timers off

are good commands to secure mirc.

Of course check to see if any of the files/registry entries listed are on your computer. I'm afraid the only place any of us can get any info on if this one is a false positive is from Trendmicro. Have you contacted them to ask?

Since the trojan you referred to seems to drop modified mirc.ini and script.ini, i'd also take a look at the ones you have. If they look like they should, perhaps something in your legit ini files resemble a known trojan string. (it certainly isnt uncommon to have backdoors and nasties in scripts ppl download) Maybe include yours in a report to Trendmicro to give them something to go on? NOTE: be sure to remove any passwords you may have in your ini files before sending them off!

i'm not aware of anyone recieving emails from Trendmicro other than the one saying their virus doctors were looking into it. All any of us can do is check for what they say are dropped by these trojans and contact them if none of them are found. They need to know lots of ppl are having the problem and it isnt an isolated event. I know i'm not giving you any answers, but i cant, only Trendmicro can explain whats going on. If they are false positives, hopefully Trend will patch for them soon and stop giving us all gray hair.

Hi i'm new to this forum so bare with me i just got through reading this thread i was having a prob wih my computer just started 2 days ago something was eating my memory running in the background i also have run every scan and found nothing then i ran trend and it found this malware.BCKDR_IRCFLOOD.X \and cleaned it
the thing that concerns me is i havent used mirc in over 6months so i dont know how i got this

it can come from a www page, a mail sent to you.. so dont have to be from mirc.. can even be included in som programs you have been installing lately..

thanks sparta now u mention that i was in a site the other nite and a box popped up said it was downloading something grrrrrrrrrrrrrrrrrrrrrrrrr ao if trend said it deleted it does that mean i have got rid of it

i supose so, if you didnt scan your computer online, then do so here ..

i did scan with trnd thats who picked it up in the first place but being a paranoid owner of a sick puter im scanning again thanks again for ur advice

-General Reply-

In an attempt to stop people asking if they're infected or not, please read this before posting anymore! - This is just a summary of everything I can think of, gathered from other people's good advice throughout this thread and some areas off this thread.

Question: What's this all about?

People are finding that, when using Trendmicro's Housecall virus scan they are experiencing a virus detection of malware.Bkdr_Ircflood.X. CtrlAltDel posted a link to more technical information about this infection.

ParaBrat has pointed out before, there are two main issues with this situation:

1) Trendmicro virus scan is detecting that you are infected with malware.Bkdr_Ircflood.X. If this is the case, clean your system exactly as is told to you by Trendmicro.

2) Trendmicro virus scan is detecting that you are infected with malware.Bkdr_Ircflood.X and you have followed all of the instructions and you can't find any of the problems that it says you should have OR you scanned before, and cleaned everything, and it still detects you as infected.

I suggest you use the resources in this thread and choose an antivirus or trojan scanner other than Trendmicro. I would personally recommend AVG, The Cleaner AND Ad-Aware.
If ALL 3 of these programs say you are not infected with any backdoors (or at least not with malware.Bkdr_Ircflood.X) then I would say you are not infected and Trendmicro is wrongly detecting you as being infected. If they DO detect that you are infected then you may not have followed the instructions properly or Trendmicro may not have detected all strains (versions) of the virus on your computer - so use those programs to remove the program, reboot, and once again scan with those 3 programs to ensure non-infection.

If you are finding that Trendmicro is detecting this virus and NO other virus scanners are, then it is fairly safe to assume you are not infected.
Please remember, we cannot tell you if you're infected or not, you must scan for yourself! We cannot tell if Trendmicro is or is not properly detecting the virus.

Question: How did I get infected?

This obviously only applies if there was actually an infection detected. Sparta made some good suggestions as to how people can get infected:

- You could have got this through an email attachment. It's a good idea never to open email attachments without scanning them with a virus scanner first, even if an email is from one of your friends (I have seen a lot of people say their "friends" have planted trojans on their computers for a bit of fun. It may be fun for them, but if they shut down your computer every 5 minutes, or accidentally delete an important system file because they don't know what they are doing, it might not be so fun for you!)
- You may have visited a website which has exploited you and planted this virus on your computer. It's best not to go to websites when you're not 100% certain of what's on them. You could visit a website and it automatically starts to download something - NO legitimate website on the entire Internet will do this, if you can, stop the download immediately.
- You may have installed a program recently that contains it. For your own security you should not install programs unless you know they are perfectly safe - this may include checking up on their security certificates and the company who has signed the download.

The above 3 ways could have happened even if you have not used IRC for a number of days, weeks, months of even years, and you are just coming back to using IRC. However, there are general computer safety guidelines you should follow, and also very IRC-specific guidelines you should follow to ensure you remain safe from viruses and you keep your private information private. Those may include:

- NEVER accepting files from people on IRC. Only accept files from trusted friends, 'trusted' meaning you've known them for months if not years, not because they've been nice to you for a few hours.

- NEVER typing suspicious things that people tell you to type, especially if they contain //write $decode or any other long form of what appears to be a jumble of letters and numbers.

- ALWAYS having an antivirus installed on your computer. If they have auto-protect features then have it enabled.

- ALWAYS having the latest updates from www.windowsupdate.com.

- ALWAYS having the latest version of your software. mIRC is an important one to have updated to avoid any exploits that may be found. You can always get the most up to date version at www.mirc.com/get.html.

The above should help you protect yourself from further infection. This does not mean it's impossible for you to be infected, so don't disregard any warnings that Antivirus programs give you, but it gives you a good chance at not getting infected

Question: So what's being done about this?

Trendmicro emailed ytytyt and told him that their 'virus doctors' are looking into the situation. They also said to add mIRC.exe, for now, into your Exception List so that Trendmicro does not detect a virus in it. See this page for details.
Until there is another reply from Trendmicro nobody can give a definite answer as to whether or not this is a 100% certain "false positive" in Trendmicro. There is also very little we can do, as IRC users, other than wait.

Question: Shall I stop using Trendmicro? Delete it?

No - Let's not forget Trendmicro is still a good virus scanner and highly recommended by many websites, virus help channels and many IRC helpers. There does seem to be a slight glitch in how it scans mIRC, but other than that, it's good at picking up viruses and is a good addition to your computer!
That said, do remember as always, no ONE virus scanner can detect, protect and remove every virus threat - new viruses are released into the wild everyday, there are hundreds of different types of viruses, trojans, backdoors etc. You need at least 2-3 virus/trojan scanners on your computer for effective protection.

Conclusion:

1) Scan your computer with Trendmicro.
2) If malware.Bkdr_Ircflood.X is detected, clean it.
3) After a reboot and following instructions carefully, scan again.
4) If Trendmicro continues to detect 'malware.Bkdr_Ircflood.X' use 2-3 other programs to scan your computer
5) If they find nothing, you're probably not infected!
6) If they do find something, clean your machine with those programs, reboot and rescan with those programs.

After that, you should be clean (once and for all!)

I hope this helps those people who browse this thread and prevents them from needing further help until Trendmicro gets back to someone about this issue =) - I by no means want to discourage people from posting if they have an issue, please do if you have more questions, but I think this post and the other posts throughout this thread answer a lot of questions that have been repeated and repeated!

Stay safe!

Regards,

i use Norton AntiVirus 2004. after i got that "virus" i noticed my Norton was disabled and the AutoUpdate was turned off. i used TrendMicro's free online scan to see what was the problem. I couldn't run nearly any .exe. I checked the registry to see if there was anything wrong. It looked fine. Then i went to Norton's website, and it found something wrong with the registry (the exact thing i checked. as if it were hidden or something). It cleaned it all up. Then I tried installing mirc again and running it. It came back. I recently did a scan again. Found a WORM in my computer. My antivirus would have caught it, but for some reason it didn't. I think that the IRCFLOOD thing allowed it to come into my system, if not installing it, itself. My system hasn't fully restored itself, yet. Everytime i would close something i use daily, an error would pop up.

And even now, i ran an old version of mirc from a CD, and the virus became active again. Is there a way to fully remove it?

I think that the mirc versions that have it, should be removed from the website. It seems to open up a port, that may be how i got the worm. Also, could you guys put an older version that doesn't have it, on the website please? I think you guys don't support the older versions right? Just put the disclaimer saying that you don't support it, and not to email you. It would be greatly appreciated. I have to run Trillian's IRC now, and i hate it.

Also: ever since that happened, i can't recieve downloads from anyone. I don't understand why, at all. Please, any suggestions and help would be greately appreciated.

"My antivirus would have caught it, but for some reason it didn't."

Many viruses nowadays actually manage to disable or evade certain antiviruses because people who release the virus code it to do so - that is why on this board we are constantly suggesting that people use more than one antivirus, to try and scan your computer from more than one angle. No one virus scanner can detect anything.

The mIRC download mirrors on www.mirc.com/get.html are perfectly safe - there are NO worms, backdoors, viruses, trojans or anything else malicious on those download mirrors or in the installer package that comes with it. Refer to the "How did I get infected" question in my last post (did you read that by the way? ) You will also find a version 5.91 (the last 16-bit version of mIRC) on that download site. You can download old mIRCs from many websites, simply search Google, although I would strongly advise against it.

As I also said in my last post, *WE* cannot tell you if you have a virus or not - we have no access, remote or otherwise, to your computer (nor do we want that) and many of us are not virus professionals or anything. You need to scan your computer with several virus AND trojan scanners, and preferably spyware scanners to try and clean yourself.

If you're having problems with DCC receiving then make sure it's definitely *your* problem, usually it's the senders end. Try receiving files from 4-5 different people. If doesn't work with any of them, try reading http://www.mirc.co.uk/help/getproblems.html or run a search on the forums for "DCC" or "DCC Get" and expand to 'All Forums' and 'All Posts' for best results. This is probably not related to any infections you have, although a possibility.

Regards,

Sadly, most of the time this could be avoided if those who are using NT-based versions of Windows didn't infact operate their computers as a user with full Administrator privilages.

If you operate your computer as a restricted user, download an infected file, and then execute the virus, it will be run with your permissions. So it will NOT be able to deactivate your AV software, it will NOT be able to write to the filesystem (except perhaps the C: root and any directories you have write access) and it will NOT be able to deliver a destructive payload. The only viruses that COULD would be the ones that are gained thru a system insecurity, a la MSBlast.

People need to sandbox themselves before any AV software and firewalls can be optimally effective.

Hi everyone, I for one am POSITIVE that I am infact infected with this virus. I opened a malicious link (the link was to something.txt but the .txt was just the name of the directory the exploit was in) that an infected user had sent me. After being infected and many obsenties later, I discovered how it had gotten to my computer without me accepting any files.

The link uses a VBScript exploit in IE which drops a .exe which has several files packed in it. The files inside are "Load.dll", "fix.bat", "mirc.exe", and "shutdown.exe". Load.dll I assume contains API's for mirc.exe. Shutdown.exe is an auto-extractor which inside contains a shortcut to "%windir%\system32\shutdown.exe -s -t 00 -f" This simply shuts down the users computer instantly (-t 00) and forces the shutdown (-f). As of know, I have no idea whatsoever what mirc.exe does (usefull huh?), I assume this carries the payload and is what changes the registry entries noted in the trendmicro virus information. It is NOT a modified mirc client as I have ran it myself and nothing seems to run and I have monitored any open ports for a silent mirc client. fix.bat simply deletes the aforementioned files including itself and only contains
"del c:\load.dll
del c:\shutdown.exe
del c:\mirc.exe
copy c:\windows\notepad.exe c:\windows\system32\
del c:\fix.bat"

Why it copies notepad to system32, I have no clue.

ONLY after being infected with this virus, I have recieved the decetion of Ircflood.X by housecall.

Hmm. I have notepad in both system32 and winnt directories and I am not infected (win2k). Odd.

It is in XP too.

Hi there asa

A couple of posts ago I did state:

- A link to more technical information that Trendmicro had released.
- We can do nothing about whether you're infected or not, nor explain why the virus does what it does
- That Trendmicro does correctly detect the infection, but does also detect it incorrectly on clean machines.
- That Trendmicro's 'virus doctors' are looking into the matter.

Excuse any arrogance, but I don't see the need for constant posting of people informing us that their infected or not, and re-answering questions that have already been answered several times!

Also, it's best not to post the same post in two threads which relate to the same thing

Stay safe

Regards,

Alright. I just finished pretty much EVERY post here and on that other website thread.

Let start by saying that this is 90% NOT a FALSE POSITIVE.
It's a mIRC backdoor/worm that's extremely dificult, if not impossible, to get rid of.

Like everyone else, housecall will find on my computer 'malware.BKDR_IRCFLOOD.X' trojan and simply report its successful identification and removal.

About a week ago I got a PM from a friend on a channel where I idle all the time.
It had couple of lines like "sap" and "hi" then followed by a link to a flash animation poking fun at microsoft windows.
Other people reported a link to a .jpg file or even a .txt file.
I did a Norton AV scan immediately after since my buddy told me that it wasn't him pm-ing me, but he's infected with a trojan. Norton didn't find anything, and it's been almost a week since then my mirc was working just fine.

Yesterday I joined my usual list of channels and within 2 minutes started receiving conspicious messages from people all over whom I don't know.
Their replies were consistent with what the worm pm's other users, especially when some of them commented on the flash animation 'microsoft OS sux' and so on.
Of course, I would get kicked/banned from channels and servers.

I knew immediately my computer was infected for sure.
I scanned many times with housecall and other utilities. Only housecall finds it, supposedly 'removes' it, but it's back there next time I start mirc.

My conclusion is that trendmicro/housecall is not mistaken, but it simply doesn't know (yet) how to propperly remove this serious threat. And all of you who think you are safe just because your mirc seems to be working fine think twice.
I would say that the clever design of the worm allows it to 'sleep' for a few days and then start causing troubles.

I'm not going to take chances with this worm, since as reported by trendmicro, it not only affects mirc behaviour, but it can also record my activity online, steal passwords and use my computer for DDOS attacks.

For now I'm booting into my linux install until I get time to do this and also install a hardware router/firewall.

I'll try one other thing mentioned on boards and let you know final result, although I'll still format, it's just too risky.

Good Luck.

Trendmicro finds nothing on my computer, which is why i guessed it might not be a false positive.
why would it report detection on some computers if it's a false positive, i would say that it would detect it on all if it was.

Whenever I connect to MIRC, I find this virus as well when I run the online scanner. However, I also get about 50 connection attempts from 69.50.181.165 hitting different ports, wanna.see.a.massdeop.us, MAIL.ATRIVO.COM . If you open tha secondt website address, there's a bunch of pictures and a video of some sort of party... I don't know if the two are related, however for me they did appear around the same time.

i am also having this problem, been looking for a couple days now and there are still no answers but i have sound some links on the mirc website that could help.

https://forums.mirc.com/showflat.php?Cat=...amp;amp;fpart=1

this page has several links that seem like they could be pretty helpful. i would try them but im on a public computer right now, so someone tell me if anything worked or not...

IS TRENDMICRO EVEN TRYING TO FIGURE THIS OUT?!

Please read this post, it says just about everything that can be said at least from what I have seen.

There is however, no point in using caps (which is considered "shouting" on the Internet in general, including the IRC community) - Shouting at us is rude and uncalled for, no matter how frustrating something is - Especially when the answer lies in this very thread.

It was reported that Trendmicro's 'virus doctors' are looking into the matter - they may or may not have found an answer yet, these things can take time. There is little *WE* can do about the issue.

Happy chattin'.

Regards,

Like other people i get this error. For instance, When mirc is not open it will detect and clean the virus (whilst "scanning system files"). Then with any further virus scans the virus will not be found. However if I open mIRC and then close it again, And then re-scan it finds the same virus, Very odd, I can't think what mIRC could be adding to my "system files" even if it is a false pos. ?

After the virus is cleaned it isn't detect again until mIRC has been re-opened. So if mIRC is still open after a clean, the virus is not detected by further scans. So It seems mIRC creates some kind of file when it opens which housecall doesn't like.

I also tried this on a copy of 6.03 which i have stored in a different folder (which excludes the possibility of that 1 copy of mIRC being genuinly infected on my system?), Same results.

Note: When I say virus scan I am ofcourse talking about TM's Housecall.

I too am one of those people unable to find IEEXEC.EXE and everything else Trend Micro lists to remove from the registry, etc., etc., but enough about that.

Maybe this was a coincidence (I'm not sure if wabbyyy was referring to the same thing) but prior to the first scan I ran, I had rebooted after installing the monthly Windows updates and my computer was painfully slow - it took about 30 minutes to get to my desktop. In task manager, my cpu load was at 98-100% before I had even run any programs. 24 hours later or so, it started running normally just like that. Anyone else have this problem? I found one other incident like this on Google but I'm not sure if it's related to BKDR_IRCFLOOD.X or just a mere coincidence.

I have the same problem like others that run mIRC. The "malware.BKDR_IRCFLOOD.X" is detected only with Trendmicro's software. Neither Norton, McAfee nor BitDefender found any traces of it. My mIRC client is currently version 6.14.

I have a question in regards to the "IEExec.exe" file. Is this file associated with Microsoft's .NET Framework?. These entries below are found along with the path pointing to the ieexec.exe file. These entries were found on two machines I have mIRC installed on. Seems like it does not like to be deleted. The file is copied back over as soon as it is deleted. Is it a windows protected system file? I assume booting into the recovery console to delete the file would work? Can someone confirm that "IEExec.exe" is a legitimate Microsoft .NET Framework file or not.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExec.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ieexec.exe.config.orig
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll

Well, I read through all the posts in this topic, and I decided to check something. Now, I'd first noticed this on my own computer sometime after I came back from spring break last month, and only Housecall was detecting (neither NAV nor BitDefender registered anything). Very confusing, since I tend to be fairly paranoid about what I do with my computer, and I'd never had it before. Thing was, I couldn't remember whether this was pre- or post-upgrade to 6.14. So, I just tested this on my office computer, which I know was clean before I tried. I had mIRC v6.12 on my office computer, checked it with Housecall, nothing. I then upgraded it to v6.14, checked it with Housecall again, I got a hit. To me, this suggests that there's some change in these two versions that is being mistakenly identified as malware by Housecall. Anyone else clean with 6.12 want to try this to see if this also occurs? I can't imagine that there would have been a drastic code change that would have created this, but I'm not that savvy when it comes to code.

Please don't delete any files or registry entries.

This is simply a bug in housecall.

If none of the other antivirus programs detects it, then you are not infected.

Housecall pops up the same message to me. But it does that way before it started scanning. And at the and of the scan it doesn't detect any infected files. Normally, it displays a list of infected files and suggestion on how to deal with them.

norton found nothing and housecall did and for me its not just a bug.
I got a pm from a mate who had the ircflood and I clicked.
The same week I to started to pm people on my irc channels.
I searched al the google pages on malware.Bkdr_Ircflood.X and
Did not found the solution that fixt the problem.
I to have the IEExec.exe the config and the dll file thay always come back.
I hope virus directors are working on the ircflood and find a solution, now I cant use irc no more.

Why not use another IRC client in the mean time?

hi guys,

i´m new to this forum, i came here with the hope to find any solution for the BKDR_IRCFLOOD.X i caught up myself. Now i see u guys have either no solution. to me it happens the same way like to many of other guys in here as well. housecall found the trojan, i dont have IEEXEC.EXE nor any registry entries of it on my system. so the housecall "get rid" suggestions wont work for me. thats why i did some investigations on it

let me explain what i discovered so far. all started when i got pmed by a mate from a chan with a link inside what i clicked... dumbass me a couple of days later i wondered why i got scanned many times a day for Sokets de Trois v1, more then 20 times a day. my Norton Personal Firewall blocked them away, hopefully... by chance i found that housecall virus scan thingy and for pure curiosity i ran that scan and... BINGO, infected.
as i said above housecalls suggestions dont work for me so i started to investigate. i read several boards and such and found on that way this one here.
at first i noticed the Notepad.exe in my system32 folder which i dumped. after that i ran a registry cleaner which found 46!!! links related to notepad.exe in the system32 folder. i removed all of them and the system runs still solid. now i havent been scanned for Sokets de Trois v1 anymore. then i got HijackThis for informations on what is going on on my system. it detects anything what has been executed on the system. there were no suspects. probably u guys may be helped by it.
then i got Process Explorer which gives u infos on what is loaded. unfortunatly it wasnt any help for me but probably for u guys.

because i´m either not that trojan hunter crack, this is my first one, i thought why not to compare the HijackThis scans and probably we together are able to find that shitty thing.

this is my scan after starting mirc without doing the housecall clean up

Logfile of HijackThis v1.97.7
Scan saved at 19:26:41, on 20.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
C:\Programme\Trend Micro\Internet Security\tmproxy.exe
C:\Programme\Norton Personal Firewall\NISSERV.EXE
C:\Programme\DU Meter\DUMeter.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Norton Personal Firewall\IAMAPP.EXE
C:\Programme\Trend Micro\Internet Security\pccguide.exe
C:\Programme\Trend Micro\Internet Security\PCClient.exe
C:\Programme\Trend Micro\Internet Security\TMOAgent.exe
C:\Programme\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\WebWasher\wwasher.exe
C:\Programme\TuneUp Utilities\MemOptimizer.exe
C:\Programme\STK007\STK007M.exe
C:\Programme\ISDN Monitor\ISDNMO32.EXE
C:\Programme\Topdesk\TDeskDEU.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\mIRC\mirc.exe
C:\Programme\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freenet.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DU Meter] C:\Programme\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iamapp] C:\Programme\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Programme\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Programme\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WebWasher] C:\Programme\WebWasher\wwasher.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] C:\Programme\TuneUp Utilities\MemOptimizer.exe autostart
O4 - Startup: ISDN Monitor 32.lnk = C:\Programme\ISDN Monitor\ISDNMO32.EXE
O4 - Startup: TDeskDEU.lnk = C:\Programme\Topdesk\TDeskDEU.exe
O4 - Startup: Windows-Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: STK007 PNP Monitor.lnk = ?
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.6180902778
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/de/techsupp/activedata/ActiveData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F49DA492-7B88-463F-B389-CA9A02F6DA76} - http://www.seagate.com/support/disc/asp/tools/de/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EB636CB-9E81-4A9E-8E36-3769378FD4E5}: NameServer = 213.148.129.10 213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{261BF471-5B25-4DE2-90B9-562280EE3F6B}: NameServer = 192.168.120.252,192.168.120.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4DB604B-581A-43A1-B664-34252880D5D4}: NameServer = 192.168.1.1


Togi

Ok, I dont know how much of this will apply, but according to microsoft, THIS LINK says Win2k does this on install (2 copies of notepad.exe). Im not saying anybody is or is not affected by the all the viruses, just shedding more light on to the situation is all.

FYI, just replied to the LAST post so this is a general FYI

this is not just a bug in housecall, i am a paying customer of pccillin internet security as well as mcafee and pccillin continues to find this problem. it also continues to "clean" it and it is becoming very aggravating

i have emailed trendmicro about this and hopefully they will get back to me soon

I should imagine the general scanning process in Housecall and PCCillin are the same as they are both produced by Trendmicro.

Trendmicro have already been contacted, and as has been said before, they have said their 'virus doctors' are looking into it - if they haven't cured it by now, they probably won't do, but these things do take time.

-Generally speaking-

Sorry, but I have to wonder why people keep posting - everything that can be said has been said, and if people would just take a little time to browse this entire thread, every question possible related to this topic is answered. Grateful as I/we are for contributing technical details of the scan, to be blunt, it is of little use to us. Send it off to Trendmicro and let them analyse it. We cannot speak on behalf of Trendmicro. They must be contacted themselves, and we cannot come up with a cure for it!

Regards,

i ran the trendmicro scanner and it said it found and cleaned it. It didn't do anything else. however whenever i try to open mirc i fail and when i run trendmicro again it finds the same virus.

Several ppl have reported it showing up again on trendmicro scans after opening mIRC. Regarding that, all we know is what is already said several times in this thread.

If your question was about why you "try to open mirc i fail", we need a bit more info. Do you mean you cant bring mIRC up when you click on the shortcut, or cant connect to a server or what? If you can tell us exactly what happens and any error msgs, we might be able to help.

Ok here's what i get. I open up mirc. I don't connect to any servers. I run trendmicro and i get a msg saying it found and cleaned malware.bkdr_ircflood.x. Now i close mirc and i run trendmicro again and it doesn't find anything. Then i open mirc again and i don't connect to any servers. I run trendmicro and i get the msg that it found and cleaned malware.bkdr_ircflood.x. So everytime i open up mirc the virus comes back

In that case, read what ParaBrat said

"Several ppl have reported it showing up again on trendmicro scans after opening mIRC. Regarding that, all we know is what is already said several times in this thread."

Now, read my post a few of posts up from this one under the General part of it...we really can't say much more. There is not much use telling us Trendmicro has found the virus we can't do anything about it, and we already know there is an issue (as there over 70 replies in this thread).

Also, and I don't want to sound arrogant/big-headed, but I did attempt to ask 90% of questions possible by gathering information from the other posts in this thread - see this post earlier on. Since then, I have only seen 2-3 reasonable replies.

To be honest, it seems people are posting now just because it's a big thread, for no particular reason, and making no effort to get past the first few posts.

Regards,

your being unable to connect to a server may not have anything to do with this issue with trend. what msg are you getting when you try to connect? unable to connect? gline/kline? Are you sure that server is linked and working? (check on the networks website for a list of servers to try)

in your main mIRC window, type: (dont forget the /)
/server b0rk.uk.quakenet.org

if it doesnt connect, then try:
/server 213.221.165.248

if you cant connect, tell us the exact msg you see please

i can connect to every server except for gamesurge. I was initally g-lined for having the virus. Since then it's been removed. Now here's what i'm doing. I open mirc. i try to connect to gamesurge and this is what i get:

* Connecting to irc.gamesurge.net (6667)
-
-irc.gamesurge.net- *** Looking up your hostname
-
-irc.gamesurge.net- *** Checking Ident
-
-irc.gamesurge.net- *** Couldn't look up your hostname
-
-irc.gamesurge.net- *** No ident response
-
Ping? Pong!
-
bots/clones #rofl.gov.
-
Closing Link: rtuyu by Geneva.CH.EU.GameSurge.net (G-lined)
-
* Disconnected

I've checked the gamesurge website and I currently have no g-line. I've also tried all of there servers and i get the same msg. I've posted on gamesurge's message boards and the admins say they removed my gline. But yet it still says i'm glined.

Any ideas?

That's down to GameSurge's administration I'm afraid - they must have missed the g-line, or they have checked an incorrect IP address. If you browse the web through a proxy that would produce an incorrect IP/hostname. There's nothing we can do I'm afraid, you'll have to walk through the process with them.

The reason you get it on all servers is because a g-line is a global ban - set on all servers.

Best of luck

Regards,

"By opening that link (clanbase hacked, blablabla..), your browser gets redirected to sh0ut3tb34ts,tk. This URL points your browser to a page containing some malicious code. Using the security holes of some browsers, the worm will then download another file. After being executed automatically, this file will install a hidden mIRC-client on your PC. This client automatically connects to a certain IRC server and joins a certain channel. By typing some commands in this channel, that guy could get full control over your PC. For example, he could see any file on your computer. The script even contains a special command which reads your CD-Keys for Half-Life, Battlefield 1942 + Vietnam, UT 2004 and Quake 3 from your registry and sends them directly to him."

Thats what i'v heard about this virus, anyone knows if its true? I have also been infected and cant remove it. Everytime i start nnscript (mIRC) it somehow comes back.

Tried to delete the extra notepad.exe and all that.. makes no diffrence though.

The shoutedbeats-tk trojan is only one of the many versions of mIRC-based trojans going around at the moment.

If you've been infected with that specific trojan, you could try this remover program (warning: use at your own risk!). However, please note that if you have been infected, the attacker has had full control over your system, so this remover tool is only the first step - you should definitely use recently updated anti-virus software as well (and that's always a good idea anyway, you might already have other infections on your system).

I tried that Q-fix, it said im all clear.. still housecall finds that virus everytime i restart mIRC, Panda and Norton Antivirus 2004 cant find anything though.. dont know which one of them to trust

Please make sure you have read the previous posts in this thread...

i have.. not helping me much since noone really knows how to remove the virus, atleast not yet.. i'll just have to wait i guess.. or maybe its time for a format c:

has anyone else tried formatting or going back to system restore before the virus? I know a few ppl have and said that it didn't work

No it doesnt work... You'll notice that Housecall cleans the virus, Until you open mIRC again and it's reinstated.

Housecall detects it whilst scanning system files, Whatever mIRC is adding there I don't know, As Housecall doesn't inform you what or where the infected object is.

As I have said in previous posts as have others, this is an mIRC help board - we're not virus experts (specifically) and the people to handle it must be the people who are qualified to. We're simply volunteer helpers who know little more than you do - everything "we" do know is explained in this thread.

Information and manual removal information is posted around the Internet, look through this thread and you'll find a link that explains Trendmicro's method of removal - if you've followed those steps and don't find what it suggests or do actually follow the instructions and remove said files, then the chances are you're not infected anymore.

If your issue is not with malware.Bkdr_Ircflood.X then it does not relate to this thread. You will need to use 2-3 virus scanners, as you have done, and if one is finding an infection and 2 are not, use another 2 virus scanners. If neither of them find it either, the chances are you are not infected.

Fact is, we have no/little chance of being able to directly help you, we don't know your computer setup, or know about every single virus (there are hundreds/thousands). All we can do is to provide you with a link that explains the infection and how to remove it. You can find that yourself though using Google.

This thread isn't here to help with viruses in general, it was started to report a possible false positive in Trendmicro. Trendmicro have said their virus doctors are looking into it, we cannot say anymore because we don't actually know anymore!

Good luck

Regards,

I have the BKDR_IRCFLOOD.X malware on my computer too and am unable to connect to Dalnet .. I get akilled with the following message:
[1:38am] * Connecting to powertech.no.eu.dal.net (7000)
-
[1:38am] Local host: homebase (198.77.157.106)
-
[1:38am] ••• You are banned from connecting to this server ("You have been autokilled.")
-
[1:38am] -powertech.no.eu.dal.net- *** You are not welcome on this network.
-
[1:38am] -powertech.no.eu.dal.net- *** autokilled for [AKILL ID:1082727678K-a] [exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information. (2004/04/23 16.49)
-
[1:38am] -powertech.no.eu.dal.net- *** Your IP is 62.243.15.65
-
[1:38am] -powertech.no.eu.dal.net- *** For assistance, please email kline@dal.net and include everything shown here.
-
[1:38am] ••• Error: Closing Link: 0.0.0.0 ([AKILL ID:1082727678K-a] [exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information. (2004/04/23 16.49))
-
[1:38am] * Disconnected

I know that BKDR_IRCFLOOD.X is a dropper program that creates a folder (which I can' find) and creates an autorun registry entry that allows it to execute on every system startup.
It probably comes with mIRC 6.14 somehow and I have no idea how to get rid of it except go to housecall which finds that particualr file but not the rest of the files it drops. So every time I reboot, I have the same problem.

The files it drops are BKDR_IRCFLOOD.X .. BAT_IRCFLOOD.X and IRC_IRCFLOOD.X

It supposedly creates this folder (which I don't have)
C:\%Windows%\Microsoft.NET\Microsoft:NET\Framework\v1.0.3705\

When I do a search for BAT_IRCFLOOD.X the search comes up with 2 files .. lpt$vpn.867 and vptnfile.867 both are in C:\WINNT

I run Windows 2000 server and have no idea what to do.

"C:\%Windows%\Microsoft.NET\Microsoft:NET\Framework\v1.0.3705\" I think should be "C:\%Windows%\Microsoft.NET\Framework\v1.0.3705\" - "Microsoft:NET" is invalid in a path. On a Win 2000 system, that will expand to C:\WinNT\Microsoft.NET\Framework\v1.0.3705\ (Assuming windows is installed on C drive and uses the default 'winnt' directory)

lpt$vpn.867: According to http://security.uwo.ca/antivirus/patches.html this is a pattern file for detection|removal of WORM_MSBLAST.A & VARIANTS

The url "http://kline.dal.net/exploits/akills.htm#os" Does not mention any particular trojan. There are many many such worms out there.

I suggest you download a couple of the trojan removers listed in this post, update them and scan. The shareware versions will mostly give you thirty days of full usage to try them out.

i may have found a solution for some of us:

my circumstances were the so called "sleeper" trojan and i emailed trend micro about it and this is what i was told to do and i have not had any problems since:

1. Create a temporary folder in a location that you're familiar with (ie: Desktop, C:\, My Documents etc.). To create a folder, right click on your target location and select New > Folder. Rename the folder as 'system cleaner'.

2. Download sysclean.com here: http://www.trendmicro.com/ftp/products/tsc/sysclean.com
** Make sure to save sysclean.com to the 'system cleaner' folder created earlier, otherwise the scanning will not work.

3.You'll also need to download the latest pattern file. Sysclean.com will use the algorithms in this file to detect and clean viruses. Please download the latest virus pattern here: http://www.trendmicro.com/download/pattern.asp
** Once again, make sure to save the LPTxxx.zip file to the 'system cleaner' folder created earlier.

4. Once the virus pattern file download has been completed, you'll need to extract its contents to the 'system cleaner' folder. You'll need WINZIP to extract the contents of the file. Please visit our knowledgebase for the instructions.

5. Check the 'system cleaner' folder for the following files: sysclean.com & lpt$vpn.xxx. Once the files are present, please restart your computer and access Windows SAFE MODE.
1. Restart your computer
2. After the memory test and BEFORE the Windows' loading screen appears press F8 repeatedly
3. If successfully performed, a menu will be displayed. Choose 'Start Windows in Safe Mode' or 'Safe Mode'

6. Once in Safe Mode, simply double left click on the sysclean.com. It should start the scanning process and wipe out/clean viruses detected.

worked for me... if it doesn't work for anyone else than idk. just try it

OK here is my problem with the whole situation, its been about 27 days since ytytyt first received an email respose from Trend. To not have any real answers on this subject almost a month later really iritates me (with Trend).
Does Khaled/mIRC not feel any obligation to hasten communications with Trend? I know if it were my program that was in this situation I would be communicating with them every day and informing people of any real information/answers that come out. Maybe he already has and nothing relevant can be posted publicly yet.
For it to take this long seems to me that nothing is being done (by Trend) because they probably think its a false positive. Then again I may be quite wrong as I dont know any history with other viruses and how long new and/or possibly troublesome, difficult viruses take to be rssolved and fixes found for.
*wonders if ytytyt has yet received any response from Trend...*
Can anyone tell me a tool to use to see when/if a malicious mIRC is being operated from my computer and the traffic it would produce?
Sorry but it really makes me MAD when someone/something prevents me from using mIRC to connect to IRC for almost 30 days!

(I have since formatted and am back on mIRC)

"Does Khaled/mIRC not feel any obligation to hasten communications with Trend? I know if it were my program that was in this situation I would be communicating with them every day and informing people of any real information/answers that come out."

Whilst Khaled is a famous guy on IRC, in the grand scheme of things he's not an A-List superstar. Him emailing Trendmicro may hold a little more salt with them as they've no doubt heard of mIRC due to it's use in infecting other people, but they probably won't feel hastened to answer him anymore than you or me emailing them.
Plus, me, you, or anyone here doesn't know whether Khaled actually has contacted them about the issue or not. Who knows what Trendmicro are doing..

By the way, Khaled's life is made a little more hectic due to what I can only assume is the thousands of emails he receives per day, and that's with all the junk mail excluded - and real life too, plus Arnie takes a lot of his time up

"Can anyone tell me a tool to use to see when/if a malicious mIRC is being operated from my computer and the traffic it would produce?"

This page has some good ideas on what to do and as you may have heard already (as it has been mentioned several times in this thread) - this post has many resources to get yourself uninfected.

Best of luck.

Regards,

I'm really sorry to be another person adding to this thread, but I am really at a loss as to what do do, and I have been experiencing things that, after reading through all 5 pages of posts, no one else seems to have touched upon.

- I run AVG antivirus on my computer, which scans daily for me, and is updated weekly. A few days ago I started getting this message in relation to my AVG program:



So, I would click OK, and my AVG would shut down. When I would restarted AVG I would
a) get that same message again, and it would immediately shut down - THEN
b) I would manually launch AVG, get that same message again, and it did not shut down AVG, but when AVG launched, it showed the "Control Center" as not beng active and functional. Attempting to activate it sometimes worked, and sometimes caused AVG to shut down again.

- In an attempt to find out what was wrong, i tried to go to AVG's website at www.grisoft.com but always got the "this page could not be found" message.

- I tried other common/major antivirus websites, but was unable to access those as well, although all other websites loaded fine.

- I thought my problem was with AVG, so I uninstalled it, had a friend download the install file for me (as I was unable to access the website) and send me the install file. After reinstalling AVG, I was still getting the same error message.

- I then called a tech friend of mine, who suggested this:
a) deactivate system restore
b) Use Trend Mirco's online scanner to check for viruses.

I discovered I was unable to access Trend Micro's Homepage, but was able to access House Scanner page.

- I ran a scan using TM's House scan, and as it was doing the initial system scan, got the following message:



So, I clicked okay, and it then scanned my computer and found the following file:

Virus: DOS AGOBOT.HM
Scan result: Non Cleanable
File: c:\windows\system32\drivers\etc\hosts

Since it was not cleanable, I deleted the file.

- I then used TM's House scan once again, and it found nothing in the initial system scann and no viruses detected.

- After doing this, I found I was then able to access antivirus websites once again, Including te ones at Trend Micro and Grisoft that I had previously not been able to access.

- I thought I had solved my problem, so I reacvtivated system retore, and rebooted my computer.

- after my computer rebooted AVG tried to launch, and I got the same error message again. Was able to open it manually and then manually active the "Control Center"

- I then launched all the programs I typically run on my computer, including two instances of mIRC (one for me, one for my bot), and several instant messaging programs.

- I found I was once again NOT able to access anti virus website. I was not able to access Grisoft nor Trend Micro's homepage.

- I once again found my way to Trend Micro's house scanner, and used it to can my computer. I found:
a) on the initial system scan "malware.BKDR_IRCFLOOD.x" was there once again
b) it once again found "DOS AGOBOT.HM" in the same location as before.

- I then found my way here and read through all 5 pages of posts, and found that no one else seemed to have experienced the same things as I have.

I'm not a very technical person, and I don't understand things about "registry's" or "keys" and i can't really understand all the things you all have said to look for and try.

Has anyone else found these same problems? Does anyone have any suggestion that can be made simple for someone who is a technical dummy?

Thank you, and I appoligize once again for adding to this already long thread.

shy

At least I can help at least one person in this thread

the virus found in:
c:\windows\system32\drivers\etc\hosts
is most likely the reason why you cannot access those websites, the hosts file can be used to change where urls point to.
find:
c:\windows\system32\drivers\etc\hosts
and edit it to so only the following is in it:

127.0.0.1 localhost

the lines that start with an '#' are actually comments, so they are not important, you don't need to delete those lines.

Hope this helps a little bit

Edit: i'm guessing that AGOBOT (aka GAOBOT) will just change the hosts file back, but it's a temporary solution.

You should use a dedicated trojan cleaning program such as PestPatrol and/or TrojanRemover (or one of the others listed in this post) to get rid of Agobot.

FWIW, kbaumgar post (like 7 or 8 above this one in the thread) worked for me with the virus of the title of the thread. It ALSO worked for a friend of mine with other viruses she had so maybe give that a try (for those who have NOT yet done so AND are experiencing problems or getting trojan message alerts).