#76390 24/03/04 06:23 PM
Nutrimatic drinks dispenser, OP (Joined: Mar 2004, Posts: 7)
I recently scanned my system with TrendMicro's HouseCall, and it found malware.Bkdr_Ircflood.X running in memory (and cleaned it). It never found any files that were infected with the virus, just said it was running in memory. I decided to format (it was time to format anyway), and after installing Windows XP and mirc 6.14 (did the same with 6.12), HouseCall found it again.

I was wondering if this was a HouseCall bug or if anyone else had this problem?

#76391 24/03/04 06:25 PM
Hoopy frood (Joined: Dec 2002, Posts: 1,541)
Sounds like it could be a false positive where the scanner thinks it found something from code (in a file) that mimics a virus. Did it find it in a mirc file or a mirc script (or neither)?

EDIT - if you check the TROJAN INFO link, you can see a few other places to try and scan with for more of a well rounded idea/opinion


Those who fail history are doomed to repeat it
#76392 24/03/04 06:42 PM
Nutrimatic drinks dispenser, OP (Joined: Mar 2004, Posts: 7)
Thanks for the reply! It didn't find either mIRC itself or an mIRC script (didn't have one installed at time of scan). When it was scanning memory and system files, it would find malware.bkdr_ircflood.x if mIRC was running. If mIRC wasn't running at the time, it wouldn't find it.

I'm also scanning using tools from the thread you linked right now. Of the few that have completed, only HouseCall found this virus. I'm beginning to think that it is indeed a false positive detected by HouseCall.

#76393 24/03/04 06:42 PM
Hoopy frood (Joined: Jun 2003, Posts: 5,024)
Indeed, to follow on from above, it's always good practice to use more than one antivirus and/or trojan scanner. 'False positives' are common, and you can never be too safe.
The opposite can be true as well, whereby one antivirus will not detect a virus but another one will. If the AVs you have have an "Auto Protect" feature then you should have it enabled too.

Stay safe smile

Regards,


Mentality/Chris
#76394 25/03/04 01:59 AM
Mostly harmless (Joined: Mar 2004, Posts: 1)
Hello,

I'm having the exact same problem with TrendMicro's HouseCall scanner. Every time I open mIRC I get the BKDR_IRCFLOOD.X virus, the same problem you have. I did get rid of the ieexec.exe program, checked my registry to see if it's infected, but I found nothing. I too believe that the scanner is false. If you happen to find a scanner that also picks up BKDR.IRCFLOOD.X, please reply or e-mail me @ jamesbond236@hotmail.com with an appropriate title regarding the virus BKDR_IRCFLOOD.X which appears on TrendMicro's HouseCall scanner.

Thanks,
- Jay

#76395 25/03/04 07:01 AM
Hoopy frood (Joined: Jun 2003, Posts: 5,024)
It's still a good virus scanner and is widely used even if it does turn up some wrong results - obviously it's just sensitive. If you simply scan with 2-3 of the virus scanners that appear in the Trojan resources thread you should know if you're clean or not.

Just an FYI, I wouldn't suggest posting your email on the public Forum; spam bots crawl the web and pick up those emails, subsequently spamming them.

Stay safe smile

Regards,


Mentality/Chris
#76396 26/03/04 10:59 AM
rew, Mostly harmless (Joined: Mar 2004, Posts: 1)
I've come up with the same. Digging through some logs and stuff, here is what is setting it off:

Debug Information Level=0
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\DefaultIcon]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Application]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\ifexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Topic]
BackupRegKey[HKEY_CLASSES_ROOT\.cha]
BackupRegKey[HKEY_CLASSES_ROOT\.chat]

and

Damage Cleanup Engine (DCE) 3.5(Build 1119)
Windows XP(Build 2600: Service Pack 1)

Start time : Fri Mar 26 02:49:08 2004


Load Damage Cleanup Template (DCT) "H:\WINDOWS\tsc.ptn" (version 298) [success]
BKDR_IRCFLOOD.X[virus found]
-->delete registry data("HKEY_CLASSES_ROOT","ChatFile\DefaultIcon",""E:\mIRC\mirc.exe"") success
-->delete registry key("HKEY_CLASSES_ROOT","ChatFile","") success
-->delete registry key("HKEY_CLASSES_ROOT",".cha","") success
-->delete registry key("HKEY_CLASSES_ROOT",".chat","") success

Complete time : Fri Mar 26 02:49:14 2004

Execute pattern count(718), Virus found count(1), Virus clean count(1), Clean failed count(0)

#76397 29/03/04 04:33 AM
Bowl of petunias (Joined: Mar 2004, Posts: 2)
Yes, I also have received the BKDR_IRCFLOOD.x, and only Trend Micro seems to be finding this file, and each time its HouseCall removes it, I reboot my computer and this file shows up again!

I have used NAV 2004 Pro, KAV, McAfee, AVG, Pest Patrol, Spybot Search & Destroy, and Trojan Hunter, the GFI Online Trojan Scanner, and none of these showed BKDR_IRCFLOOD.x!

Is BKDR_IRCFLOOD.x actually a file, much less a form of malware? I have spent the better part of the past 5 hours scouring my two computers and notebook here at home.

Jammy




Skepticism Is A Virtue
#76398 29/03/04 04:38 AM
Hoopy frood (Joined: Dec 2002, Posts: 1,541)
I couldn't tell you as this is not my area of expertise (aka how trojans work and what their filenames are called etc)


Those who fail history are doomed to repeat it
#76399 29/03/04 06:06 AM
Hoopy frood (Joined: Jun 2003, Posts: 994)


I refuse to engage in a battle of wits with an unarmed person. wink
#76400 29/03/04 06:46 AM
Ameglian cow (Joined: Sep 2003, Posts: 38)
@rew:
Debug Information Level=0 etc.
So it's harmless?

Like almost everyone else I too have that backdoor on my system. Only trend micro seems to find it, but not on every system. Even at home, where I have 3 different computers, just 1 is "infected".
Though I think nothing is wrong (using cmd and looking at netstat shows no open connection I didn't open myself), I did find something else. When connecting to irc.quakenet.org and joining #5on5 I got G-Lined. (Probably just an on-join G-Line.)
Still it's weird that every time you start mirc again, you have been "infected" again.

#76401 29/03/04 08:29 AM
Bowl of petunias (Joined: Mar 2004, Posts: 2)

Thanks! But ya know that I have never had any of those entries in my registry!!! I get so tired of manually going to my registry only to not find anything.

Trend Micro may have found something but how come none of the other AV programs can find anything?

Another reason why I agree that this is just a false positive.

Jammy



Skepticism Is A Virtue
#76402 29/03/04 08:16 PM
Hoopy frood (Joined: Dec 2002, Posts: 3,127)
it's not at all uncommon for one AV to find something that another one doesn't. have you contacted trendmicro to ask them to investigate whether it's a false positive? don't just assume it is. altho, if it was something within the basic mIRC (as downloaded from mirc.com) triggering it, then it seems like everyone with mIRC who uses housecall would get the same results


ParaBrat @#mIRCAide DALnet
#76403 31/03/04 07:48 PM
Mostly harmless (Joined: Mar 2004, Posts: 1)
I too have had this "virus". However, for me it only comes back after I restart mirc. If I start mirc, exit, clean it, restart mirc....it's there again. Don't open mirc, it doesn't appear!

I have none of those registry entries mentioned, nor the .exe file. Fortunately, I found this thread before I tried a format. Think I might try emailing Trend Micro about this.

kilo

#76404 31/03/04 09:27 PM
Mostly harmless (Joined: Mar 2004, Posts: 1)
Haven't you guys experienced any effects from the malware?

For me the malware deleted all my Internet Explorer Favorites (which was extremely frustrating) and changed my starting page.

#76405 31/03/04 09:50 PM
Hoopy frood (Joined: Jun 2003, Posts: 5,024)
I think what most of these guys are saying is that Trendmicro is turning up a confirmed infection when actually, they are not infected - meaning they would not suffer.

Perhaps you really were infected and therefore, you did.

Hope you manage to get back on track though :-)

Regards,


Mentality/Chris
#76406 01/04/04 01:32 AM
CTR, Mostly harmless (Joined: Mar 2004, Posts: 1)
I have the same problem..can't anyone help clean this virus?

#76407 01/04/04 05:06 AM
Hoopy frood (Joined: Dec 2002, Posts: 3,127)
CtrlAltDel provided a link to trendmicro that details how to clean that virus if you are in fact infected with it. Unless every file and all registry entries are removed, each time you open mIRC the trojan will restart.

Whether there is something triggering a false positive in puters that arent actually infected, i dont know


ParaBrat @#mIRCAide DALnet
#76408 01/04/04 09:37 AM
Mostly harmless (Joined: Apr 2004, Posts: 1)
i have the same problem,

i found out that this worm is creating 3 files in the folder %windows%\temp
the files are: mirc.exe, lol.exe and lol.bat

if i open any txt file, my system shuts down (it loads the lol.bat file first, and then mirc.exe and lol.exe)

- trendmicro is the only tool that finds this worm (but it didn't say which file is infected, only "systemfiles")

if i reinstall windows, will that solve this problem, or will i get this worm again if i connect to IRC?

sorry for my bad english
best regards
Whity

#76409 01/04/04 02:54 PM
Mostly harmless (Joined: Apr 2004, Posts: 1)
You have to delete Windows\System32\notepad.exe which is a self extracting file - virus. You can either:

1) replace this file with the standard Windows/notepad.exe

2) delete any reference to 'System32\notepad.exe' in your registry. When you do that, if you try and open a txt file, windows will ask you to select a program to open it with - just choose Windows\notepad.exe

#76410 01/04/04 02:55 PM
Pikka bird (Joined: Oct 2003, Posts: 16)
"Good day!
I apologize for the inconvenience we are causing you. Please place the mIRC executable in the exception list to avoid the false detection:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=17323
In the meantime, we will inform our virus doctors regarding this problem so that they can analyze it.
Thank you for using Trend Micro for your computer protection software. Please do not hesitate to let us know if you have further inquiries. Other means of reaching our office are indicated below.
Regards,
Trend Micro, Inc.
John Lolin
Consumer Support Team"

well ... ok? confused dslreports


"ytytyt = a lamers' version of asdf"
#76411 01/04/04 06:32 PM
Hoopy frood (Joined: Dec 2002, Posts: 3,127)
thanks for the info, just saw it today myself. hopefully someone will keep us updated with what TrendMicro's further analysis comes up with.

Word of caution: its always best to thoroughly check for the items that are listed as being part of this or any virus to be on the safe side. Dont just assume anything found is a false positive until you are sure.


ParaBrat @#mIRCAide DALnet
#76412 02/04/04 08:21 AM
Mostly harmless (Joined: Sep 2003, Posts: 1)
the solution was great but only intended for trend 2004...i have an updated trend 2002 and still i get a series of dos attacks whenever i log on to mirc so i have to reboot again. i tried looking for the exception folder myself and found it and included the mirc folder but still after a few minutes logging in it..same result..dos attacks..then reboot. thanks for the info and i apologize for asking...i must accept im a newbie to pc security. good day! smile

#76413 03/04/04 03:10 AM
Self-satisified door (Joined: Apr 2004, Posts: 3)
If you are re-installing mIRC from an executable that you have stored on a CD somewhere, then maybe that executable is infected - probably downloaded from a site other than those specified at www.mirc.com.

If those 3 files keep reappearing even after a re-install, then I'd redownload the mIRC installation program from a reputable source!

#76414 03/04/04 07:13 PM
Mostly harmless (Joined: Apr 2004, Posts: 1)
wow there is still no fix for this? confused

#76415 04/04/04 08:00 PM
Mostly harmless (Joined: Apr 2004, Posts: 1)
Yes there is. After just a quick look, I believe that this is a false positive. At least I hope.

The solution to this "virus" appears to be to install version 5.7.

Something in the registry I think that was added in version 5.8 and above, or something appears to trigger the Trend Micro alarm. I'm not sure what this could be, perhaps it is the registry keys indicated in the previous post.

#76416 05/04/04 03:59 AM
Self-satisified door (Joined: Apr 2004, Posts: 4)
I have this, too.

And I just got this yesterday night when I clicked on a link in a channel. It was from a person I know so, I didn't think it was fishy. Also, once you are infected w/ this, you advertise that link at certain intervals and only other ppl can see that link and not you, so you don't know about it.

I never had anything of this sort before so I _don't_ think this is a false positive.

I have also come to the following conclusion (like some before):

-it's a mirc backdoor.
-it doesn't self-re-install after booting your comp.
-it does that only after mirc.exe is executed.
-so far, only trend micro has picked this up.

*********************************

I went to this site for help, http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_IRCFLOOD.X (someone here posted it).

But, I am having some problems w/ their manual removal.

Quote:
Go to the directory where the file IEEXEC.EXE is located.
Open a command prompt in this location.
Type the following:
C:\ieexec.exe – uninstall
Press Enter to remove the application.


I can't find a file named "ieexec.exe."

Quote:
Open Registry Editor. Click Start>Run, type Regedit then hit Enter.
In the left panel, double click the following:
HKEY_CLASSES_ROOT>irc>Shell>open>command
In the right panel, locate the following entry:
(Default) = <current directory>\IEEXEC.EXE


Again, I didn't have an ieexec.exe key in there. Although, my key had " -no connect" at the end. Does anyone know what that means? I removed it. mIRC seems to be working fine so far.

Quote:
In the left panel, double-click the following: HKEY_CLASSES_ROOT>ChatFile>Shell>Open>Command


I don't have a key named "chatfile."

And similar problems w/ the rest of their solution.

I am actively seeking a resolution to this and will post when I find something new.

*sigh* frown

#76417 05/04/04 08:43 AM
Hoopy frood (Joined: Dec 2002, Posts: 3,127)
as i said in an earlier post, that trojan does exist in the wild, so its always possible some users are actually infected. Its only been happening recently with trendmicro's housecall that some ppl are being told they are infected with it but when they check, they dont have any of the files or registry changes noted as being dropped by that trojan. Trendmicro has said their virus doctors are investigating to see if there is something triggering a false positive. Until someone gets a response from them with the results of their analysis, we can only speculate.


ParaBrat @#mIRCAide DALnet
#76418 05/04/04 10:17 AM
Mostly harmless (Joined: Apr 2004, Posts: 1)
Hi. I'm brand new to this board, but I've been on mIRC a good six years now. I know better than to accept files ppl send to me without my having asked for them. I know better than to click on url's posted by just anyone in a channel. I know better than to type whatever someone may say to type. I too am having the BKDR_IRCFLOOD.X problem with trend micro. This time though, I watched carefully (for once) and the message just said HouseCall had found a malware.BKDR_IRCFLOOD.X and had cleaned it. It didn't say where it was found or which file it was found in. So, I went back to mIRC, and connected to my favorite server, then disconnected, and sure enough, it happened again. So, again, I reconnected to mIRC and disconnected. Then I went through the regedit procedure, and lo and behold none of the items mentioned by Trend Micro (or HouseCall whichever they prefer to call themselves) were listed in the regedit area. Therefore, my conclusion is, yes it, in my case at least, is a false alarm. (I used to run Pc Cillen II years ago, back in the days when puters wore animal skins, and it gave a false positive on an animated card a friend of mine sent to about six of us. Everyone else was running Nortons or Macafees, but me, and their a/v proggies did not hit on that card as being a virus. It was the title that set it off for me (apparently PC Cillen was super sensitive back then?) I spent something like four hours online with a friend that night trying to figure out if I had been infected or not (I was a true newbie in those days). I have to wonder if all of us who are having this problem are using the same version of mIRC? I'm running 6.12. I d/l mine from the official website too. Perhaps we're the only ones affected and therefore it's some sort of a benign glitch in the mIRC program itself??? Any thoughts (after all, I may have been around the block a few times on mIRC, but I'm no puter pro for sure).
I've been hit with so many things, and luckily my e_trust program has pulled my fat out of the fire each time. Anyway, I've rambled on enough for the new kid on the block. And thanks to whoever it was that posted those links for other sites offering free online scans. I ran one of the spy bot checkers (whatever the techie term is), and I am free and clean of ickies like that too...thanks again!
ouizee grin

#76419 05/04/04 02:35 PM
Hoopy frood (Joined: Dec 2002, Posts: 3,127)
its only been happening recently, and reports from users say its happening on more than one version of mIRC. I use housecall regularly and checked for all the files and registry entries before using it this time. (last time i had no probs) None present. Had the same thing happen that you and others report using Housecall. Opened mIRC (didnt even bother to connect), checked again, ran the scan again. Same thing. While i am inclined to agree it is indeed a false positive for many ppl (especially since no one is more neurotic about avoiding potential for trojans than i am) until Trendmicro's virus docs figure out what's going on we're making educated guesses. Check it out, run a couple other things to be sure, and wait for them to let us know their findings. I'm sure if it is a false positive they will make the necessary tweaks.


ParaBrat @#mIRCAide DALnet
#76420 05/04/04 11:50 PM
Mostly harmless (Joined: Apr 2004, Posts: 1)
I'm having the exact same problem as johnbull. I've run every free AV program I can get my hands on. I've also run Spybot and Ad-Aware, yet only trendmicro finds it, and my typical trendmicro run ends up with the same results as john's.

For the most part, I believe it is a false positive, yet for some reason I've been mysteriously k-lined from a server I very rarely join on plus the servers I idle on frequently, I tend to get nickserv killed and I get more software connection aborts. Before I noticed I had this malware.bkdr_ircflood.x on my computer, I hardly ever had any of these problems. Now they happen 1-2 times an hour.

I'm starting to get worried, because I have no clue where this trojan is at, if I do, in fact, have one. I hope someone finds an answer quick. frown

#76421 06/04/04 02:45 AM
Self-satisified door (Joined: Apr 2004, Posts: 4)
I wouldn't mind at all if this was a false positive but, the thing is "Why now?"

I've been scanning my comp w/ trend micro for a long time and did a couple of days before micro caught it.

And another thing, right now, there are so many of these links running around rampant on mirc. I've never seen so many infected ppl (ppl advertising, which they can't see).

Now, if I am not infected w/ anything then why was I advertising the infection borne link?

My guess is that this is opening a port (obviously). It's only a matter of time when he installs a trojan through that port. So, what I do is this; scan after I connect to mirc (don't have to scan the whole hd just till MT removes this thing.)

#76422 06/04/04 05:22 AM
Hoopy frood (Joined: Dec 2002, Posts: 3,127)
AV constantly add things, i didnt have any problem a couple days before either. Its always possible someone is actually infected, but when none of the files or registry changes are present, ppl cant help but wonder if its a false positive. they do happen


ParaBrat @#mIRCAide DALnet
#76423 06/04/04 06:57 AM
Bowl of petunias (Joined: Apr 2004, Posts: 2)
Let me begin by saying I've read every post here and still am not sure what to believe

One thing you might find interesting is if I run a trendmicro scan while running mirc I get a different virus alert

the virus is worm_thrax.a

http://de.trendmicro-europe.com/enterpri...amp;amp;VSect=T is where more information of this can be found. When I run trendmicro when IRC is not running it detects Bkdr_Ircflood.X.


I'd really like any information about this.

Thank you for reading.

#76424 06/04/04 03:50 PM
Self-satisified door (Joined: Apr 2004, Posts: 4)
Read this thread, http://www.esreality.com/?a=post&id=647799 , too.

Some of these guys ARE infected with a " wsz32.exe."

Again, I found nothing of the sort.

#76425 06/04/04 05:16 PM
Mostly harmless (Joined: Apr 2004, Posts: 1)
similar but would like to add:
using xp pro

when i found that there was no 'chatfile' key in my registry, i did a system restore to a point before i had the virus and the chatfile key was there. kinda made me doubt that this is a false positive.... I then un-did the system restore and did the following.

a registry search [start-run-regedit-click edit-find-then type in the file name] for the IEEXEC.EXE file and found it along with BKDR_IRCFLOOD* and malware.BKDR_IRCFLOOD.* Next i removed those 'entries' from my registry, just deleted the info and left the field blank.

Today i did the same registry search and the IEEXEC.EXE file is back but the other two files were not present.

During all of this i continued to scan using trendmicro and the 'malware cleaned' pop up would occur every time even though i had removed the files from my registry.

if this is a false positive, it sure is an active one!!!


#76426 06/04/04 11:39 PM
Mostly harmless (Joined: Apr 2004, Posts: 1)
I really do think this is a false positive for some. For those like me (where during the "system file" search, which is prior to searching any files, it says "found and cleaned malware.Bkdr_Ircflood.X", but does not list any files, and then the check runs through all files on the hard drive and finds nothing). I checked on the page given earlier "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_IRCFLOOD.X" which lists details about the virus. Under my registry entry, the default points to mirc.exe like it should, and not ieexec.exe like the page says it does. Also, I think I know why every time you restart mIRC it will re-find the virus and clean it again. On that same page it talks about many registry locations of "chatfile...". Well apparently, when you start up mIRC, all these entries are created. I checked them, and they all pointed to mirc.exe and not ieexec.exe; however, I believe that the trendmicro scanner is seeing these entries and assuming that it is the virus, and deletes those entries. Because after I run the virus scan and it says it cleaned it, I can no longer find any entries of "chatfile...". However, again if I close mIRC and restart it, those entries are back. I think this is where the false positives are coming from. Just a guess. Anyone care to comment on this? Please let me know if you are like me, and have the same thing, with those reg entries reappearing every time you start mIRC, but with them pointing to your mirc.exe and not an ieexec.exe. Thanks.

PS. This is not directed to any one person. Just to those that are having a similar situation where NO FILES are listed as infected, just during the "system file" scan at the beginning.

One final thing, just so someone can verify this for me. I have mIRC version 6.14 downloaded from mirc.com and installed. My mirc.exe has an MD5 Sum of: 31F010FCF0B67737B04F3B8F2C2639F5
If someone else who does NOT have this problem can check theirs and see if it matches mine, that would be great. Thanks.
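The check the posters above do by hand (look at the ChatFile and irc open-command keys, see whether they point at the real mirc.exe or at IEEXEC.EXE, compare the mirc.exe hash), as an added example that is not code from the thread or from Trend Micro. It parses a `reg export` of HKEY_CLASSES_ROOT and classifies each key named in this thread; the E:\mIRC install path comes from rew's log above, the .reg samples are constructed, and the trusted digest is something you supply from a fresh official download (MD5 only because that is what the thread compares; swap in hashlib.sha256 for a stronger check).

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Keys named in this thread: the ChatFile keys HouseCall's DCE log reports
# deleting, and the irc open command from Trend Micro's removal instructions.
WATCHED_KEYS = {
    r"hkey_classes_root\chatfile\defaulticon",
    r"hkey_classes_root\chatfile\shell\open\command",
    r"hkey_classes_root\irc\shell\open\command",
}
# Program names the writeup quoted in this thread ties to a real infection.
SUSPECT_PROGRAMS = {"ieexec.exe", "lol.exe", "lol.bat"}

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes: \\ and \"

def parse_reg_export(text):
    """[key] / name=value subset of `reg export` -> {key: {name: value}}, "" being
    the (Default) value. Quoted REG_SZ data is decoded; hex:/dword: kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def program_from_value(value):
    """Program path from an open command ('"E:\\mIRC\\mirc.exe" -noconnect "%1"')
    or from a DefaultIcon value ('E:\\mIRC\\mirc.exe,0')."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        path = value[1:end] if end > 0 else value[1:]
    else:
        path = value.split(" ", 1)[0]
    return re.sub(r",-?\d+$", "", path)  # drop an icon index

def _read_file(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None

def triage(reg_text, mirc_dir, trusted_md5=None, read_bytes=_read_file):
    """Classify each watched key as 'expected', 'suspect' or 'unverified'.
    mirc_dir: install directory of the official mirc.exe; trusted_md5: digest of
    that known-good file, supplied by the caller; read_bytes: injectable reader."""
    want_dir = mirc_dir.rstrip("\\").lower()
    results = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in WATCHED_KEYS or "" not in values:
            continue
        path = PureWindowsPath(program_from_value(values[""]))
        name = path.name.lower()
        if name in SUSPECT_PROGRAMS:
            verdict, why = "suspect", f"{path.name} is named in the BKDR_IRCFLOOD.X writeup"
        elif name != "mirc.exe":
            verdict, why = "suspect", f"unexpected program {path}"
        elif str(path.parent).lower() != want_dir:
            verdict, why = "suspect", f"mirc.exe outside the install directory: {path}"
        elif trusted_md5 is None:
            verdict, why = "unverified", "installed mirc.exe, no trusted hash to compare"
        else:
            data = read_bytes(str(path))
            if data is None:
                verdict, why = "unverified", f"could not read {path}"
            elif hashlib.md5(data).hexdigest().lower() == trusted_md5.lower():
                verdict, why = "expected", "installed mirc.exe matches the trusted hash"
            else:
                verdict, why = "suspect", "installed mirc.exe does not match the trusted hash"
        results.append((key, verdict, why))
    return results

# Constructed samples in `reg export` format (not taken from the thread).
SAMPLE_CLEAN = r'''[HKEY_CLASSES_ROOT\ChatFile\DefaultIcon]
@="E:\\mIRC\\mirc.exe"

[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
@="\"E:\\mIRC\\mirc.exe\" -noconnect \"%1\""
'''
SAMPLE_SUSPECT = r'''[HKEY_CLASSES_ROOT\irc\Shell\open\command]
@="C:\\IEEXEC.EXE \"%1\""
'''

if __name__ == "__main__":
    for key, verdict, why in triage(SAMPLE_CLEAN, r"E:\mIRC") + triage(SAMPLE_SUSPECT, r"E:\mIRC"):
        print(f"{verdict:10} {key}: {why}")
```

On a live system, `reg export HKEY_CLASSES_ROOT\ChatFile chatfile.reg` (and the same for `irc`) produces the input; a "suspect" on the command key is the case worth following up with the writeup's file list, while "expected" on all keys is what the false-positive reports in this thread look like.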

#76427 07/04/04 01:03 AM
Mostly harmless (Joined: Apr 2004, Posts: 1)
This is starting to really annoy me.. I've done everything I can to get rid of this. I've found nothing that housecall says I should find. No viruses, trojans, worms, nothing. Yet I still get this msg when I scan.. So is this something we can ignore?

#76428 07/04/04 01:04 AM
Hoopy frood (Joined: Dec 2002, Posts: 1,541)
I'd say (after all this time) if trend still finds an issue BUT when you follow their advice you see none of the harmful things (files/entries), then you should keep it in mind, but not worry about it as much as it (to me) SOUNDS like a false positive. I figure they'll figure this out soon and then we can be done with this once and for all lol


Those who fail history are doomed to repeat it
#76429 07/04/04 07:33 AM
Mostly harmless (Joined: Apr 2004, Posts: 1)
im not too sure about this as i have had this detected on my system, like everyone else i ran norton and it found nothing related to this virus but trend picked it up. the problem im having is that i found a file called NOTEPAD.exe so i deleted it, i also found loads of registry entries relating to it. And also found a funny entry in startup. the problem im having is that i cant get rid of it either but mine seems to be doing something, it wont let me speak to anyone on irc, they cant hear me and i cant see any txt other than joins/quits in every channel, this is really annoying. anyone else had this problem from the virus ???

#76430 08/04/04 12:30 AM
Hoopy frood (Joined: Dec 2002, Posts: 3,127)
Britneyfan: realize that the earlier post was not referring to the valid MS windows application also called notepad.exe, which is in the windows directory. He was referring to one apparently found in windows/system32 (altho i'm not familiar with that issue so i cant comment further) I dont know which it is you found.

there are two issues. some ppl are actually infected by the trojan which drops a modified mIRC (and modifies the mIRC icon) and creates the files/registry entries detailed at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_IRCFLOOD.X&VSect=T You can read there what the trojan does.
Others are told its found, but have none of the mentioned entries/files. Whether its a false positive being triggered by similarities or not, we can only wait for Trendmicro to say so and patch for it. Those ppl are also not having any problems on IRC such as you describe, so yours may be a diff issue

Is the problem only in channels? are you able to msg ppl? have you tried other networks? do you see any error msgs in your status window? What is the "funny entry" that you have in startup?

this may sound silly, but it wouldnt hurt to check your colors to be sure you havent set others text the same color as your background (hold down your alt key and click the k key to see the colors dialog or click on the icon that looks like crayons)

ParaBrat @#mIRCAide DALnet
#76431 08/04/04 12:38 AM
Fjord artisan (Joined: Jun 2003, Posts: 384)
I appear to have notepad.exe in both c:\WINNT and in c:\WINNT\System32 and both are legitimate Microsoft Notepad executables, so it appears that that bears no significance...

Edit:

OS of machine in question: Win2k SP4
OS installed: 4 days ago

#76432 08/04/04 12:50 AM
Hoopy frood (Joined: Dec 2002, Posts: 3,127)
ty for the info Deku, i run 98se and only have it under windows. i'm not sure what the post about it being in system32 is all about, since i'm not familiar with whatever trojan they mean. Mainly i wanted Britneyfan to be aware there is a legitimate MS notepad executable


ParaBrat @#mIRCAide DALnet
#76433 08/04/04 07:57 AM
Bowl of petunias (Joined: Apr 2004, Posts: 2)
I just wanted to note that no one has responded to my original post. I am detecting Bkdr_Ircflood.X, but there are some additional/different things I'm experiencing that might be of interest to everyone. The virus I mention below is also IRC related, take a look:

Let me begin by saying I've read every post here and still am not sure what to believe

One thing you might find interesting is if I run a trendmicro scan while running mirc I get a different virus alert

the virus is worm_thrax.a

http://de.trendmicro-europe.com/enterpri...amp;amp;VSect=T is where more information of this can be found. When I run trendmicro when IRC is not running it detects Bkdr_Ircflood.X.


I'd really like any information about this.

Thank you for reading.

Last edited by problem; 08/04/04 07:59 AM.
#76434 08/04/04 08:15 AM
Self-satisified door (Joined: Apr 2004, Posts: 4)
Speaking of notepad.exes. I have an extra one right now, in C:\WINNT\system32\dllcache. Before, I know for sure, I had only 2; one in c/winnt and c/winnt/system32. Anyone else have this?

I use win2k.

I don't have anything mysterious in my run/registry/sys memory. But, my comp's acting funny. For the love of my life I can't figure out how I lost a whole album (12 songs frown ). This is just paranoia. And my HLIT is all messed up. when I open it, it doesn't show any of my favs but, fav.dat is there w/ everything in it, the menu at the bottom is gone. It was working fine yesterday.

Perhaps formatting is long overdue.

*********************

Btw, I heard that

/remote off
/timers off

are good commands to secure mirc.

#76435 08/04/04 08:38 AM
P (Hoopy frood)
Joined: Dec 2002
Posts: 3,127
Of course check to see if any of the files/registry entries listed are on your computer. I'm afraid the only place any of us can get any info on whether this one is a false positive is from Trendmicro. Have you contacted them to ask?

Since the trojan you referred to seems to drop modified mirc.ini and script.ini, I'd also take a look at the ones you have. If they look like they should, perhaps something in your legit ini files resembles a known trojan string. (It certainly isn't uncommon to have backdoors and nasties in scripts ppl download.) Maybe include yours in a report to Trendmicro to give them something to go on? NOTE: be sure to remove any passwords you may have in your ini files before sending them off!

I'm not aware of anyone receiving emails from Trendmicro other than the one saying their virus doctors were looking into it. All any of us can do is check for what they say is dropped by these trojans and contact them if none of it is found. They need to know lots of ppl are having the problem and it isn't an isolated event. I know I'm not giving you any answers, but I can't; only Trendmicro can explain what's going on. If they are false positives, hopefully Trend will patch for them soon and stop giving us all gray hair.


ParaBrat @#mIRCAide DALnet
#76436 08/04/04 10:15 PM
W (Self-satisified door)
Joined: Apr 2004
Posts: 3
Hi, I'm new to this forum so bear with me. I just got through reading this thread. I was having a prob with my computer that just started 2 days ago: something was eating my memory running in the background. I also have run every scan and found nothing, then I ran Trend and it found this malware.BCKDR_IRCFLOOD.X and cleaned it.
The thing that concerns me is I haven't used mIRC in over 6 months, so I don't know how I got this.

#76437 08/04/04 10:29 PM
S (Hoopy frood)
Joined: Feb 2003
Posts: 3,432
It can come from a www page, a mail sent to you... so it doesn't have to be from mIRC... can even be included in some programs you have been installing lately...


if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }
#76438 08/04/04 10:39 PM
W (Self-satisified door)
Joined: Apr 2004
Posts: 3
Thanks Sparta, now you mention that, I was on a site the other night and a box popped up and said it was downloading something, grrrrrrrrrrrrrrrrrrrrrrrrr. So if Trend said it deleted it, does that mean I have got rid of it?

#76439 08/04/04 10:47 PM
S (Hoopy frood)
Joined: Feb 2003
Posts: 3,432
I suppose so. If you didn't scan your computer online, then do so here...


if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }
#76440 08/04/04 11:50 PM
W (Self-satisified door)
Joined: Apr 2004
Posts: 3
I did scan with Trend, that's who picked it up in the first place, but being a paranoid owner of a sick puter I'm scanning again. Thanks again for your advice.

#76441 09/04/04 01:02 AM
M (Hoopy frood)
Joined: Jun 2003
Posts: 5,024
-General Reply-

In an attempt to stop people asking if they're infected or not, please read this before posting any more! This is just a summary of everything I can think of, gathered from other people's good advice throughout this thread and some areas off this thread.

Question: What's this all about?

People are finding that, when using Trendmicro's Housecall virus scan, they are experiencing a virus detection of malware.Bkdr_Ircflood.X. CtrlAltDel posted a link to more technical information about this infection.

As ParaBrat has pointed out before, there are two main issues with this situation:

1) Trendmicro virus scan is detecting that you are infected with malware.Bkdr_Ircflood.X. If this is the case, clean your system exactly as is told to you by Trendmicro.

2) Trendmicro virus scan is detecting that you are infected with malware.Bkdr_Ircflood.X and you have followed all of the instructions and you can't find any of the problems that it says you should have OR you scanned before, and cleaned everything, and it still detects you as infected.

I suggest you use the resources in this thread and choose an antivirus or trojan scanner other than Trendmicro. I would personally recommend AVG, The Cleaner AND Ad-Aware.
If ALL 3 of these programs say you are not infected with any backdoors (or at least not with malware.Bkdr_Ircflood.X) then I would say you are not infected and Trendmicro is wrongly detecting you as being infected. If they DO detect that you are infected then you may not have followed the instructions properly or Trendmicro may not have detected all strains (versions) of the virus on your computer - so use those programs to remove the program, reboot, and once again scan with those 3 programs to ensure non-infection.

If you are finding that Trendmicro is detecting this virus and NO other virus scanners are, then it is fairly safe to assume you are not infected.
Please remember, we cannot tell you if you're infected or not, you must scan for yourself! We cannot tell if Trendmicro is or is not properly detecting the virus.

Question: How did I get infected?

This obviously only applies if there was actually an infection detected. Sparta made some good suggestions as to how people can get infected:

- You could have got this through an email attachment. It's a good idea never to open email attachments without scanning them with a virus scanner first, even if an email is from one of your friends (I have seen a lot of people say their "friends" have planted trojans on their computers for a bit of fun. It may be fun for them, but if they shut down your computer every 5 minutes, or accidentally delete an important system file because they don't know what they are doing, it might not be so fun for you!)
- You may have visited a website which has exploited you and planted this virus on your computer. It's best not to go to websites when you're not 100% certain of what's on them. You could visit a website and it automatically starts to download something - NO legitimate website on the entire Internet will do this, if you can, stop the download immediately.
- You may have installed a program recently that contains it. For your own security you should not install programs unless you know they are perfectly safe - this may include checking up on their security certificates and the company who has signed the download.

The above 3 ways could have happened even if you have not used IRC for a number of days, weeks, months or even years, and you are just coming back to using IRC. However, there are general computer safety guidelines you should follow, and also very IRC-specific guidelines you should follow to ensure you remain safe from viruses and you keep your private information private. Those may include:

- NEVER accepting files from people on IRC. Only accept files from trusted friends, 'trusted' meaning you've known them for months if not years, not because they've been nice to you for a few hours.

- NEVER typing suspicious things that people tell you to type, especially if they contain //write $decode or any other long form of what appears to be a jumble of letters and numbers.

- ALWAYS having an antivirus installed on your computer. If they have auto-protect features then have it enabled.

- ALWAYS having the latest updates from www.windowsupdate.com.

- ALWAYS having the latest version of your software. mIRC is an important one to have updated to avoid any exploits that may be found. You can always get the most up to date version at www.mirc.com/get.html.

The above should help you protect yourself from further infection. This does not mean it's impossible for you to be infected, so don't disregard any warnings that Antivirus programs give you, but it gives you a good chance at not getting infected.

Question: So what's being done about this?

Trendmicro emailed ytytyt and told him that their 'virus doctors' are looking into the situation. They also said to add mIRC.exe, for now, into your Exception List so that Trendmicro does not detect a virus in it. See this page for details.
Until there is another reply from Trendmicro nobody can give a definite answer as to whether or not this is a 100% certain "false positive" in Trendmicro. There is also very little we can do, as IRC users, other than wait.

Question: Shall I stop using Trendmicro? Delete it?

No. Let's not forget Trendmicro is still a good virus scanner and highly recommended by many websites, virus help channels and many IRC helpers. There does seem to be a slight glitch in how it scans mIRC, but other than that, it's good at picking up viruses and is a good addition to your computer!
That said, do remember as always, no ONE virus scanner can detect, protect and remove every virus threat - new viruses are released into the wild every day, there are hundreds of different types of viruses, trojans, backdoors etc. You need at least 2-3 virus/trojan scanners on your computer for effective protection.

Conclusion:

1) Scan your computer with Trendmicro.
2) If malware.Bkdr_Ircflood.X is detected, clean it.
3) After a reboot and following instructions carefully, scan again.
4) If Trendmicro continues to detect 'malware.Bkdr_Ircflood.X' use 2-3 other programs to scan your computer
5) If they find nothing, you're probably not infected!
6) If they do find something, clean your machine with those programs, reboot and rescan with those programs.

After that, you should be clean (once and for all!)

I hope this helps those people who browse this thread and prevents them from needing further help until Trendmicro gets back to someone about this issue =) - I by no means want to discourage people from posting if they have an issue, please do if you have more questions, but I think this post and the other posts throughout this thread answer a lot of questions that have been repeated and repeated!

Stay safe!

Regards,


Mentality/Chris
#76442 09/04/04 11:07 PM
J (Mostly harmless)
Joined: Apr 2004
Posts: 1
I use Norton AntiVirus 2004. After I got that "virus" I noticed my Norton was disabled and the AutoUpdate was turned off. I used TrendMicro's free online scan to see what was the problem. I couldn't run nearly any .exe. I checked the registry to see if there was anything wrong. It looked fine. Then I went to Norton's website, and it found something wrong with the registry (the exact thing I checked, as if it were hidden or something). It cleaned it all up. Then I tried installing mirc again and running it. It came back. I recently did a scan again. Found a WORM in my computer. My antivirus would have caught it, but for some reason it didn't. I think that the IRCFLOOD thing allowed it to come into my system, if not installing it itself. My system hasn't fully restored itself yet. Every time I would close something I use daily, an error would pop up.

And even now, I ran an old version of mirc from a CD, and the virus became active again. Is there a way to fully remove it?

I think that the mirc versions that have it should be removed from the website. It seems to open up a port; that may be how I got the worm. Also, could you guys put an older version that doesn't have it on the website please? I think you guys don't support the older versions, right? Just put the disclaimer saying that you don't support it, and not to email you. It would be greatly appreciated. I have to run Trillian's IRC now, and I hate it.

Also: ever since that happened, I can't receive downloads from anyone. I don't understand why, at all. Please, any suggestions and help would be greatly appreciated.

#76443 09/04/04 11:23 PM
M (Hoopy frood)
Joined: Jun 2003
Posts: 5,024
"My antivirus would have caught it, but for some reason it didn't."

Many viruses nowadays actually manage to disable or evade certain antiviruses because the people who release the virus code it to do so - that is why on this board we are constantly suggesting that people use more than one antivirus, to try and scan your computer from more than one angle. No one virus scanner can detect everything.

The mIRC download mirrors on www.mirc.com/get.html are perfectly safe - there are NO worms, backdoors, viruses, trojans or anything else malicious on those download mirrors or in the installer package that comes with it. Refer to the "How did I get infected" question in my last post (did you read that, by the way?). You will also find a version 5.91 (the last 16-bit version of mIRC) on that download site. You can download old mIRCs from many websites, simply search Google, although I would strongly advise against it.

As I also said in my last post, *WE* cannot tell you if you have a virus or not - we have no access, remote or otherwise, to your computer (nor do we want that) and many of us are not virus professionals or anything. You need to scan your computer with several virus AND trojan scanners, and preferably spyware scanners to try and clean yourself.

If you're having problems with DCC receiving then make sure it's definitely *your* problem; usually it's the sender's end. Try receiving files from 4-5 different people. If it doesn't work with any of them, try reading http://www.mirc.co.uk/help/getproblems.html or run a search on the forums for "DCC" or "DCC Get" and expand to 'All Forums' and 'All Posts' for best results. This is probably not related to any infections you have, although it is a possibility.

Regards,


Mentality/Chris
#76444 10/04/04 12:26 AM
D (Fjord artisan)
Joined: Jun 2003
Posts: 384
Quote:
Many viruses nowadays actually manage to disable or evade certain antiviruses because people who release the virus code it to do so


Sadly, most of the time this could be avoided if those who are using NT-based versions of Windows didn't in fact operate their computers as a user with full Administrator privileges.

If you operate your computer as a restricted user, download an infected file, and then execute the virus, it will be run with your permissions. So it will NOT be able to deactivate your AV software, it will NOT be able to write to the filesystem (except perhaps the C: root and any directories you have write access to) and it will NOT be able to deliver a destructive payload. The only viruses that COULD would be the ones that are gained through a system insecurity, a la MSBlast.

People need to sandbox themselves before any AV software and firewalls can be optimally effective.

#76445 11/04/04 11:28 AM
asa (Bowl of petunias)
Joined: Apr 2004
Posts: 2
Hi everyone, I for one am POSITIVE that I am in fact infected with this virus. I opened a malicious link (the link was to something.txt but the .txt was just the name of the directory the exploit was in) that an infected user had sent me. After being infected and many obscenities later, I discovered how it had gotten to my computer without me accepting any files.

The link uses a VBScript exploit in IE which drops a .exe which has several files packed in it. The files inside are "Load.dll", "fix.bat", "mirc.exe", and "shutdown.exe". Load.dll I assume contains APIs for mirc.exe. Shutdown.exe is an auto-extractor which inside contains a shortcut to "%windir%\system32\shutdown.exe -s -t 00 -f". This simply shuts down the user's computer instantly (-t 00) and forces the shutdown (-f). As of now, I have no idea whatsoever what mirc.exe does (useful huh?); I assume this carries the payload and is what changes the registry entries noted in the Trendmicro virus information. It is NOT a modified mIRC client, as I have run it myself and nothing seems to run, and I have monitored any open ports for a silent mIRC client. fix.bat simply deletes the aforementioned files including itself and only contains
"del c:\load.dll
del c:\shutdown.exe
del c:\mirc.exe
copy c:\windows\notepad.exe c:\windows\system32\
del c:\fix.bat"

Why it copies notepad to system32, I have no clue.

ONLY after being infected with this virus have I received the detection of Ircflood.X by Housecall.

#76446 11/04/04 12:32 PM
D (Fjord artisan)
Joined: Jun 2003
Posts: 384
Hmm. I have notepad in both system32 and winnt directories and I am not infected (win2k). Odd.

#76447 11/04/04 12:43 PM
Hoopy frood
Joined: Dec 2002
Posts: 2,985
It is in XP too.

#76448 11/04/04 05:26 PM
M (Hoopy frood)
Joined: Jun 2003
Posts: 5,024
Hi there asa.

A couple of posts ago I did state:

- A link to more technical information that Trendmicro had released.
- We can do nothing about whether you're infected or not, nor explain why the virus does what it does
- That Trendmicro does correctly detect the infection, but does also detect it incorrectly on clean machines.
- That Trendmicro's 'virus doctors' are looking into the matter.

Excuse any arrogance, but I don't see the need for constant posting of people informing us that they're infected or not, and re-answering questions that have already been answered several times!

Also, it's best not to post the same post in two threads which relate to the same thing.

Stay safe.

Regards,


Mentality/Chris
#76449 13/04/04 08:21 PM
T (Mostly harmless)
Joined: Apr 2004
Posts: 1
Alright. I just finished pretty much EVERY post here and on that other website thread.

Let me start by saying that this is 90% NOT a FALSE POSITIVE.
It's a mIRC backdoor/worm that's extremely difficult, if not impossible, to get rid of.

Like everyone else, housecall will find on my computer 'malware.BKDR_IRCFLOOD.X' trojan and simply report its successful identification and removal.

About a week ago I got a PM from a friend on a channel where I idle all the time.
It had a couple of lines like "sap" and "hi", then followed by a link to a flash animation poking fun at Microsoft Windows.
Other people reported a link to a .jpg file or even a .txt file.
I did a Norton AV scan immediately after, since my buddy told me that it wasn't him pm-ing me, but he's infected with a trojan. Norton didn't find anything, and it's been almost a week since then; my mirc was working just fine.

Yesterday I joined my usual list of channels and within 2 minutes started receiving suspicious messages from people all over whom I don't know.
Their replies were consistent with what the worm pm's other users, especially when some of them commented on the flash animation 'microsoft OS sux' and so on.
Of course, I would get kicked/banned from channels and servers.

I knew immediately my computer was infected for sure.
I scanned many times with housecall and other utilities. Only housecall finds it, supposedly 'removes' it, but it's back there next time I start mirc.

My conclusion is that trendmicro/housecall is not mistaken, but it simply doesn't know (yet) how to properly remove this serious threat. And all of you who think you are safe just because your mirc seems to be working fine, think twice.
I would say that the clever design of the worm allows it to 'sleep' for a few days and then start causing troubles.

I'm not going to take chances with this worm, since as reported by trendmicro, it not only affects mirc behaviour, but it can also record my activity online, steal passwords and use my computer for DDOS attacks.

For now I'm booting into my linux install until I get time to do this and also install a hardware router/firewall.

I'll try one other thing mentioned on boards and let you know final result, although I'll still format, it's just too risky.

Good Luck.

#76450 13/04/04 08:54 PM
T (Hoopy frood)
Joined: Nov 2003
Posts: 2,327
Trendmicro finds nothing on my computer, which is why I guessed it might not be a false positive.
Why would it report detection on some computers if it's a false positive? I would say that it would detect it on all if it was.


New username: hixxy
#76451 15/04/04 08:21 PM
O (Mostly harmless)
Joined: Apr 2004
Posts: 1
Whenever I connect to mIRC, I find this virus as well when I run the online scanner. However, I also get about 50 connection attempts from 69.50.181.165 hitting different ports, wanna.see.a.massdeop.us, MAIL.ATRIVO.COM. If you open the second website address, there's a bunch of pictures and a video of some sort of party... I don't know if the two are related, however for me they did appear around the same time.

#76452 16/04/04 12:53 PM
K (Self-satisified door)
Joined: Apr 2004
Posts: 4
I am also having this problem; been looking for a couple days now and there are still no answers, but I have found some links on the mIRC website that could help.

https://forums.mirc.com/showflat.php?Cat=...amp;amp;fpart=1

This page has several links that seem like they could be pretty helpful. I would try them but I'm on a public computer right now, so someone tell me if anything worked or not...

#76453 18/04/04 04:16 PM
K (Self-satisified door)
Joined: Apr 2004
Posts: 4
IS TRENDMICRO EVEN TRYING TO FIGURE THIS OUT?!

#76454 18/04/04 04:22 PM
M (Hoopy frood)
Joined: Jun 2003
Posts: 5,024
Please read this post, it says just about everything that can be said at least from what I have seen.

There is, however, no point in using caps (which is considered "shouting" on the Internet in general, including the IRC community) - shouting at us is rude and uncalled for, no matter how frustrating something is - especially when the answer lies in this very thread.

It was reported that Trendmicro's 'virus doctors' are looking into the matter - they may or may not have found an answer yet, these things can take time. There is little *WE* can do about the issue.

Happy chattin'.

Regards,


Mentality/Chris
#76455 18/04/04 05:45 PM
S (Fjord artisan)
Joined: Apr 2003
Posts: 210
Like other people I get this error. For instance, when mIRC is not open it will detect and clean the virus (whilst "scanning system files"). Then with any further virus scans the virus will not be found. However, if I open mIRC and then close it again, and then re-scan, it finds the same virus. Very odd, I can't think what mIRC could be adding to my "system files" even if it is a false pos.?

After the virus is cleaned it isn't detected again until mIRC has been re-opened. So if mIRC is still open after a clean, the virus is not detected by further scans. So it seems mIRC creates some kind of file when it opens which Housecall doesn't like.

I also tried this on a copy of 6.03 which I have stored in a different folder (which excludes the possibility of that one copy of mIRC being genuinely infected on my system?). Same results.

Note: when I say virus scan I am of course talking about TM's Housecall.


Last edited by saxon; 18/04/04 05:59 PM.
#76456 18/04/04 09:37 PM
S (Mostly harmless)
Joined: Apr 2004
Posts: 1
I too am one of those people unable to find IEEXEC.EXE and everything else Trend Micro lists to remove from the registry, etc., etc., but enough about that.

Maybe this was a coincidence (I'm not sure if wabbyyy was referring to the same thing) but prior to the first scan I ran, I had rebooted after installing the monthly Windows updates and my computer was painfully slow - it took about 30 minutes to get to my desktop. In task manager, my cpu load was at 98-100% before I had even run any programs. 24 hours later or so, it started running normally just like that. Anyone else have this problem? I found one other incident like this on Google but I'm not sure if it's related to BKDR_IRCFLOOD.X or just a mere coincidence.

#76457 19/04/04 08:49 AM
M (Mostly harmless)
Joined: Apr 2004
Posts: 1
I have the same problem like others that run mIRC. The "malware.BKDR_IRCFLOOD.X" is detected only with Trendmicro's software. Neither Norton, McAfee nor BitDefender found any traces of it. My mIRC client is currently version 6.14.

I have a question in regards to the "IEExec.exe" file. Is this file associated with Microsoft's .NET Framework? These entries below are found along with the path pointing to the ieexec.exe file. These entries were found on two machines I have mIRC installed on. It seems it does not like to be deleted. The file is copied back over as soon as it is deleted. Is it a Windows protected system file? I assume booting into the recovery console to delete the file would work? Can someone confirm whether "IEExec.exe" is a legitimate Microsoft .NET Framework file or not.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExec.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ieexec.exe.config.orig
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll

#76458 19/04/04 06:37 PM
A (Mostly harmless)
Joined: Apr 2004
Posts: 1
Well, I read through all the posts in this topic, and I decided to check something. Now, I'd first noticed this on my own computer sometime after I came back from spring break last month, and only Housecall was detecting it (neither NAV nor BitDefender registered anything). Very confusing, since I tend to be fairly paranoid about what I do with my computer, and I'd never had it before. Thing was, I couldn't remember whether this was pre- or post-upgrade to 6.14. So, I just tested this on my office computer, which I know was clean before I tried. I had mIRC v6.12 on my office computer, checked it with Housecall, nothing. I then upgraded it to v6.14, checked it with Housecall again, I got a hit. To me, this suggests that there's some change between these two versions that is being mistakenly identified as malware by Housecall. Anyone else clean with 6.12 want to try this to see if this also occurs? I can't imagine that there would have been a drastic code change that would have created this, but I'm not that savvy when it comes to code.

Last edited by Aurion; 19/04/04 06:39 PM.
#76459 19/04/04 08:35 PM
zfr (Babel fish)
Joined: Oct 2003
Posts: 51
Please don't delete any files or registry entries.

This is simply a bug in housecall.

If none of the other antivirus programs detects it, then you are not infected.

Housecall pops up the same message to me. But it does that way before it starts scanning. And at the end of the scan it doesn't detect any infected files. Normally, it displays a list of infected files and suggestions on how to deal with them.

#76460 20/04/04 03:26 PM
F (Mostly harmless)
Joined: Apr 2004
Posts: 1
Norton found nothing and Housecall did, and for me it's not just a bug.
I got a pm from a mate who had the ircflood and I clicked.
The same week I too started to pm people on my irc channels.
I searched all the Google pages on malware.Bkdr_Ircflood.X and
did not find the solution that fixed the problem.
I too have the IEExec.exe, the config and the dll file; they always come back.
I hope the virus directors are working on the ircflood and find a solution; now I can't use irc any more.



#76461 20/04/04 03:39 PM
D (Fjord artisan)
Joined: Jun 2003
Posts: 384
Quote:
...now I cant use irc no more.


Why not use another IRC client in the meantime?

#76462 20/04/04 05:28 PM
T (Mostly harmless)
Joined: Apr 2004
Posts: 1
hi guys,

I'm new to this forum; I came here with the hope of finding a solution for the BKDR_IRCFLOOD.X I caught myself. Now I see you guys have no solution either. To me it happened the same way as to many of the other guys in here as well. Housecall found the trojan; I don't have IEEXEC.EXE nor any registry entries of it on my system, so the Housecall "get rid" suggestions won't work for me. That's why I did some investigations on it.

Let me explain what I discovered so far. All started when I got pmed by a mate from a chan with a link inside which I clicked... dumbass me. A couple of days later I wondered why I got scanned many times a day for Sokets de Trois v1, more than 20 times a day. My Norton Personal Firewall blocked them away, hopefully... By chance I found that Housecall virus scan thingy and for pure curiosity I ran that scan and... BINGO, infected.
As I said above, Housecall's suggestions don't work for me so I started to investigate. I read several boards and such and on the way found this one here.
At first I noticed the Notepad.exe in my system32 folder, which I dumped. After that I ran a registry cleaner which found 46!!! links related to notepad.exe in the system32 folder. I removed all of them and the system still runs solid. Now I haven't been scanned for Sokets de Trois v1 any more. Then I got HijackThis for information on what is going on on my system. It detects anything that has been executed on the system. There were no suspects. Probably you guys may be helped by it.
Then I got Process Explorer, which gives you info on what is loaded. Unfortunately it wasn't any help for me, but probably for you guys.

Because I'm not that trojan hunter crack either (this is my first one), I thought why not compare the HijackThis scans and probably together we are able to find that shitty thing.

This is my scan after starting mIRC without doing the Housecall clean up:

Logfile of HijackThis v1.97.7
Scan saved at 19:26:41, on 20.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
C:\Programme\Trend Micro\Internet Security\tmproxy.exe
C:\Programme\Norton Personal Firewall\NISSERV.EXE
C:\Programme\DU Meter\DUMeter.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Norton Personal Firewall\IAMAPP.EXE
C:\Programme\Trend Micro\Internet Security\pccguide.exe
C:\Programme\Trend Micro\Internet Security\PCClient.exe
C:\Programme\Trend Micro\Internet Security\TMOAgent.exe
C:\Programme\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\WebWasher\wwasher.exe
C:\Programme\TuneUp Utilities\MemOptimizer.exe
C:\Programme\STK007\STK007M.exe
C:\Programme\ISDN Monitor\ISDNMO32.EXE
C:\Programme\Topdesk\TDeskDEU.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\mIRC\mirc.exe
C:\Programme\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freenet.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DU Meter] C:\Programme\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iamapp] C:\Programme\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Programme\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Programme\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WebWasher] C:\Programme\WebWasher\wwasher.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] C:\Programme\TuneUp Utilities\MemOptimizer.exe autostart
O4 - Startup: ISDN Monitor 32.lnk = C:\Programme\ISDN Monitor\ISDNMO32.EXE
O4 - Startup: TDeskDEU.lnk = C:\Programme\Topdesk\TDeskDEU.exe
O4 - Startup: Windows-Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: STK007 PNP Monitor.lnk = ?
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.6180902778
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/de/techsupp/activedata/ActiveData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F49DA492-7B88-463F-B389-CA9A02F6DA76} - http://www.seagate.com/support/disc/asp/tools/de/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EB636CB-9E81-4A9E-8E36-3769378FD4E5}: NameServer = 213.148.129.10 213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{261BF471-5B25-4DE2-90B9-562280EE3F6B}: NameServer = 192.168.120.252,192.168.120.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4DB604B-581A-43A1-B664-34252880D5D4}: NameServer = 192.168.1.1


Togi

Last edited by Togi24; 20/04/04 05:50 PM.
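An added example, not part of Togi's post and not code from Trend Micro or the HijackThis author: a small Python triage script for logs in the HijackThis 1.97 format shown above. It parses the "Running processes" list and the R/O entries, then flags what a helper would look at first: a running process or an O4 autostart (Run key or Startup folder) that uses a core Windows binary name such as notepad.exe or svchost.exe from a folder the genuine one never lives in, which is how a "second notepad.exe" would show up, an O4 entry whose image sits outside Windows/Program Files, and O17 NameServer entries that point at public resolvers so they can be confirmed against the ISP. The log embedded below is constructed in the same format (the "[Microsoft Update]" entry and its process are planted, hypothetical persistence entries), and the trusted-folder lists are assumptions for a German or English Windows XP install.

```python
import re
from ipaddress import ip_address

# Constructed sample in HijackThis v1.97 log format; NOT the log posted above.
# The "[Microsoft Update]" O4 entry and the matching process are planted,
# hypothetical persistence entries so that the triage has something to flag.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 19:26:41, on 20.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\notepad.exe
C:\Programme\mIRC\mirc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freenet.de/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Microsoft Update] C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\notepad.exe
O4 - Startup: ISDN Monitor 32.lnk = C:\Programme\ISDN Monitor\ISDNMO32.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4DB604B-581A-43A1-B664-34252880D5D4}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EB636CB-9E81-4A9E-8E36-3769378FD4E5}: NameServer = 213.148.129.10 213.148.130.10
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in an executable extension, quoted or not,
# also inside "RUNDLL32.EXE C:\...\foo.dll,Entry" style commands.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|com|bat|scr|pif)", re.IGNORECASE)

# Assumed layout of a German or English Windows XP install (C:\Programme = Program Files).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\winnt\\", "c:\\programme\\", "c:\\program files\\")
# The only folders a genuine copy of these binaries lives in (assumption).
SYSTEM_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\winnt\\", "c:\\winnt\\system32\\"}
SYSTEM_BINARIES = {"notepad.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}


def parse_hjt(text):
    """Split a HijackThis log into its process list and its (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                       # a blank line ends the process list
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def image_path(command):
    """Executable (or DLL) path referenced by an O4 command line, or None."""
    m = PATH_RE.search(command)
    return m.group(0) if m else None


def misplaced_system_binary(path):
    """True when a core Windows binary name runs from a folder the real one never lives in."""
    folder, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARIES and folder + "\\" not in SYSTEM_DIRS


def triage(parsed):
    """Return (where, reason, text) findings worth a closer look."""
    findings = []
    for proc in parsed["processes"]:
        if misplaced_system_binary(proc):
            findings.append(("process", "system binary name outside Windows folder", proc))
    for sec, body in parsed["entries"]:
        if sec == "O4":                    # autostart entries: Run keys and Startup folders
            path = image_path(body)
            if path is None:
                findings.append((sec, "no image path found", body))
            elif not path.lower().startswith(TRUSTED_ROOTS):
                findings.append((sec, "autostart outside Windows/Program Files", body))
            elif misplaced_system_binary(path):
                findings.append((sec, "system binary name outside Windows folder", body))
        elif sec == "O17" and "=" in body: # per-adapter DNS servers
            for server in re.split(r"[ ,]+", body.split("=", 1)[1].strip()):
                try:
                    public = not ip_address(server).is_private
                except ValueError:
                    public = True          # not an IP address at all: look at it
                if public:
                    findings.append((sec, f"public resolver {server}, confirm it is your ISP's", body))
    return findings


if __name__ == "__main__":
    for where, reason, text in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{where}] {reason}: {text}")
```

Run it against a saved log by reading the file into `parse_hjt`. Public resolvers are reported as "confirm", not "malicious": the 213.148.x.x servers in the log above are simply the ISP's, and the check exists so that a changed resolver stands out.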
#76463 20/04/04 05:52 PM
Joined: Dec 2002 | Posts: 1,541 | Hoopy frood
Ok, I don't know how much of this will apply, but according to Microsoft, THIS LINK says Win2k does this on install (2 copies of notepad.exe). I'm not saying anybody is or is not affected by all the viruses, just shedding more light onto the situation is all.

FYI, I just replied to the LAST post, so this is a general FYI.


Those who fail history are doomed to repeat it
#76464 21/04/04 12:28 AM
Joined: Apr 2004 | Posts: 4 | Self-satisified door
This is not just a bug in HouseCall. I am a paying customer of PC-cillin Internet Security as well as McAfee, and PC-cillin continues to find this problem. It also continues to "clean" it, and it is becoming very aggravating.

I have emailed Trend Micro about this and hopefully they will get back to me soon.

#76465 21/04/04 07:17 AM
Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
I should imagine the general scanning process in HouseCall and PC-cillin is the same, as they are both produced by Trend Micro.

Trendmicro have already been contacted, and as has been said before, they have said their 'virus doctors' are looking into it - if they haven't cured it by now, they probably won't do, but these things do take time.

-Generally speaking-

Sorry, but I have to wonder why people keep posting - everything that can be said has been said, and if people would just take a little time to browse this entire thread, every question possible related to this topic is answered. Grateful as I/we are for your contributing technical details of the scan, to be blunt, it is of little use to us. Send it off to Trend Micro and let them analyse it. We cannot speak on behalf of Trend Micro. They must be contacted themselves, and we cannot come up with a cure for it!

Regards,


Mentality/Chris
#76466 22/04/04 01:29 AM
Joined: Apr 2004 | Posts: 4 | Self-satisified door
I ran the Trend Micro scanner and it said it found and cleaned it. It didn't do anything else. However, whenever I try to open mIRC I fail, and when I run Trend Micro again it finds the same virus.

#76467 22/04/04 03:23 AM
Joined: Dec 2002 | Posts: 3,127 | Hoopy frood
Several people have reported it showing up again on Trend Micro scans after opening mIRC. Regarding that, all we know is what has already been said several times in this thread.

If your question was about why you "try to open mirc i fail", we need a bit more info. Do you mean you can't bring mIRC up when you click on the shortcut, or can't connect to a server, or what? If you can tell us exactly what happens and any error messages, we might be able to help.


ParaBrat @#mIRCAide DALnet
#76468 22/04/04 04:12 AM
Joined: Apr 2004 | Posts: 4 | Self-satisified door
Ok, here's what I get. I open up mIRC. I don't connect to any servers. I run Trend Micro and I get a message saying it found and cleaned malware.bkdr_ircflood.x. Now I close mIRC and I run Trend Micro again and it doesn't find anything. Then I open mIRC again and I don't connect to any servers. I run Trend Micro and I get the message that it found and cleaned malware.bkdr_ircflood.x. So every time I open up mIRC the virus comes back.

#76469 22/04/04 04:19 AM
Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
In that case, read what ParaBrat said:

"Several ppl have reported it showing up again on trendmicro scans after opening mIRC. Regarding that, all we know is what is already said several times in this thread."

Now, read my post a few posts up from this one, under the "Generally speaking" part of it... we really can't say much more. There is not much use telling us Trend Micro has found the virus; we can't do anything about it, and we already know there is an issue (as there are over 70 replies in this thread).

Also, and I don't want to sound arrogant/big-headed, but I did attempt to ask 90% of questions possible by gathering information from the other posts in this thread - see this post earlier on. Since then, I have only seen 2-3 reasonable replies.

To be honest, it seems people are posting now just because it's a big thread, for no particular reason, and making no effort to get past the first few posts.

Regards,


Mentality/Chris
#76470 22/04/04 04:25 AM
Joined: Dec 2002 | Posts: 3,127 | Hoopy frood
Your being unable to connect to a server may not have anything to do with this issue with Trend. What message are you getting when you try to connect? Unable to connect? G-line/K-line? Are you sure that server is linked and working? (Check on the network's website for a list of servers to try.)

In your main mIRC window, type (don't forget the /):
/server b0rk.uk.quakenet.org

If it doesn't connect, then try:
/server 213.221.165.248

If you can't connect, tell us the exact message you see, please.


ParaBrat @#mIRCAide DALnet
#76471 22/04/04 04:40 AM
Joined: Apr 2004 | Posts: 4 | Self-satisified door
I can connect to every server except for GameSurge. I was initially g-lined for having the virus. Since then it's been removed. Now here's what I'm doing. I open mIRC, I try to connect to GameSurge, and this is what I get:

* Connecting to irc.gamesurge.net (6667)
-irc.gamesurge.net- *** Looking up your hostname
-irc.gamesurge.net- *** Checking Ident
-irc.gamesurge.net- *** Couldn't look up your hostname
-irc.gamesurge.net- *** No ident response
Ping? Pong!
bots/clones #rofl.gov.
Closing Link: rtuyu by Geneva.CH.EU.GameSurge.net (G-lined)
* Disconnected

I've checked the GameSurge website and I currently have no g-line. I've also tried all of their servers and I get the same message. I've posted on GameSurge's message boards and the admins say they removed my g-line. But yet it still says I'm g-lined.

Any ideas?

#76472 22/04/04 04:45 AM
Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
That's down to GameSurge's administration I'm afraid - they must have missed the g-line, or they have checked an incorrect IP address. If you browse the web through a proxy that would produce an incorrect IP/hostname. There's nothing we can do I'm afraid, you'll have to walk through the process with them.

The reason you get it on all servers is because a g-line is a global ban - set on all servers.

Best of luck.

Regards,


Mentality/Chris
#76473 22/04/04 11:18 AM
Joined: Apr 2004 | Posts: 3 | Self-satisified door
"By opening that link (clanbase hacked, blablabla..), your browser gets redirected to sh0ut3tb34ts,tk. This URL points your browser to a page containing some malicious code. Using the security holes of some browsers, the worm will then download another file. After being executed automatically, this file will install a hidden mIRC-client on your PC. This client automatically connects to a certain IRC server and joins a certain channel. By typing some commands in this channel, that guy could get full control over your PC. For example, he could see any file on your computer. The script even contains a special command which reads your CD-Keys for Half-Life, Battlefield 1942 + Vietnam, UT 2004 and Quake 3 from your registry and sends them directly to him."

That's what I've heard about this virus; does anyone know if it's true? I have also been infected and can't remove it. Every time I start nnscript (mIRC) it somehow comes back.

Tried to delete the extra notepad.exe and all that... makes no difference though.

#76474 22/04/04 11:57 AM
Sat | Joined: Apr 2004 | Posts: 871 | Hoopy frood
The shoutedbeats-tk trojan is only one of the many versions of mIRC-based trojans going around at the moment.

If you've been infected with that specific trojan, you could try this remover program (warning: use at your own risk!). However, please note that if you have been infected, the attacker has had full control over your system, so this remover tool is only the first step - you should definitely use recently updated anti-virus software as well (and that's always a good idea anyway, you might already have other infections on your system).


Saturn, QuakeNet staff
#76475 22/04/04 01:00 PM
Joined: Apr 2004 | Posts: 3 | Self-satisified door
I tried that Q-fix, it said I'm all clear... still HouseCall finds that virus every time I restart mIRC. Panda and Norton AntiVirus 2004 can't find anything though... don't know which one of them to trust.

#76476 22/04/04 01:07 PM
Sat | Joined: Apr 2004 | Posts: 871 | Hoopy frood
Please make sure you have read the previous posts in this thread...


Saturn, QuakeNet staff
#76477 22/04/04 01:38 PM
Joined: Apr 2004 | Posts: 3 | Self-satisified door
I have... not helping me much since no one really knows how to remove the virus, at least not yet... I'll just have to wait, I guess... or maybe it's time for a format c:

#76478 22/04/04 03:17 PM
Joined: Apr 2004 | Posts: 4 | Self-satisified door
Has anyone else tried formatting or going back to a System Restore point before the virus? I know a few people have and said that it didn't work.

#76479 22/04/04 03:28 PM
Joined: Apr 2003 | Posts: 210 | Fjord artisan
No, it doesn't work... You'll notice that HouseCall cleans the virus, until you open mIRC again and it's reinstated.

HouseCall detects it whilst scanning system files. Whatever mIRC is adding there I don't know, as HouseCall doesn't inform you what or where the infected object is.

#76480 22/04/04 04:28 PM
Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
Quote:

not helping me much since noone really knows how to remove the virus, atleast not yet..


As I have said in previous posts as have others, this is an mIRC help board - we're not virus experts (specifically) and the people to handle it must be the people who are qualified to. We're simply volunteer helpers who know little more than you do - everything "we" do know is explained in this thread.

Information and manual removal information is posted around the Internet, look through this thread and you'll find a link that explains Trendmicro's method of removal - if you've followed those steps and don't find what it suggests or do actually follow the instructions and remove said files, then the chances are you're not infected anymore.

If your issue is not with malware.Bkdr_Ircflood.X then it does not relate to this thread. You will need to use 2-3 virus scanners, as you have done, and if one is finding an infection and 2 are not, use another 2 virus scanners. If neither of them finds it either, the chances are you are not infected.

Fact is, we have no/little chance of being able to directly help you, we don't know your computer setup, or know about every single virus (there are hundreds/thousands). All we can do is to provide you with a link that explains the infection and how to remove it. You can find that yourself though using Google.

This thread isn't here to help with viruses in general, it was started to report a possible false positive in Trendmicro. Trendmicro have said their virus doctors are looking into it, we cannot say anymore because we don't actually know anymore!

Good luck.

Regards,


Mentality/Chris
#76481 23/04/04 11:53 PM
Joined: Apr 2004 | Posts: 1 | Mostly harmless
I have the BKDR_IRCFLOOD.X malware on my computer too and am unable to connect to DALnet... I get akilled with the following message:

[1:38am] * Connecting to powertech.no.eu.dal.net (7000)
[1:38am] Local host: homebase (198.77.157.106)
[1:38am] ••• You are banned from connecting to this server ("You have been autokilled.")
[1:38am] -powertech.no.eu.dal.net- *** You are not welcome on this network.
[1:38am] -powertech.no.eu.dal.net- *** autokilled for [AKILL ID:1082727678K-a] [exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information. (2004/04/23 16.49)
[1:38am] -powertech.no.eu.dal.net- *** Your IP is 62.243.15.65
[1:38am] -powertech.no.eu.dal.net- *** For assistance, please email kline@dal.net and include everything shown here.
[1:38am] ••• Error: Closing Link: 0.0.0.0 ([AKILL ID:1082727678K-a] [exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information. (2004/04/23 16.49))
[1:38am] * Disconnected

I know that BKDR_IRCFLOOD.X is a dropper program that creates a folder (which I can't find) and creates an autorun registry entry that allows it to execute on every system startup.
It probably comes with mIRC 6.14 somehow, and I have no idea how to get rid of it except go to HouseCall, which finds that particular file but not the rest of the files it drops. So every time I reboot, I have the same problem.

The files it drops are BKDR_IRCFLOOD.X, BAT_IRCFLOOD.X and IRC_IRCFLOOD.X.

It supposedly creates this folder (which I don't have):
C:\%Windows%\Microsoft.NET\Microsoft:NET\Framework\v1.0.3705\

When I do a search for BAT_IRCFLOOD.X the search comes up with 2 files: lpt$vpn.867 and vptnfile.867, both in C:\WINNT.

I run Windows 2000 Server and have no idea what to do.

#76482 24/04/04 12:03 PM
Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
"C:\%Windows%\Microsoft.NET\Microsoft:NET\Framework\v1.0.3705\" I think should be "C:\%Windows%\Microsoft.NET\Framework\v1.0.3705\" - "Microsoft:NET" is invalid in a path. On a Win 2000 system, that will expand to C:\WinNT\Microsoft.NET\Framework\v1.0.3705\ (Assuming windows is installed on C drive and uses the default 'winnt' directory)

lpt$vpn.867: According to http://security.uwo.ca/antivirus/patches.html this is a pattern file for detection|removal of WORM_MSBLAST.A & VARIANTS

The url "http://kline.dal.net/exploits/akills.htm#os" Does not mention any particular trojan. There are many many such worms out there.

I suggest you download a couple of the trojan removers listed in this post, update them and scan. The shareware versions will mostly give you thirty days of full usage to try them out.

#76483 27/04/04 09:42 PM
Joined: Apr 2004 | Posts: 4 | Self-satisified door
I may have found a solution for some of us:

My circumstances were the so-called "sleeper" trojan. I emailed Trend Micro about it, this is what I was told to do, and I have not had any problems since:

1. Create a temporary folder in a location that you're familiar with (ie: Desktop, C:\, My Documents etc.). To create a folder, right click on your target location and select New > Folder. Rename the folder as 'system cleaner'.

2. Download sysclean.com here: http://www.trendmicro.com/ftp/products/tsc/sysclean.com
** Make sure to save sysclean.com to the 'system cleaner' folder created earlier, otherwise the scanning will not work.

3. You'll also need to download the latest pattern file. Sysclean.com will use the algorithms in this file to detect and clean viruses. Please download the latest virus pattern here: http://www.trendmicro.com/download/pattern.asp
** Once again, make sure to save the LPTxxx.zip file to the 'system cleaner' folder created earlier.

4. Once the virus pattern file download has been completed, you'll need to extract its contents to the 'system cleaner' folder. You'll need WinZip to extract the contents of the file. Please visit our knowledgebase for the instructions.

5. Check the 'system cleaner' folder for the following files: sysclean.com & lpt$vpn.xxx. Once the files are present, please restart your computer and access Windows SAFE MODE.
   a. Restart your computer.
   b. After the memory test and BEFORE the Windows loading screen appears, press F8 repeatedly.
   c. If successfully performed, a menu will be displayed. Choose 'Start Windows in Safe Mode' or 'Safe Mode'.

6. Once in Safe Mode, simply double-left-click on sysclean.com. It should start the scanning process and wipe out/clean viruses detected.

Worked for me... if it doesn't work for anyone else, then I don't know. Just try it.

#76484 30/04/04 09:20 PM
Joined: Dec 2002 | Posts: 23 | Ameglian cow
OK, here is my problem with the whole situation: it's been about 27 days since ytytyt first received an email response from Trend. To not have any real answers on this subject almost a month later really irritates me (with Trend).
Does Khaled/mIRC not feel any obligation to hasten communications with Trend? I know if it were my program that was in this situation I would be communicating with them every day and informing people of any real information/answers that come out. Maybe he already has and nothing relevant can be posted publicly yet.
For it to take this long seems to me that nothing is being done (by Trend), because they probably think it's a false positive. Then again I may be quite wrong, as I don't know any history with other viruses and how long new and/or possibly troublesome, difficult viruses take to be resolved and fixes found for.
*wonders if ytytyt has yet received any response from Trend...*
Can anyone tell me a tool to use to see when/if a malicious mIRC is being operated from my computer and the traffic it would produce?
Sorry, but it really makes me MAD when someone/something prevents me from using mIRC to connect to IRC for almost 30 days!

(I have since formatted and am back on mIRC.)


R¹¶¬³¥
#76485 30/04/04 09:38 PM
Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
"Does Khaled/mIRC not feel any obligation to hasten communications with Trend? I know if it were my program that was in this situation I would be communicating with them every day and informing people of any real information/answers that come out."

Whilst Khaled is a famous guy on IRC, in the grand scheme of things he's not an A-list superstar. Him emailing Trend Micro may hold a little more salt with them, as they've no doubt heard of mIRC due to its use in infecting other people, but they probably won't feel hastened to answer him any more than you or me emailing them.
Plus, me, you, or anyone here doesn't know whether Khaled actually has contacted them about the issue or not. Who knows what Trend Micro are doing...

By the way, Khaled's life is made a little more hectic due to what I can only assume is the thousands of emails he receives per day, and that's with all the junk mail excluded - and real life too, plus Arnie takes a lot of his time up.

"Can anyone tell me a tool to use to see when/if a malicious mIRC is being operated from my computer and the traffic it would produce?"

This page has some good ideas on what to do and as you may have heard already (as it has been mentioned several times in this thread) - this post has many resources to get yourself uninfected.

Best of luck.

Regards,


Mentality/Chris
#76486 30/04/04 11:31 PM
Joined: Aug 2003 | Posts: 27 | Ameglian cow
I'm really sorry to be another person adding to this thread, but I am really at a loss as to what to do, and I have been experiencing things that, after reading through all 5 pages of posts, no one else seems to have touched upon.

- I run AVG antivirus on my computer, which scans daily for me, and is updated weekly. A few days ago I started getting this message in relation to my AVG program:

Quote:
avgcc32.exe - Application Error
The instruction at "0x5f4012a1" referenced memory at "0x00000004". The memory could not be "read".
Click on OK to terminate the program


So, I would click OK, and my AVG would shut down. When I restarted AVG I would
a) get that same message again, and it would immediately shut down; THEN
b) I would manually launch AVG, get that same message again, and it did not shut down AVG, but when AVG launched, it showed the "Control Center" as not being active and functional. Attempting to activate it sometimes worked, and sometimes caused AVG to shut down again.

- In an attempt to find out what was wrong, I tried to go to AVG's website at www.grisoft.com but always got the "this page could not be found" message.

- I tried other common/major antivirus websites, but was unable to access those as well, although all other websites loaded fine.

- I thought my problem was with AVG, so I uninstalled it, had a friend download the install file for me (as I was unable to access the website) and send me the install file. After reinstalling AVG, I was still getting the same error message.

- I then called a tech friend of mine, who suggested this:
a) deactivate System Restore
b) use Trend Micro's online scanner to check for viruses.

I discovered I was unable to access Trend Micro's homepage, but was able to access the House Scanner page.

- I ran a scan using TM's House scan, and as it was doing the initial system scan, got the following message:

Quote:
Houseware has found and cleaned a malware.BKDR_IRCFLOOD.x


So, I clicked okay, and it then scanned my computer and found the following file:

Virus: DOS AGOBOT.HM
Scan result: Non Cleanable
File: c:\windows\system32\drivers\etc\hosts

Since it was not cleanable, I deleted the file.

- I then used TM's House scan once again, and it found nothing in the initial system scan and no viruses detected.

- After doing this, I found I was then able to access antivirus websites once again, including the ones at Trend Micro and Grisoft that I had previously not been able to access.

- I thought I had solved my problem, so I reactivated System Restore and rebooted my computer.

- After my computer rebooted, AVG tried to launch and I got the same error message again. I was able to open it manually and then manually activate the "Control Center".

- I then launched all the programs I typically run on my computer, including two instances of mIRC (one for me, one for my bot), and several instant messaging programs.

- I found I was once again NOT able to access anti-virus websites. I was not able to access Grisoft's nor Trend Micro's homepage.

- I once again found my way to Trend Micro's House scanner, and used it to scan my computer. I found:
a) on the initial system scan "malware.BKDR_IRCFLOOD.x" was there once again
b) it once again found "DOS AGOBOT.HM" in the same location as before.

- I then found my way here and read through all 5 pages of posts, and found that no one else seemed to have experienced the same things as I have.

I'm not a very technical person, and I don't understand things about "registries" or "keys", and I can't really understand all the things you all have said to look for and try.

Has anyone else found these same problems? Does anyone have any suggestion that can be made simple for someone who is a technical dummy?

Thank you, and I apologize once again for adding to this already long thread.


~~~

I'm a Scripting Newbie, please forgive my questions, and have patience with me. Thanks!
#76487 30/04/04 11:47 PM
Joined: Nov 2003 | Posts: 2,327 | Hoopy frood
At least I can help one person in this thread.

The virus found in:
c:\windows\system32\drivers\etc\hosts
is most likely the reason why you cannot access those websites; the hosts file can be used to change where URLs point to.
Find:
c:\windows\system32\drivers\etc\hosts
and edit it so only the following is in it:

127.0.0.1 localhost

The lines that start with a '#' are actually comments, so they are not important; you don't need to delete those lines.

Hope this helps a little bit.

Edit: I'm guessing that AGOBOT (aka GAOBOT) will just change the hosts file back, but it's a temporary solution.

Last edited by tidy_trax; 30/04/04 11:49 PM.

New username: hixxy
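An added example, not part of tidy_trax's post and not a tool from any of the vendors named in this thread: a Python script that does the hosts-file check above programmatically. It parses a Windows hosts file (default path c:\windows\system32\drivers\etc\hosts, as given in the post), reports every mapping that is not the stock "127.0.0.1 localhost" line, tells sinkholing (127.0.0.1 or 0.0.0.0, the site just becomes unreachable) apart from redirection to some other address (which may be an impostor host), lists the security-vendor hostnames among them, and rebuilds a clean file that keeps the comment lines and only the localhost entry, as advised above. The hosts content and the vendor-name hints embedded below are constructed for the example.

```python
import re
from ipaddress import ip_address

# Default location on Windows XP/2000, as given in the thread.
HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"

# Constructed sample: the stock comment header plus the kind of entries a bot
# plants to keep the victim away from anti-virus vendors' sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.grisoft.com
127.0.0.1       housecall.antivirus.com
0.0.0.0         www.trendmicro.com
10.0.0.5        downloads.example.net   # constructed redirect to another host
"""

# Substrings that mark a hostname as a security vendor (assumption; extend as needed).
VENDOR_HINTS = ("trendmicro", "grisoft", "symantec", "mcafee", "kaspersky", "antivirus")


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for every mapping; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not body:
            continue
        fields = body.split()
        yield lineno, fields[0], fields[1:]


def is_stock_localhost(address, names):
    """The one mapping a clean Windows hosts file is expected to contain."""
    return names == ["localhost"] and address in ("127.0.0.1", "::1")


def find_hijacks(text):
    """Return (lineno, address, names, reason) for every mapping other than the localhost line."""
    hijacks = []
    for lineno, address, names in parse_hosts(text):
        if is_stock_localhost(address, names):
            continue
        try:
            addr = ip_address(address)
        except ValueError:
            hijacks.append((lineno, address, names, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = f"sinkholed to {address}: site becomes unreachable"
        else:
            reason = f"redirected to {address}: possible impostor host"
        hijacks.append((lineno, address, names, reason))
    return hijacks


def blocked_vendor_sites(text):
    """Hijacked hostnames that look like security-vendor sites (why AV sites 'could not be found')."""
    return sorted({name for _, _, names, _ in find_hijacks(text)
                   for name in names if any(h in name.lower() for h in VENDOR_HINTS)})


def clean_hosts(text):
    """Rebuild the file keeping comments, blank lines and only the localhost mapping."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        fields = body.split()
        if not body or is_stock_localhost(fields[0], fields[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, address, names, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {' '.join(names)} -> {reason}")
    print("blocked vendor sites:", blocked_vendor_sites(SAMPLE_HOSTS))
    print(clean_hosts(SAMPLE_HOSTS))
```

To use it on a real machine, read HOSTS_PATH into `find_hijacks`, review the report, and only then write the output of `clean_hosts` back (from Safe Mode if the bot is still running, since, as the edit above notes, an active Agobot will simply rewrite the file).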
#76488 01/05/04 01:06 AM
Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
You should use a dedicated trojan cleaning program such as PestPatrol and/or TrojanRemover (or one of the others listed in this post) to get rid of Agobot.

#76489 01/05/04 06:55 AM
Joined: Dec 2002 | Posts: 1,541 | Hoopy frood
FWIW, kbaumgar's post (like 7 or 8 above this one in the thread) worked for me with the virus of the title of the thread. It ALSO worked for a friend of mine with other viruses she had, so maybe give that a try (for those who have NOT yet done so AND are experiencing problems or getting trojan message alerts).


Those who fail history are doomed to repeat it
#76490 01/05/04 10:44 AM
Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
Yeah, sysclean most likely does work just fine with some, or even most.

This...
"So, I clicked okay, and it then scanned my computer and found the following file:
Virus: DOS AGOBOT.HM
Scan result: Non Cleanable
File: c:\windows\system32\drivers\etc\hosts
Since it was not cleanable, I deleted the file.
- I then used TM's House scan once again, and it found nothing in the initial system scan and no viruses detected."

... seems to indicate that Trend only found one file (hosts) in connection with that worm, in which case it couldn't possibly clean it, as a modified hosts file is but one symptom of the worm (and of many others).

So I recommend a trojan scanner|remover, something I think everyone should have in their arsenal - along with at least one good AV program.

#76491 01/05/04 10:54 AM
Joined: Dec 2002 | Posts: 1,541 | Hoopy frood

1) I then used TM's House scan once again, and it found nothing in the initial system scan and no viruses detected.
2) After doing this, I found I was then able to access antivirus websites once again, including the ones at Trend Micro and Grisoft that I had previously not been able to access.
3) I thought I had solved my problem, so I reactivated System Restore and rebooted my computer.
4) After my computer rebooted, AVG tried to launch and I got the same error message again.


I would hope you would NOT repeat step #4 again, because it SOUNDS like the virus is on that previous version of your OS and was brought back with it. I can only hope that some of the info posted here can at least lead you in the right direction. We're posting tons of updated info (as you can tell) when we find something new to add so it can help others (even if it turns out to be a "tried that, didn't work").

(General statement): I sure hope we (the IRC community) can now learn to NOT CLICK THINGS WE DON'T KNOW ABOUT. A LOT of these TYPES of things can be avoided if we use a bit of discretion when clicking links, going to sites, etc. When in doubt, DON'T CLICK A LINK IN mIRC. What's the harm from that, curiosity's gonna kill you? ;-)


Those who fail history are doomed to repeat it
#76492 01/05/04 11:03 AM
Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
Turning System Restore off wipes all previous restore points.

#76493 01/05/04 11:05 AM
Joined: Dec 2002 | Posts: 1,541 | Hoopy frood
I didn't know that (as I don't use an OS with Restore like XP has). A notable tidbit, to say the least. Thanks for the info.


Those who fail history are doomed to repeat it
#76494 01/05/04 11:18 AM
Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
No probs.
System Restore is a pretty nice feature (XP and ME both have it), but if a virus gets backed up through it, the only way to clean it is to disable then re-enable it.

#76495 01/05/04 11:25 AM
Joined: Nov 2003 | Posts: 2,327 | Hoopy frood
Problem with using a dedicated trojan remover is that it's already blocking some of the sites that (s)he could download one from.


New username: hixxy
#76496 01/05/04 11:35 AM
Joined: Aug 2003
Posts: 1,831
I
Hoopy frood
Perhaps, but then you dl one from MajorGeeks or PCWorld or some such mirror.

#76497 04/05/04 12:44 AM
Joined: May 2004
Posts: 1
H
Mostly harmless
Hm, well, I have now read through all these comments and I have done all the fixes, searched the registry entries and run 5 AV/trojan programs (Kaspersky, TheCleaner, AVG, Stinger, Panda), but no AV program found this trojan. Then I started the Trend Micro online scan and it found the malware.Bkdr_Ircflood.X thingy. But always when I open my mIRC the virus is there again; I don't need to connect to a server or something, just load it and the virus is active. There is no new process running then like they said on the Trend Micro hp, so there are no registry entries as well.
Don't know what to do now; hope Trend Micro comes up with a solution/patch or whatever.

#76498 05/05/04 01:02 AM
Joined: May 2004
Posts: 1
O
Mostly harmless
Trend Micro has fixed this issue. No need to worry anymore.

#76499 05/05/04 10:18 AM
Joined: Dec 2002
Posts: 1,541
L
Hoopy frood
What, can I ask, is your proof of this? Do they state somewhere that the issue's been resolved? Did they send you an email? Did you hear it from a friend of a friend of a friend? Did their virus scanner clean a virus for you? I'm not doubting you, I just would like to know where the proof of this is before I blindly believe it, that's all. No offense intended.


Those who fail history are doomed to repeat it
#76500 05/05/04 09:00 PM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
My thoughts exactly landon. Although, when I checked, I did see that Trend updated their patterns on May 3rd, and when I scanned there's no more of that ircflood found msg when none of the files/registry entries exist on my puter. Looks like they decided to fix it without fanfare, I guess. I'd suggest anyone who has had the same issue (i.e. getting that msg but not finding any of the files or registry entries) try now and see what happens.


ParaBrat @#mIRCAide DALnet