Joined: Mar 2004
Posts: 7
Nutrimatic drinks dispenser
OP
I recently scanned my system with TrendMicro's HouseCall, and it found malware.Bkdr_Ircflood.X running in memory (and cleaned it). It never found any files that were infected with the virus, just said it was running in memory. I decided to format (it was time to format anyway), and after installing Windows XP and mirc 6.14 (did the same with 6.12), HouseCall found it again.
I was wondering if this was a HouseCall bug or if anyone else had this problem?

Joined: Dec 2002
Posts: 1,541
Hoopy frood
Sounds like it could be a false positive where the scanner thinks it found something from code (in a file) that mimics a virus. Did it find it in a mIRC file or a mIRC script (or neither)?
EDIT - if you check the TROJAN INFO link, you can see a few other places to try and scan with for more of a well-rounded idea/opinion.
Those who fail history are doomed to repeat it

Joined: Mar 2004
Posts: 7
Nutrimatic drinks dispenser
OP
Thanks for the reply! It didn't find either mIRC itself or an mIRC script (I didn't have one installed at the time of the scan). When it was scanning memory and system files, it would find malware.bkdr_ircflood.x if mIRC was running. If mIRC wasn't running at the time, it wouldn't find it.
I'm also scanning using tools from the thread you linked right now. Of the few that have completed, only HouseCall found this virus. I'm beginning to think that it is indeed a false positive detected by HouseCall.

Joined: Jun 2003
Posts: 5,024
Hoopy frood
Indeed, to follow on from above, it's always good practice to use more than one antivirus and/or trojan scanner. 'False positives' are common, and you can never be too safe. The opposite can be true as well, whereby one antivirus will not detect a virus but another one will. If the AVs you have have an "Auto Protect" feature then you should have it enabled too.
Stay safe
Regards,
Mentality/Chris

Joined: Mar 2004
Posts: 1
Mostly harmless
Hello, I'm having the exact same problem with Trend Micro's HouseCall scanner. Every time I open mIRC I get the BKDR_IRCFLOOD.X virus, the same problem you have. I did get rid of the ieexec.exe program and checked my registry to see if it's infected, but I found nothing. I too believe that the scanner is false. If you happen to find a scanner that also picks up BKDR.IRCFLOOD.X, please reply or e-mail me @ jamesbond236@hotmail.com with an appropriate title regarding the virus BKDR_IRCFLOOD.X which appears on Trend Micro's HouseCall scanner.
Thanks,
- Jay

Joined: Jun 2003
Posts: 5,024
Hoopy frood
It's still a good virus scanner and is widely used even if it does turn up some wrong results - obviously it's just sensitive. If you simply scan with 2-3 of the virus scanners that appear in the Trojan resources thread you should know if you're clean or not. Just an FYI, I wouldn't suggest posting your email on the public forum; spam bots crawl the web and pick up those emails, subsequently spamming them.
Stay safe
Regards,
Mentality/Chris

Joined: Mar 2004
Posts: 1
Mostly harmless
I've come up with the same. Digging through some logs and stuff, here is what is setting it off:
Debug Information Level=0
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\DefaultIcon]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Application]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\ifexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Topic]
BackupRegKey[HKEY_CLASSES_ROOT\.cha]
BackupRegKey[HKEY_CLASSES_ROOT\.chat]
and
Damage Cleanup Engine (DCE) 3.5(Build 1119) Windows XP(Build 2600: Service Pack 1)
Start time : Fri Mar 26 02:49:08 2004
Load Damage Cleanup Template (DCT) "H:\WINDOWS\tsc.ptn" (version 298) [success]
BKDR_IRCFLOOD.X[virus found]
-->delete registry data("HKEY_CLASSES_ROOT","ChatFile\DefaultIcon",""E:\mIRC\mirc.exe"") success
-->delete registry key("HKEY_CLASSES_ROOT","ChatFile","") success
-->delete registry key("HKEY_CLASSES_ROOT",".cha","") success
-->delete registry key("HKEY_CLASSES_ROOT",".chat","") success
Complete time : Fri Mar 26 02:49:14 2004
Execute pattern count(718), Virus found count(1), Virus clean count(1), Clean failed count(0)

Joined: Mar 2004
Posts: 2
Bowl of petunias
Yes, I also have received the BKDR_IRCFLOOD.x, and only Trend Micro seems to be finding this file, and each time HouseCall removes it, I reboot my computer and this file shows up again!
I have used NAV 2004 Pro, KAV, McAfee, AVG, Pest Patrol, Spybot Search & Destroy, Trojan Hunter, and the GFI Online Trojan Scanner, and none of these showed BKDR_IRCFLOOD.x!
Is BKDR_IRCFLOOD.x actually a file, much less a form of malware? I have spent the better part of the past 5 hours scouring my two computers and notebook here at home.
Jammy
Skepticism Is A Virtue

Joined: Dec 2002
Posts: 1,541
Hoopy frood
I couldn't tell you as this is not my area of expertise (aka how trojans work and what their filenames are called etc.)
Those who fail history are doomed to repeat it

Joined: Jun 2003
Posts: 994
Hoopy frood
I refuse to engage in a battle of wits with an unarmed person.

Joined: Sep 2003
Posts: 38
Ameglian cow
@rew: Debug Information Level=0 etc. So it's harmless?
Like almost everyone else I too have that backdoor on my system. Only Trend Micro seems to find it, but not on every system. Even at home, where I have 3 different computers, just 1 is "infected". Though I think nothing is wrong (using cmd and looking at netstat gives no open connection I didn't open myself), I did find something else. When connecting to irc.quakenet.org and joining #5on5 I got G-lined. (Probably just an on-join G-line.) Still it's weird that every time you start mIRC again, you have been "infected" again.

Joined: Mar 2004
Posts: 2
Bowl of petunias
Thanks! But you know that I have never had any of those entries in my registry!!! I get so tired of manually going to my registry only to not find anything.
Trend Micro may have found something, but how come none of the other AV programs can find anything?
Another reason why I agree that this is just a false positive.
Jammy
Skepticism Is A Virtue

Joined: Dec 2002
Posts: 3,127
Hoopy frood
It's not at all uncommon for one AV to find something that another one doesn't. Have you contacted Trend Micro to ask them to investigate whether it's a false positive? Don't just assume it is. Although, if it was something within the basic mIRC (as downloaded from mirc.com) triggering it, then it seems like everyone with mIRC who uses HouseCall would get the same results.
ParaBrat @#mIRCAide DALnet

Joined: Mar 2004
Posts: 1
Mostly harmless
I too have had this "virus". However, for me it only comes back after I restart mIRC. If I start mIRC, exit, clean it, restart mIRC... it's there again. Don't open mIRC, and it doesn't appear!
I have none of those registry entries mentioned, nor the .exe file. Fortunately, I found this thread before I tried a format. Think I might try emailing Trend Micro about this.
kilo

Joined: Mar 2004
Posts: 1
Mostly harmless
Haven't you guys experienced any effects from the malware?
For me the malware deleted all my Internet Explorer Favorites (which was extremely frustrating) and changed my starting page.

Joined: Jun 2003
Posts: 5,024
Hoopy frood
I think what most of these guys are saying is that Trend Micro is turning up a confirmed infection when actually they are not infected - meaning they would not suffer.
Perhaps you really were infected and therefore, you did.
Hope you manage to get back on track though :-)
Regards,
Mentality/Chris

Joined: Mar 2004
Posts: 1
Mostly harmless
I have the same problem... Can't anyone help clean this virus?

Joined: Dec 2002
Posts: 3,127
Hoopy frood
CtrlAltDel provided a link to Trend Micro that details how to clean that virus if you are in fact infected with it. Unless every file and all registry entries are removed, each time you open mIRC the trojan will restart.
Whether there is something triggering a false positive in computers that aren't actually infected, I don't know.
ParaBrat @#mIRCAide DALnet

Joined: Apr 2004
Posts: 1
Mostly harmless
I have the same problem.
I found out that this worm is creating 3 files in the folder %windows%\temp. The files are: mirc.exe, lol.exe and lol.bat.
If I open any txt file, my system shuts down (it loads the lol.bat file first, and then mirc.exe and lol.exe).
- Trend Micro is the only tool to find this worm (but it didn't say what file is infected, only "system files").
If I reinstall Windows, will that solve this problem, or will I get this worm again if I connect to IRC?
Sorry for my bad English.
Best regards,
Whity

Joined: Apr 2004
Posts: 1
Mostly harmless
You have to delete Windows\System32\notepad.exe, which is a self-extracting file (the virus). You can either:
1) replace this file with the standard Windows\notepad.exe
2) delete any reference to 'System32\notepad.exe' in your registry. When you do that, if you try to open a txt file, Windows will ask you to select a program to open it with - just choose Windows\notepad.exe

Joined: Oct 2003
Posts: 16
Pikka bird
"Good day! I apologize for the inconvenience we are causing you. Please place the mIRC executable in the exception list to avoid the false detection: http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=17323In the meantime, we will inform our virus doctors regarding this problem so that they can analyze it. Thank you for using Trend Micro for your computer protection software. Please do not hesitate to let us know if you have further inquiries. Other means of reaching our office are indicated below. Regards, Trend Micro, Inc. John Lolin Consumer Support Team" wel ... ok ? dslreports
"ytytyt = a lamers' version of asdf"

Joined: Dec 2002
Posts: 3,127
Hoopy frood
Thanks for the info, just saw it today myself. Hopefully someone will keep us updated with what Trend Micro's further analysis comes up with.
Word of caution: it's always best to thoroughly check for the items that are listed as being part of this or any virus, to be on the safe side. Don't just assume anything found is a false positive until you are sure.
ParaBrat @#mIRCAide DALnet

Joined: Sep 2003
Posts: 1
Mostly harmless
The solution was great but only intended for Trend 2004... I have an updated Trend 2002 and still I get a series of DoS attacks whenever I log on to mIRC, so I have to reboot again. I tried looking for the exception folder myself and found it and included the mIRC folder, but still, after a few minutes logged in, same result... DoS attacks, then reboot. Thanks for the info and I apologize for asking... I must accept I'm a newbie to PC security. Good day!

Joined: Apr 2004
Posts: 3
Self-satisified door
If you are re-installing mIRC from an executable that you have stored on a CD somewhere, then maybe that executable is infected - probably downloaded from a site other than those specified at www.mirc.com. If those 3 files keep reappearing even after a re-install, then I'd re-download the mIRC installation program from a reputable source!

Joined: Apr 2004
Posts: 1
Mostly harmless
wow there is still no fix for this?

Joined: Apr 2004
Posts: 1
Mostly harmless
Yes there is. After just a quick look, I believe that this is a false positive. At least I hope.
The solution to this "virus" appears to be to install version 5.7.
Something in the registry, I think, that was added in version 5.8 and above, or something, appears to trigger the Trend Micro alarm. I'm not sure what this could be; perhaps it is the registry keys indicated in the previous post.

Joined: Apr 2004
Posts: 4
Self-satisified door
I have this, too. And I just got this yesterday night when I clicked on a link in a channel. It was from a person I know, so I didn't think it was fishy. Also, once you are infected with this, you advertise that link at certain intervals and only other people can see that link and not you, so you don't know about it. I never had anything of this sort before so I _don't_ think this is a false positive. I have also come to the following conclusion (like some before):
- it's a mIRC backdoor.
- it doesn't self-re-install after booting your computer.
- it does that only after mirc.exe is executed.
- so far, only Trend Micro has picked this up.

I went to this site for help, http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_IRCFLOOD.X (someone here posted it). But I am having some problems with their manual removal.

"Go to the directory where the file IEEXEC.EXE is located. Open a command prompt in this location. Type the following: C:\ieexec.exe – uninstall Press Enter to remove the application."
I can't find a file named "ieexec.exe."

"Open Registry Editor. Click Start>Run, type Regedit then hit Enter. In the left panel, double click the following: HKEY_CLASSES_ROOT>irc>Shell>open>command. In the right panel, locate the following entry: (Default) = <current directory>\IEEXEC.EXE"
Again, I didn't have an ieexec.exe key in there. Although my key had " -no connect" at the end. Does anyone know what that means? I removed it. mIRC seems to be working fine so far.

"In the left panel, double-click the following: HKEY_CLASSES_ROOT>ChatFile>Shell>Open>Command"
I don't have a key named "chatfile." And similar problems with the rest of their solution. I am actively seeking a resolution to this and will post when I find something new. *sigh*

Joined: Dec 2002
Posts: 3,127
Hoopy frood
As I said in an earlier post, that trojan does exist in the wild, so it's always possible some users are actually infected. It's only been happening recently with Trend Micro's HouseCall that some people are being told they are infected with it but when they check, they don't have any of the files or registry changes noted as being dropped by that trojan. Trend Micro has said their virus doctors are investigating to see if there is something triggering a false positive. Until someone gets a response from them with the results of their analysis, we can only speculate.
ParaBrat @#mIRCAide DALnet

Joined: Apr 2004
Posts: 1
Mostly harmless
Hi. I'm brand new to this board, but I've been on mIRC a good six years now. I know better than to accept files people send to me without my having asked for them. I know better than to click on URLs posted by just anyone in a channel. I know better than to type whatever someone may say to type. I too am having the BKDR_IRCFLOOD.X problem with Trend Micro. This time though, I watched carefully (for once) and the message just said HouseCall had found a malware.BKDR_IRCFLOOD.X and had cleaned it. It didn't say where it was found or which file it was found in. So, I went back to mIRC and connected to my favorite server, then disconnected, and sure enough, it happened again. So, again, I reconnected to mIRC and disconnected. Then I went through the regedit procedure, and lo and behold none of the items mentioned by Trend Micro (or HouseCall, whichever they prefer to call themselves) were listed in regedit. Therefore, my conclusion is, yes, in my case at least, it is a false alarm.

(I used to run PC-cillin II years ago, back in the days when computers wore animal skins, and it gave a false positive on an animated card a friend of mine sent to about six of us. Everyone else was running Norton's or McAfee's but me, and their a/v programs did not hit on that card as being a virus. It was the title that set it off for me (apparently PC-cillin was super sensitive back then?). I spent something like four hours online with a friend that night trying to figure out if I had been infected or not (I was a true newbie in those days).)

I have to wonder if all of us who are having this problem are using the same version of mIRC? I'm running 6.12. I d/l mine from the official website too. Perhaps we're the only ones affected and therefore it's some sort of a benign glitch in the mIRC program itself??? Any thoughts (after all, I may have been around the block a few times on mIRC, but I'm no computer pro for sure).
I've been hit with so many things, and luckily my eTrust program has pulled my fat out of the fire each time. Anyway, I've rambled on enough for the new kid on the block. And thanks to whoever it was that posted those links for other sites offering free online scans. I ran one of the spybot checkers (whatever the techie term is), and I am free and clean of ickies like that too... thanks again!
ouizee

Joined: Dec 2002
Posts: 3,127
Hoopy frood
It's only been happening recently, and reports from users say it's happening on more than one version of mIRC. I use HouseCall regularly and checked for all the files and registry entries before using it this time (last time I had no problems). None present. Had the same thing happen that you and others report using HouseCall. Opened mIRC (didn't even bother to connect), checked again, ran the scan again. Same thing. While I am inclined to agree it is indeed a false positive for many people (especially since no one is more neurotic about avoiding potential for trojans than I am), until Trend Micro's virus docs figure out what's going on we're making educated guesses. Check it out, run a couple of other things to be sure, and wait for them to let us know their findings. I'm sure if it is a false positive they will make the necessary tweaks.
ParaBrat @#mIRCAide DALnet

Joined: Apr 2004
Posts: 1
Mostly harmless
I'm having the exact same problem as johnbull. I've run every free AV program I can get my hands on. I've also run Spybot and Ad-Aware, yet only trendmicro finds it, and my typical trendmicro run ends up with the same results as john's. For the most part, I believe it is a false positive, yet for some reason I've been mysteriously k-lined from a server I very rarely join on plus the servers I idle on frequently, I tend to get nickserv killed and I get more software connection aborts. Before I noticed I had this malware.bkdr_ircflood.x on my computer, I hardly ever had any of these problems. Now they happen 1-2 times an hour. I'm starting to get worried, because I have no clue where this trojan is at, if I do, in fact, have one. I hope someone finds an answer quick.

Joined: Apr 2004
Posts: 4
Self-satisified door
I wouldn't mind at all if this was a false positive, but the thing is "Why now?"
I've been scanning my computer with Trend Micro for a long time and did a couple of days before Trend Micro caught it.
And another thing, right now there are so many of these links running around rampant on mIRC. I've never seen so many infected people (people advertising, which they can't see).
Now, if I am not infected with anything then why was I advertising the infection-borne link?
My guess is that this is opening a port (obviously). It's only a matter of time before he installs a trojan through that port. So, what I do is this: scan after I connect to mIRC (don't have to scan the whole HD, just till Trend Micro removes this thing).

Joined: Dec 2002
Posts: 3,127
Hoopy frood
AVs constantly add things; I didn't have any problem a couple of days before either. It's always possible someone is actually infected, but when none of the files or registry changes are present, people can't help but wonder if it's a false positive. They do happen.
ParaBrat @#mIRCAide DALnet

Joined: Apr 2004
Posts: 2
Bowl of petunias
Let me begin by saying I've read every post here and still am not sure what to believe. One thing you might find interesting: if I run a Trend Micro scan while running mIRC I get a different virus alert; the virus is worm_thrax.a. http://de.trendmicro-europe.com/enterpri...amp;amp;VSect=T is where more information on this can be found. When I run Trend Micro when IRC is not running it detects Bkdr_Ircflood.X. I'd really like any information about this. Thank you for reading.

Joined: Apr 2004
Posts: 4
Self-satisified door
Read this thread, http://www.esreality.com/?a=post&id=647799, too. Some of these guys ARE infected with a "wsz32.exe". Again, I found nothing of the sort.

Joined: Apr 2004
Posts: 1
Mostly harmless
Similar, but would like to add: using XP Pro.
When I found that there was no 'ChatFile' key in my registry, I did a system restore to a point before I had the virus and the ChatFile key was there. Kinda made me doubt that this is a false positive... I then un-did the system restore and did the following.
A registry search [Start - Run - regedit - click Edit - Find - then type in the file name] for the IEEXEC.EXE file, and found it along with BKDR_IRCFLOOD* and malware.BKDR_IRCFLOOD.*. Next I removed those 'entries' from my registry, just deleted the info and left the field blank.
Today I did the same registry search and the IEEXEC.EXE file is back but the other two files were not present.
During all of this I continued to scan using Trend Micro and the 'malware cleaned' pop-up would occur every time even though I had removed the files from my registry.
If this is a false positive, it sure is an active one!!!

Joined: Apr 2004
Posts: 1
Mostly harmless
I really do think this is a false positive for some. For those like me, where during the "system file" search, which is prior to searching any files, it says "found and cleaned malware.Bkdr_Ircflood.X" but does not list any files, and then the check runs through all files on the hard drive and finds nothing.

I checked on the page given earlier, http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_IRCFLOOD.X, which lists details about the virus. Under my registry entry, the default points to mirc.exe like it should, and not ieexec.exe like the page says it does.

Also, I think I know why every time you restart mIRC it will re-find the virus and clean it again. On that same page it talks about many registry locations of "chatfile...". Well apparently, when you start up mIRC, all these entries are created. I checked them, and they all pointed to mirc.exe and not ieexec.exe; however, I believe that the Trend Micro scanner is seeing these entries and assuming that it is the virus, and deletes those entries. Because after I run the virus scan and it says it cleaned it, I can no longer find any entries of "chatfile...". However, again if I close mIRC and restart it, those entries are back. I think this is where the false positives are coming from. Just a guess. Anyone care to comment on this? Please let me know if you are like me and have the same thing, with those reg entries reappearing every time you start mIRC, but with them pointing to your mirc.exe and not an ieexec.exe. Thanks.
PS. This is not directed to any one person. Just to those that are having a similar situation where NO FILES are listed as infected, just during the "system file" scan at the beginning.
One final thing, just so someone can verify this for me. I have mIRC version 6.14 downloaded from mirc.com and installed. My mirc.exe has an MD5 sum of 31F010FCF0B67737B04F3B8F2C2639F5. If someone else who does NOT have this problem can check theirs and see if it matches mine, that would be great. Thanks.
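An added triage helper, written for this page and not taken from the thread, from mIRC or from Trend Micro: it parses the Damage Cleanup Engine lines quoted earlier in the thread and reports whether the cleanup touched the IEEXEC.EXE handler that Trend Micro's write-up (as quoted in the posts above) names as the trojan's indicator, or only mIRC's own ChatFile/.cha/.chat association keys with values pointing somewhere else, which is the situation the post above describes. The sample log is constructed from the lines posted above, the DCE line format it expects is assumed from that sample, and the `ieexec.exe` indicator and the association key names come from this thread rather than from any vendor documentation read directly.

```python
import re

# Constructed sample input: the Damage Cleanup Engine (DCE) lines quoted earlier in
# this thread, one action per line exactly as HouseCall printed them.
SAMPLE_DCE_LOG = r"""
Load Damage Cleanup Template (DCT) "H:\WINDOWS\tsc.ptn" (version 298) [success]
BKDR_IRCFLOOD.X[virus found]
-->delete registry data("HKEY_CLASSES_ROOT","ChatFile\DefaultIcon",""E:\mIRC\mirc.exe"") success
-->delete registry key("HKEY_CLASSES_ROOT","ChatFile","") success
-->delete registry key("HKEY_CLASSES_ROOT",".cha","") success
-->delete registry key("HKEY_CLASSES_ROOT",".chat","") success
Execute pattern count(718), Virus found count(1), Virus clean count(1), Clean failed count(0)
"""

# Indicator taken from the Trend Micro description as quoted in the thread: the real
# trojan registers IEEXEC.EXE as the handler for irc:// links and .chat files.
TROJAN_HANDLER = "ieexec.exe"

# Top-level HKEY_CLASSES_ROOT keys that belong to mIRC's own .chat file association
# (names taken from the registry keys listed in the DCE log quoted above).
MIRC_ASSOCIATION_KEYS = {"chatfile", ".cha", ".chat"}

# Assumed line format: -->delete registry <data|key>("<hive>","<key>",<value>) <result>
ACTION_RE = re.compile(
    r'^-->delete registry (?P<kind>data|key)'
    r'\("(?P<hive>[^"]*)","(?P<key>[^"]*)",(?P<data>.*)\) (?P<result>\w+)$'
)


def parse_dce_actions(log_text):
    """Return one dict per '-->delete registry ...' line; other lines are ignored."""
    actions = []
    for line in log_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            continue
        act = m.groupdict()
        act["data"] = act["data"].strip('"')  # the log wraps values in extra quotes
        actions.append(act)
    return actions


def classify(actions):
    """Sort a cleanup into one of four buckets.

    ioc-present     a deleted value referenced IEEXEC.EXE: treat as a real infection
                    and follow the vendor removal steps in full
    mirc-keys-only  only ChatFile/.cha/.chat were touched and no value pointed at
                    IEEXEC.EXE: consistent with the false-positive theory in the thread
    other-keys      keys outside mIRC's association were removed: inspect by hand
    no-actions      the log contains no delete lines at all
    """
    if not actions:
        return "no-actions"
    if any(TROJAN_HANDLER in act["data"].lower() for act in actions):
        return "ioc-present"
    roots = {act["key"].split("\\", 1)[0].lower() for act in actions}
    if roots <= MIRC_ASSOCIATION_KEYS:
        return "mirc-keys-only"
    return "other-keys"


def handler_points_at_trojan(command_value):
    """Check one Shell\\open\\command default value (e.g. copied from regedit)."""
    return TROJAN_HANDLER in command_value.lower()


if __name__ == "__main__":
    acts = parse_dce_actions(SAMPLE_DCE_LOG)
    for act in acts:
        print(f'{act["kind"]:4} {act["hive"]}\\{act["key"]}  {act["data"] or "(key)"}')
    print("verdict:", classify(acts))
```

Paste your own DCE output in place of the sample to get a verdict for your machine; a "mirc-keys-only" result only says the cleanup removed nothing beyond the file association, it does not prove the machine is clean, so the file checks from the Trend Micro page still apply.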

Joined: Apr 2004
Posts: 1
Mostly harmless
This is starting to really annoy me... I've done everything I can to get rid of this. I've found nothing that HouseCall says I should find. No viruses, trojans, worms, nothing. Yet I still get this message when I scan... So is this something we can ignore?

Joined: Dec 2002
Posts: 1,541
Hoopy frood
I'd say (after all this time) if Trend still finds an issue BUT when you follow their advice you see none of the harmful things (files/entries) that you should, keep it in mind but don't worry about it as much, as it (to me) SOUNDS like a false positive. I figure they'll figure this out soon and then we can be done with this once and for all lol
Those who fail history are doomed to repeat it

Joined: Apr 2004
Posts: 1
Mostly harmless
I'm not too sure about this as I have had this detected on my system. Like everyone else I ran Norton and it found nothing related to this virus but Trend picked it up. The problem I'm having is that I found a file called NOTEPAD.exe so I deleted it; I also found loads of registry entries relating to it, and also found a funny entry in startup. The problem I'm having is that I can't get rid of it either, but mine seems to be doing something: it won't let me speak to anyone on IRC, they can't hear me and I can't see any text other than joins/quits in every channel. This is really annoying. Anyone else had this problem from the virus???

Joined: Dec 2002
Posts: 3,127
Hoopy frood
Britneyfan: realize that the earlier post was not referring to the valid MS Windows application also called notepad.exe, which is in the Windows directory. He was referring to one apparently found in windows/system32 (although I'm not familiar with that issue so I can't comment further). I don't know which it is you found.

There are two issues. Some people are actually infected by the trojan, which drops a modified mIRC (and modifies the mIRC icon) and creates the files/registry entries detailed at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_IRCFLOOD.X&VSect=T. You can read there what the trojan does. Others are told it's found, but have none of the mentioned entries/files. Whether it's a false positive being triggered by similarities or not, we can only wait for Trend Micro to say so and patch for it. Those people are also not having any problems on IRC such as you describe, so yours may be a different issue.

Is the problem only in channels? Are you able to msg people? Have you tried other networks? Do you see any error messages in your status window? What is the "funny entry" that you have in startup?

This may sound silly, but it wouldn't hurt to check your colors to be sure you haven't set others' text the same color as your background (hold down your Alt key and press K to see the colors dialog, or click on the icon that looks like crayons).
ParaBrat @#mIRCAide DALnet

Joined: Jun 2003
Posts: 384
Fjord artisan
I appear to have notepad.exe in both c:\WINNT and in c:\WINNT\System32 and both are legitimate Microsoft Notepad executables, so it appears that that bears no significance...
Edit:
OS of machine in question: Win2k SP4
OS installed: 4 days ago

Joined: Dec 2002
Posts: 3,127
Hoopy frood
Thanks for the info Deku; I run 98SE and only have it under Windows. I'm not sure what the post about it being in system32 is all about, since I'm not familiar with whatever trojan they mean. Mainly I wanted Britneyfan to be aware there is a legitimate MS notepad executable.
ParaBrat @#mIRCAide DALnet

Joined: Apr 2004
Posts: 2
Bowl of petunias
I just wanted to note that no one has responded to my original post. I am detecting Bkdr_Ircflood.X, but there are some additional/different things I'm experiencing that might be of interest to everyone. The virus I mention below is also IRC related, take a look:
Let me begin by saying I've read every post here and still am not sure what to believe. One thing you might find interesting: if I run a Trend Micro scan while running mIRC I get a different virus alert; the virus is worm_thrax.a. http://de.trendmicro-europe.com/enterpri...amp;amp;VSect=T is where more information on this can be found. When I run Trend Micro when IRC is not running it detects Bkdr_Ircflood.X. I'd really like any information about this. Thank you for reading.
Last edited by problem; 08/04/04 07:59 AM.

Joined: Apr 2004
Posts: 4
Self-satisified door
Speaking of notepad.exes. I have an extra one right now, in C:\WINNT\system32\dllcache. Before, I know for sure, I had only 2; one in c:\winnt and c:\winnt\system32. Anyone else have this? I use Win2k. I don't have anything mysterious in my run/registry/sys memory. But my computer's acting funny. For the love of my life I can't figure out how I lost a whole album (12 songs). This is just paranoia. And my HLIT is all messed up. When I open it, it doesn't show any of my favs but fav.dat is there with everything in it; the menu at the bottom is gone. It was working fine yesterday. Perhaps formatting is long overdue.
Btw, I heard that /remote off and /timers off are good commands to secure mIRC.

Joined: Dec 2002
Posts: 3,127
Hoopy frood
Of course check to see if any of the files/registry entries listed are on your computer. I'm afraid the only place any of us can get any info on whether this one is a false positive is from Trend Micro. Have you contacted them to ask?
Since the trojan you referred to seems to drop modified mirc.ini and script.ini, I'd also take a look at the ones you have. If they look like they should, perhaps something in your legit ini files resembles a known trojan string. (It certainly isn't uncommon to have backdoors and nasties in scripts people download.) Maybe include yours in a report to Trend Micro to give them something to go on? NOTE: be sure to remove any passwords you may have in your ini files before sending them off!
I'm not aware of anyone receiving emails from Trend Micro other than the one saying their virus doctors were looking into it. All any of us can do is check for what they say is dropped by these trojans and contact them if none of them are found. They need to know lots of people are having the problem and it isn't an isolated event. I know I'm not giving you any answers, but I can't; only Trend Micro can explain what's going on. If they are false positives, hopefully Trend will patch for them soon and stop giving us all gray hair.
ParaBrat @#mIRCAide DALnet

Joined: Apr 2004
Posts: 3
Self-satisified door
Hi, I'm new to this forum so bear with me. I just got through reading this thread. I was having a problem with my computer that just started 2 days ago: something was eating my memory, running in the background. I have also run every scan and found nothing; then I ran Trend and it found this malware.BKDR_IRCFLOOD.X and cleaned it. The thing that concerns me is I haven't used mIRC in over 6 months, so I don't know how I got this.

Joined: Feb 2003
Posts: 3,432
Hoopy frood
It can come from a web page, or a mail sent to you, so it doesn't have to be from mIRC. It can even be included in some programs you have been installing lately.
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

Joined: Apr 2004
Posts: 3
Self-satisfied door
Thanks Sparta. Now you mention that, I was on a site the other night and a box popped up saying it was downloading something, grrrrrrrrr. So if Trend said it deleted it, does that mean I have got rid of it?

Joined: Feb 2003
Posts: 3,432
Hoopy frood
I suppose so. If you didn't scan your computer online, then do so here..
if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }

Joined: Apr 2004
Posts: 3
Self-satisfied door
I did scan with Trend, that's who picked it up in the first place, but being the paranoid owner of a sick 'puter I'm scanning again. Thanks again for your advice.

Joined: Jun 2003
Posts: 5,024
Hoopy frood
-General Reply-

In an attempt to stop people asking if they're infected or not, please read this before posting any more! This is just a summary of everything I can think of, gathered from other people's good advice throughout this thread and some areas off this thread.

Question: What's this all about?

People are finding that, when using Trend Micro's HouseCall virus scan, they are experiencing a virus detection of malware.Bkdr_Ircflood.X. CtrlAltDel posted a link to more technical information about this infection. As ParaBrat has pointed out before, there are two main issues with this situation:

1) Trend Micro's virus scan is detecting that you are infected with malware.Bkdr_Ircflood.X. If this is the case, clean your system exactly as you are told to by Trend Micro.

2) Trend Micro's virus scan is detecting that you are infected with malware.Bkdr_Ircflood.X, you have followed all of the instructions and you can't find any of the problems that it says you should have, OR you scanned before, cleaned everything, and it still detects you as infected. I suggest you use the resources in this thread and choose an antivirus or trojan scanner other than Trend Micro. I would personally recommend AVG, The Cleaner AND Ad-Aware. If ALL 3 of these programs say you are not infected with any backdoors (or at least not with malware.Bkdr_Ircflood.X) then I would say you are not infected and Trend Micro is wrongly detecting you as being infected. If they DO detect that you are infected then you may not have followed the instructions properly, or Trend Micro may not have detected all strains (versions) of the virus on your computer, so use those programs to remove the program, reboot, and once again scan with those 3 programs to ensure non-infection.

If you are finding that Trend Micro is detecting this virus and NO other virus scanners are, then it is fairly safe to assume you are not infected. Please remember, we cannot tell you if you're infected or not, you must scan for yourself! We cannot tell if Trend Micro is or is not properly detecting the virus.

Question: How did I get infected?

This obviously only applies if there was actually an infection detected. Sparta made some good suggestions as to how people can get infected:

- You could have got this through an email attachment. It's a good idea never to open email attachments without scanning them with a virus scanner first, even if an email is from one of your friends. (I have seen a lot of people say their "friends" have planted trojans on their computers for a bit of fun. It may be fun for them, but if they shut down your computer every 5 minutes, or accidentally delete an important system file because they don't know what they are doing, it might not be so fun for you!)
- You may have visited a website which has exploited you and planted this virus on your computer. It's best not to go to websites when you're not 100% certain of what's on them. You could visit a website and it automatically starts to download something; NO legitimate website on the entire Internet will do this, so if you can, stop the download immediately.
- You may have installed a program recently that contains it. For your own security you should not install programs unless you know they are perfectly safe; this may include checking up on their security certificates and the company who has signed the download.

The above 3 ways could have happened even if you have not used IRC for a number of days, weeks, months or even years, and you are just coming back to using IRC. However, there are general computer safety guidelines you should follow, and also very IRC-specific guidelines you should follow to ensure you remain safe from viruses and you keep your private information private. Those may include:

- NEVER accepting files from people on IRC. Only accept files from trusted friends, 'trusted' meaning you've known them for months if not years, not because they've been nice to you for a few hours.
- NEVER typing suspicious things that people tell you to type, especially if they contain //write $decode or any other long form of what appears to be a jumble of letters and numbers.
- ALWAYS having an antivirus installed on your computer. If it has an auto-protect feature then have it enabled.
- ALWAYS having the latest updates from www.windowsupdate.com.
- ALWAYS having the latest version of your software. mIRC is an important one to have updated to avoid any exploits that may be found. You can always get the most up to date version at www.mirc.com/get.html.

The above should help you protect yourself from further infection. This does not mean it's impossible for you to be infected, so don't disregard any warnings that antivirus programs give you, but it gives you a good chance at not getting infected.

Question: So what's being done about this?

Trend Micro emailed ytytyt and told him that their 'virus doctors' are looking into the situation. They also said to add mIRC.exe, for now, into your Exception List so that Trend Micro does not detect a virus in it. See this page for details. Until there is another reply from Trend Micro nobody can give a definite answer as to whether or not this is a 100% certain "false positive" in Trend Micro. There is also very little we can do, as IRC users, other than wait.

Question: Shall I stop using Trend Micro? Delete it?

No. Let's not forget Trend Micro is still a good virus scanner and highly recommended by many websites, virus help channels and many IRC helpers. There does seem to be a slight glitch in how it scans mIRC, but other than that it's good at picking up viruses and is a good addition to your computer! That said, do remember, as always, no ONE virus scanner can detect, protect against and remove every virus threat. New viruses are released into the wild every day, and there are hundreds of different types of viruses, trojans, backdoors etc. You need at least 2-3 virus/trojan scanners on your computer for effective protection.

Conclusion:

1) Scan your computer with Trend Micro.
2) If malware.Bkdr_Ircflood.X is detected, clean it.
3) After a reboot and following instructions carefully, scan again.
4) If Trend Micro continues to detect 'malware.Bkdr_Ircflood.X', use 2-3 other programs to scan your computer.
5) If they find nothing, you're probably not infected!
6) If they do find something, clean your machine with those programs, reboot and rescan with those programs. After that, you should be clean (once and for all!)

I hope this helps those people who browse this thread and prevents them from needing further help until Trend Micro gets back to someone about this issue =) I by no means want to discourage people from posting if they have an issue, please do if you have more questions, but I think this post and the other posts throughout this thread answer a lot of questions that have been repeated and repeated! Stay safe! Regards,
Mentality/Chris

Joined: Apr 2004
Posts: 1
Mostly harmless
I use Norton AntiVirus 2004. After I got that "virus" I noticed my Norton was disabled and AutoUpdate was turned off. I used Trend Micro's free online scan to see what the problem was. I couldn't run nearly any .exe. I checked the registry to see if there was anything wrong. It looked fine. Then I went to Norton's website, and it found something wrong with the registry (the exact thing I checked, as if it were hidden or something). It cleaned it all up. Then I tried installing mIRC again and running it. It came back. I recently did a scan again. Found a WORM on my computer. My antivirus would have caught it, but for some reason it didn't. I think that the IRCFLOOD thing allowed it to come into my system, if not installing it itself. My system hasn't fully restored itself yet. Every time I would close something I use daily, an error would pop up.
And even now, I ran an old version of mIRC from a CD, and the virus became active again. Is there a way to fully remove it?
I think that the mIRC versions that have it should be removed from the website. It seems to open up a port; that may be how I got the worm. Also, could you guys put an older version that doesn't have it on the website please? I think you guys don't support the older versions, right? Just put the disclaimer saying that you don't support it, and not to email you. It would be greatly appreciated. I have to run Trillian's IRC now, and I hate it.
Also: ever since that happened, I can't receive downloads from anyone. I don't understand why at all. Please, any suggestions and help would be greatly appreciated.

Joined: Jun 2003
Posts: 5,024
Hoopy frood
"My antivirus would have caught it, but for some reason it didn't."

Many viruses nowadays actually manage to disable or evade certain antiviruses because the people who release the virus code it to do so; that is why on this board we are constantly suggesting that people use more than one antivirus, to try and scan your computer from more than one angle. No one virus scanner can detect everything. The mIRC download mirrors on www.mirc.com/get.html are perfectly safe: there are NO worms, backdoors, viruses, trojans or anything else malicious on those download mirrors or in the installer package that comes with it. Refer to the "How did I get infected" question in my last post (did you read that, by the way?). You will also find version 5.91 (the last 16-bit version of mIRC) on that download site. You can download old mIRCs from many websites, simply search Google, although I would strongly advise against it. As I also said in my last post, *WE* cannot tell you if you have a virus or not. We have no access, remote or otherwise, to your computer (nor do we want that) and many of us are not virus professionals or anything. You need to scan your computer with several virus AND trojan scanners, and preferably spyware scanners, to try and clean yourself. If you're having problems with DCC receiving then make sure it's definitely *your* problem; usually it's the sender's end. Try receiving files from 4-5 different people. If it doesn't work with any of them, try reading http://www.mirc.co.uk/help/getproblems.html or run a search on the forums for "DCC" or "DCC Get" and expand to 'All Forums' and 'All Posts' for best results. This is probably not related to any infections you have, although it is a possibility. Regards,
Mentality/Chris

Joined: Jun 2003
Posts: 384
Fjord artisan
"Many viruses nowadays actually manage to disable or evade certain antiviruses because people who release the virus code it to do so"

Sadly, most of the time this could be avoided if those who are using NT-based versions of Windows didn't in fact operate their computers as a user with full Administrator privileges. If you operate your computer as a restricted user, download an infected file, and then execute the virus, it will be run with your permissions. So it will NOT be able to deactivate your AV software, it will NOT be able to write to the filesystem (except perhaps the C: root and any directories you have write access to) and it will NOT be able to deliver a destructive payload. The only viruses that COULD would be the ones that get in through a system insecurity, à la MSBlast. People need to sandbox themselves before any AV software and firewalls can be optimally effective.

Joined: Apr 2004
Posts: 2
Bowl of petunias
Hi everyone, I for one am POSITIVE that I am in fact infected with this virus. I opened a malicious link (the link was to something.txt, but the .txt was just the name of the directory the exploit was in) that an infected user had sent me. After being infected, and many obscenities later, I discovered how it had gotten to my computer without me accepting any files.
The link uses a VBScript exploit in IE which drops a .exe which has several files packed in it. The files inside are "Load.dll", "fix.bat", "mirc.exe", and "shutdown.exe". Load.dll, I assume, contains APIs for mirc.exe. Shutdown.exe is a self-extractor which contains a shortcut to "%windir%\system32\shutdown.exe -s -t 00 -f". This simply shuts down the user's computer instantly (-t 00) and forces the shutdown (-f). As of now, I have no idea whatsoever what mirc.exe does (useful, huh?); I assume this carries the payload and is what changes the registry entries noted in the Trend Micro virus information. It is NOT a modified mIRC client, as I have run it myself and nothing seems to run, and I have monitored open ports for a silent mIRC client. fix.bat simply deletes the aforementioned files, including itself, and only contains:
del c:\load.dll
del c:\shutdown.exe
del c:\mirc.exe
copy c:\windows\notepad.exe c:\windows\system32\
del c:\fix.bat
Why it copies notepad to system32, I have no clue.
ONLY after being infected with this virus have I received the detection of Ircflood.X by HouseCall.

Joined: Jun 2003
Posts: 384
Fjord artisan
Hmm. I have notepad in both the system32 and winnt directories and I am not infected (Win2k). Odd.

Joined: Dec 2002
Posts: 2,985
Hoopy frood

Joined: Jun 2003
Posts: 5,024
Hoopy frood
Hi there asa. A couple of posts ago I did state:
- A link to more technical information that Trend Micro had released.
- We can do nothing about whether you're infected or not, nor explain why the virus does what it does.
- That Trend Micro does correctly detect the infection, but does also detect it incorrectly on clean machines.
- That Trend Micro's 'virus doctors' are looking into the matter.
Excuse any arrogance, but I don't see the need for constant posting of people informing us that they're infected or not, and re-answering questions that have already been answered several times! Also, it's best not to post the same post in two threads which relate to the same thing. Stay safe. Regards,
Mentality/Chris

Joined: Apr 2004
Posts: 1
Mostly harmless
Alright. I just finished reading pretty much EVERY post here and on that other website thread.
Let me start by saying that this is 90% NOT a FALSE POSITIVE. It's a mIRC backdoor/worm that's extremely difficult, if not impossible, to get rid of.
Like for everyone else, HouseCall will find the 'malware.BKDR_IRCFLOOD.X' trojan on my computer and simply report its successful identification and removal.
About a week ago I got a PM from a friend on a channel where I idle all the time. It had a couple of lines like "sap" and "hi", followed by a link to a flash animation poking fun at Microsoft Windows. Other people reported a link to a .jpg file or even a .txt file. I did a Norton AV scan immediately after, since my buddy told me that it wasn't him PMing me, but that he's infected with a trojan. Norton didn't find anything, and for almost a week since then my mIRC was working just fine.
Yesterday I joined my usual list of channels and within 2 minutes started receiving conspicuous messages from people all over whom I don't know. Their replies were consistent with what the worm PMs other users, especially when some of them commented on the flash animation, 'microsoft OS sux' and so on. Of course, I would get kicked/banned from channels and servers.
I knew immediately my computer was infected for sure. I scanned many times with HouseCall and other utilities. Only HouseCall finds it, supposedly 'removes' it, but it's back there next time I start mIRC.
My conclusion is that Trend Micro/HouseCall is not mistaken, but it simply doesn't know (yet) how to properly remove this serious threat. And all of you who think you are safe just because your mIRC seems to be working fine, think twice. I would say that the clever design of the worm allows it to 'sleep' for a few days and then start causing trouble.
I'm not going to take chances with this worm, since, as reported by Trend Micro, it not only affects mIRC behaviour, but it can also record my activity online, steal passwords and use my computer for DDoS attacks.
For now I'm booting into my Linux install until I get time to do this, and also install a hardware router/firewall.
I'll try one other thing mentioned on the boards and let you know the final result, although I'll still format; it's just too risky.
Good Luck.

Joined: Nov 2003
Posts: 2,327
Hoopy frood
Trend Micro finds nothing on my computer, which is why I guessed it might not be a false positive. Why would it report a detection on some computers if it's a false positive? I would say that it would detect it on all of them if it was.
New username: hixxy

Joined: Apr 2004
Posts: 1
Mostly harmless
Whenever I connect to mIRC, I find this virus as well when I run the online scanner. However, I also get about 50 connection attempts from 69.50.181.165 hitting different ports, wanna.see.a.massdeop.us, MAIL.ATRIVO.COM. If you open the second website address, there's a bunch of pictures and a video of some sort of party... I don't know if the two are related, however for me they did appear around the same time.

Joined: Apr 2004
Posts: 4
Self-satisfied door
I am also having this problem; I've been looking for a couple of days now and there are still no answers, but I have found some links on the mIRC website that could help. https://forums.mirc.com/showflat.php?Cat=...amp;amp;fpart=1 This page has several links that seem like they could be pretty helpful. I would try them but I'm on a public computer right now, so someone tell me if anything worked or not...

Joined: Apr 2004
Posts: 4
Self-satisfied door
IS TRENDMICRO EVEN TRYING TO FIGURE THIS OUT?!

Joined: Jun 2003
Posts: 5,024
Hoopy frood
Please read this post; it says just about everything that can be said, at least from what I have seen. There is, however, no point in using caps (which is considered "shouting" on the Internet in general, including the IRC community). Shouting at us is rude and uncalled for, no matter how frustrating something is, especially when the answer lies in this very thread. It was reported that Trend Micro's 'virus doctors' are looking into the matter; they may or may not have found an answer yet, these things can take time. There is little *WE* can do about the issue. Happy chattin'. Regards,
Mentality/Chris

Joined: Apr 2003
Posts: 210
Fjord artisan
Like other people, I get this error. For instance, when mIRC is not open it will detect and clean the virus (whilst "scanning system files"). Then with any further virus scans the virus will not be found. However, if I open mIRC and then close it again, and then re-scan, it finds the same virus. Very odd. I can't think what mIRC could be adding to my "system files", even if it is a false positive.
After the virus is cleaned it isn't detected again until mIRC has been re-opened. So if mIRC is still open after a clean, the virus is not detected by further scans. So it seems mIRC creates some kind of file when it opens which HouseCall doesn't like.
I also tried this on a copy of 6.03 which I have stored in a different folder (which excludes the possibility of that one copy of mIRC being genuinely infected on my system?). Same results.
Note: when I say virus scan I am of course talking about TM's HouseCall.
Last edited by saxon; 18/04/04 05:59 PM.
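One way to test the hypothesis in the post above (that mIRC writes something on start-up which HouseCall then flags) is to snapshot the mIRC folder, and the Windows folder if the scanner complains about "system files", before and after launching the client, and compare the two snapshots so that only the files that appeared or changed need to go to a second scanner or to the vendor. The script below is an added example, not code from this thread or from mIRC; it assumes nothing about mIRC itself, and demo() uses constructed file names in a temporary folder where on a real machine you would call snapshot() on the directories in question and launch the client in between.

```python
"""Snapshot a directory tree before and after running a program and report
which files were added, modified or removed.  Added example for this thread,
not code from mIRC or from Trend Micro; the file names in demo() are constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# A file is described by (size, SHA-256).  Hashing catches in-place rewrites
# that leave the size unchanged, which a size-only or timestamp check would miss.
FileInfo = Tuple[int, str]


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, FileInfo]:
    """Record every regular file under root, keyed by its path relative to root.
    Paths always use forward slashes so two snapshots compare the same anywhere."""
    seen: Dict[str, FileInfo] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip dangling symlinks, devices and the like
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen[rel] = (os.path.getsize(full), sha256_of(full))
    return seen


def diff_snapshots(before: Dict[str, FileInfo],
                   after: Dict[str, FileInfo]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, modified, removed) relative paths, each list sorted."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, modified, removed


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed walk-through: a fake program folder, a first snapshot, a
    simulated start-up that rewrites the ini and drops a log, a second snapshot."""
    root = tempfile.mkdtemp(prefix="snapdiff_")
    try:
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "prog.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)  # constructed stand-in, not a real binary
        with open(os.path.join(root, "prog.ini"), "w") as f:
            f.write("[settings]\nversion=1\n")
        before = snapshot(root)

        # "Launch" the program: it rewrites its ini file and creates a log file.
        with open(os.path.join(root, "prog.ini"), "w") as f:
            f.write("[settings]\nversion=1\nlastrun=today\n")
        with open(os.path.join(root, "logs", "status.log"), "w") as f:
            f.write("started\n")
        after = snapshot(root)

        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:   ", added)     # ['logs/status.log']
    print("modified:", modified)  # ['prog.ini']
    print("removed: ", removed)   # []
```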

Joined: Apr 2004
Posts: 1
Mostly harmless
I too am one of those people unable to find IEEXEC.EXE and everything else Trend Micro lists to remove from the registry, etc., etc., but enough about that.
Maybe this was a coincidence (I'm not sure if wabbyyy was referring to the same thing), but prior to the first scan I ran, I had rebooted after installing the monthly Windows updates and my computer was painfully slow: it took about 30 minutes to get to my desktop. In Task Manager, my CPU load was at 98-100% before I had even run any programs. 24 hours later or so, it started running normally, just like that. Anyone else have this problem? I found one other incident like this on Google but I'm not sure if it's related to BKDR_IRCFLOOD.X or just a mere coincidence.

Joined: Apr 2004
Posts: 1
Mostly harmless
I have the same problem as others that run mIRC. The "malware.BKDR_IRCFLOOD.X" is detected only with Trend Micro's software. Neither Norton, McAfee nor BitDefender found any traces of it. My mIRC client is currently version 6.14.
I have a question in regards to the "IEExec.exe" file. Is this file associated with Microsoft's .NET Framework? The entries below are found along with the path pointing to the ieexec.exe file. These entries were found on two machines I have mIRC installed on. It seems like it does not like to be deleted: the file is copied back over as soon as it is deleted. Is it a Windows protected system file? I assume booting into the Recovery Console to delete the file would work? Can someone confirm whether "IEExec.exe" is a legitimate Microsoft .NET Framework file or not.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExec.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ieexec.exe.config.orig
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll

Joined: Apr 2004
Posts: 1
Mostly harmless
Well, I read through all the posts in this topic, and I decided to check something. Now, I'd first noticed this on my own computer sometime after I came back from spring break last month, and only HouseCall was detecting it (neither NAV nor BitDefender registered anything). Very confusing, since I tend to be fairly paranoid about what I do with my computer, and I'd never had it before. The thing was, I couldn't remember whether this was pre- or post-upgrade to 6.14. So, I just tested this on my office computer, which I know was clean before I tried. I had mIRC v6.12 on my office computer; I checked it with HouseCall, nothing. I then upgraded it to v6.14, checked it with HouseCall again, and I got a hit. To me, this suggests that there's some change between these two versions that is being mistakenly identified as malware by HouseCall. Anyone else clean with 6.12 want to try this to see if this also occurs? I can't imagine that there would have been a drastic code change that would have created this, but I'm not that savvy when it comes to code.
Last edited by Aurion; 19/04/04 06:39 PM.

Joined: Oct 2003
Posts: 51
Babel fish
Please don't delete any files or registry entries.
This is simply a bug in housecall.
If none of the other antivirus programs detects it, then you are not infected.
HouseCall pops up the same message for me. But it does that way before it starts scanning. And at the end of the scan it doesn't detect any infected files. Normally, it displays a list of infected files and suggestions on how to deal with them.

Joined: Apr 2004
Posts: 1
Mostly harmless
Norton found nothing and HouseCall did, and for me it's not just a bug. I got a PM from a mate who had the ircflood and I clicked. The same week I too started to PM people on my IRC channels. I searched all the Google pages on malware.Bkdr_Ircflood.X and did not find the solution that fixed the problem. I too have the IEExec.exe, the config and the dll file; they always come back. I hope the virus doctors are working on the ircflood and find a solution; now I can't use IRC any more.

Joined: Jun 2003
Posts: 384
Fjord artisan
"...now I can't use IRC any more."

Why not use another IRC client in the meantime?

Joined: Apr 2004
Posts: 1
Mostly harmless
Hi guys, I'm new to this forum. I came here with the hope of finding a solution for the BKDR_IRCFLOOD.X I caught myself. Now I see you guys have no solution either. To me it happened the same way as to many of the other guys in here: HouseCall found the trojan, but I don't have IEEXEC.EXE nor any registry entries of it on my system, so the HouseCall "get rid" suggestions won't work for me. That's why I did some investigating on it; let me explain what I discovered so far.

It all started when I got PMed by a mate from a chan with a link inside, which I clicked... dumbass me. A couple of days later I wondered why I got scanned many times a day for Sokets de Trois v1, more than 20 times a day. My Norton Personal Firewall blocked them away, hopefully... By chance I found that HouseCall virus scan thingy and out of pure curiosity I ran that scan and... BINGO, infected. As I said above, HouseCall's suggestions don't work for me, so I started to investigate. I read several boards and such and found this one here that way.

At first I noticed the Notepad.exe in my system32 folder, which I dumped. After that I ran a registry cleaner which found 46!!! links related to notepad.exe in the system32 folder. I removed all of them and the system still runs solid. Now I haven't been scanned for Sokets de Trois v1 anymore. Then I got HijackThis for information on what is going on on my system. It detects anything that has been executed on the system. There were no suspects. Probably you guys may be helped by it. Then I got Process Explorer, which gives you info on what is loaded. Unfortunately it wasn't any help for me, but probably for you guys. Because I'm not that much of a trojan hunter crack either (this is my first one), I thought why not compare the HijackThis scans, and probably together we are able to find that shitty thing.
This is my HijackThis scan after starting mIRC, without doing the HouseCall clean-up:

(HijackThis v1.97.7 log, saved 20.04.2004 on Windows XP SP1, not reproduced here)

Togi
Last edited by Togi24; 20/04/04 05:50 PM.

Joined: Dec 2002 | Posts: 1,541 | Hoopy frood
OK, I don't know how much of this will apply, but according to Microsoft, THIS LINK says Win2k does this on install (2 copies of notepad.exe). I'm not saying anybody is or is not affected by all the viruses, just shedding more light on the situation is all. FYI, I just replied to the LAST post so this is a general FYI.
Those who fail history are doomed to repeat it

Joined: Apr 2004 | Posts: 4 | Self-satisified door
This is not just a bug in HouseCall. I am a paying customer of PC-cillin Internet Security as well as McAfee, and PC-cillin continues to find this problem. It also continues to "clean" it, and it is becoming very aggravating.
I have emailed Trend Micro about this and hopefully they will get back to me soon.

Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
I should imagine the general scanning process in HouseCall and PC-cillin is the same, as they are both produced by Trend Micro.
Trend Micro have already been contacted and, as has been said before, they have said their 'virus doctors' are looking into it. If they haven't cured it by now, they probably won't, but these things do take time.
-Generally speaking-
Sorry, but I have to wonder why people keep posting. Everything that can be said has been said, and if people would just take a little time to browse this entire thread, every question possible related to this topic is answered. Grateful as I/we are for contributions of technical details of the scan, to be blunt, it is of little use to us. Send it off to Trend Micro and let them analyse it. We cannot speak on behalf of Trend Micro. They must be contacted themselves, and we cannot come up with a cure for it!
Regards,
Mentality/Chris

Joined: Apr 2004 | Posts: 4 | Self-satisified door
I ran the Trend Micro scanner and it said it found and cleaned it. It didn't do anything else. However, whenever I try to open mIRC I fail, and when I run Trend Micro again it finds the same virus.

Joined: Dec 2002 | Posts: 3,127 | Hoopy frood
Several ppl have reported it showing up again on Trend Micro scans after opening mIRC. Regarding that, all we know is what has already been said several times in this thread.
If your question was about why you "try to open mirc i fail", we need a bit more info. Do you mean you can't bring mIRC up when you click on the shortcut, or can't connect to a server, or what? If you can tell us exactly what happens and any error msgs, we might be able to help.
ParaBrat @#mIRCAide DALnet

Joined: Apr 2004 | Posts: 4 | Self-satisified door
OK, here's what I get. I open up mIRC. I don't connect to any servers. I run Trend Micro and I get a msg saying it found and cleaned malware.bkdr_ircflood.x. Now I close mIRC and I run Trend Micro again and it doesn't find anything. Then I open mIRC again and I don't connect to any servers. I run Trend Micro and I get the msg that it found and cleaned malware.bkdr_ircflood.x. So every time I open up mIRC the virus comes back.

Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
In that case, read what ParaBrat said: "Several ppl have reported it showing up again on trendmicro scans after opening mIRC. Regarding that, all we know is what is already said several times in this thread." Now, read my post a few posts up from this one, under the General part of it... we really can't say much more. There is not much use telling us Trend Micro has found the virus; we can't do anything about it, and we already know there is an issue (as there are over 70 replies in this thread). Also, and I don't want to sound arrogant/big-headed, but I did attempt to ask 90% of the questions possible by gathering information from the other posts in this thread - see this post earlier on. Since then, I have only seen 2-3 reasonable replies. To be honest, it seems people are posting now just because it's a big thread, for no particular reason, and making no effort to get past the first few posts. Regards,
Mentality/Chris

Joined: Dec 2002 | Posts: 3,127 | Hoopy frood
Your being unable to connect to a server may not have anything to do with this issue with Trend. What msg are you getting when you try to connect? Unable to connect? G-line/K-line? Are you sure that server is linked and working? (Check the network's website for a list of servers to try.)
In your main mIRC window, type (don't forget the /): /server b0rk.uk.quakenet.org
If it doesn't connect, then try: /server 213.221.165.248
If you can't connect, tell us the exact msg you see please.
ParaBrat @#mIRCAide DALnet

Joined: Apr 2004 | Posts: 4 | Self-satisified door
I can connect to every server except for GameSurge. I was initially G-lined for having the virus. Since then it's been removed. Now here's what I'm doing. I open mIRC. I try to connect to GameSurge and this is what I get:
* Connecting to irc.gamesurge.net (6667)
-irc.gamesurge.net- *** Looking up your hostname
-irc.gamesurge.net- *** Checking Ident
-irc.gamesurge.net- *** Couldn't look up your hostname
-irc.gamesurge.net- *** No ident response
Ping? Pong!
bots/clones #rofl.gov.
Closing Link: rtuyu by Geneva.CH.EU.GameSurge.net (G-lined)
* Disconnected
I've checked the GameSurge website and I currently have no G-line. I've also tried all of their servers and I get the same msg. I've posted on GameSurge's message boards and the admins say they removed my G-line. But yet it still says I'm G-lined.
Any ideas?

Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
That's down to GameSurge's administration I'm afraid - they must have missed the G-line, or they have checked an incorrect IP address. If you browse the web through a proxy, that would produce an incorrect IP/hostname. There's nothing we can do I'm afraid; you'll have to walk through the process with them. The reason you get it on all servers is that a G-line is a global ban, set on all servers. Best of luck. Regards,
Mentality/Chris

Joined: Apr 2004 | Posts: 3 | Self-satisified door
"By opening that link (clanbase hacked, blablabla..), your browser gets redirected to sh0ut3tb34ts,tk. This URL points your browser to a page containing some malicious code. Using the security holes of some browsers, the worm will then download another file. After being executed automatically, this file will install a hidden mIRC-client on your PC. This client automatically connects to a certain IRC server and joins a certain channel. By typing some commands in this channel, that guy could get full control over your PC. For example, he could see any file on your computer. The script even contains a special command which reads your CD-Keys for Half-Life, Battlefield 1942 + Vietnam, UT 2004 and Quake 3 from your registry and sends them directly to him."
That's what I've heard about this virus; anyone know if it's true? I have also been infected and can't remove it. Every time I start nnscript (mIRC) it somehow comes back. Tried to delete the extra notepad.exe and all that.. makes no difference though.

Joined: Apr 2004 | Posts: 871 | Hoopy frood
The shoutedbeats-tk trojan is only one of the many versions of mIRC-based trojans going around at the moment. If you've been infected with that specific trojan, you could try this remover program (warning: use at your own risk!). However, please note that if you have been infected, the attacker has had full control over your system, so this remover tool is only the first step - you should definitely use recently updated anti-virus software as well (and that's always a good idea anyway, you might already have other infections on your system).
Saturn, QuakeNet staff

Joined: Apr 2004 | Posts: 3 | Self-satisified door
I tried that Q-fix, it said I'm all clear.. still HouseCall finds that virus every time I restart mIRC; Panda and Norton AntiVirus 2004 can't find anything though.. don't know which one of them to trust.

Joined: Apr 2004 | Posts: 871 | Hoopy frood
Please make sure you have read the previous posts in this thread...
Saturn, QuakeNet staff

Joined: Apr 2004 | Posts: 3 | Self-satisified door
I have.. not helping me much since no one really knows how to remove the virus, at least not yet.. I'll just have to wait I guess.. or maybe it's time for a format c:

Joined: Apr 2004 | Posts: 4 | Self-satisified door
Has anyone else tried formatting or going back to a System Restore point before the virus? I know a few ppl have and said that it didn't work.

Joined: Apr 2003 | Posts: 210 | Fjord artisan
No, it doesn't work... You'll notice that HouseCall cleans the virus, until you open mIRC again and it's reinstated.
HouseCall detects it whilst scanning system files. Whatever mIRC is adding there I don't know, as HouseCall doesn't inform you what or where the infected object is.

Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
not helping me much since noone really knows how to remove the virus, atleast not yet..
As I have said in previous posts, as have others, this is an mIRC help board - we're not virus experts (specifically), and the people to handle it must be the people who are qualified to. We're simply volunteer helpers who know little more than you do; everything "we" do know is explained in this thread.
Information and manual removal instructions are posted around the Internet. Look through this thread and you'll find a link that explains Trend Micro's method of removal. If you've followed those steps and don't find what it suggests, or do actually follow the instructions and remove said files, then the chances are you're not infected anymore. If your issue is not with malware.Bkdr_Ircflood.X then it does not relate to this thread. You will need to use 2-3 virus scanners, as you have done, and if one is finding an infection and 2 are not, use another 2 virus scanners. If neither of them finds it either, the chances are you are not infected.
Fact is, we have no/little chance of being able to directly help you; we don't know your computer setup, or know about every single virus (there are hundreds/thousands). All we can do is provide you with a link that explains the infection and how to remove it. You can find that yourself though using Google. This thread isn't here to help with viruses in general; it was started to report a possible false positive in Trend Micro. Trend Micro have said their virus doctors are looking into it; we cannot say any more because we don't actually know any more! Good luck. Regards,
Mentality/Chris

Joined: Apr 2004 | Posts: 1 | Mostly harmless
I have the BKDR_IRCFLOOD.X malware on my computer too and am unable to connect to DALnet.. I get akilled with the following message:
[1:38am] * Connecting to powertech.no.eu.dal.net (7000)
[1:38am] Local host: homebase (198.77.157.106)
[1:38am] ••• You are banned from connecting to this server ("You have been autokilled.")
[1:38am] -powertech.no.eu.dal.net- *** You are not welcome on this network.
[1:38am] -powertech.no.eu.dal.net- *** autokilled for [AKILL ID:1082727678K-a] [exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information. (2004/04/23 16.49)
[1:38am] -powertech.no.eu.dal.net- *** Your IP is 62.243.15.65
[1:38am] -powertech.no.eu.dal.net- *** For assistance, please email kline@dal.net and include everything shown here.
[1:38am] ••• Error: Closing Link: 0.0.0.0 ([AKILL ID:1082727678K-a] [exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information. (2004/04/23 16.49))
[1:38am] * Disconnected
I know that BKDR_IRCFLOOD.X is a dropper program that creates a folder (which I can't find) and creates an autorun registry entry that allows it to execute on every system startup. It probably comes with mIRC 6.14 somehow and I have no idea how to get rid of it except go to HouseCall, which finds that particular file but not the rest of the files it drops. So every time I reboot, I have the same problem. The files it drops are BKDR_IRCFLOOD.X, BAT_IRCFLOOD.X and IRC_IRCFLOOD.X. It supposedly creates this folder (which I don't have): C:\%Windows%\Microsoft.NET\Microsoft:NET\Framework\v1.0.3705\ When I do a search for BAT_IRCFLOOD.X the search comes up with 2 files, lpt$vpn.867 and vptnfile.867; both are in C:\WINNT. I run Windows 2000 Server and have no idea what to do.

Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
"C:\%Windows%\Microsoft.NET\Microsoft:NET\Framework\v1.0.3705\" I think should be "C:\%Windows%\Microsoft.NET\Framework\v1.0.3705\" - "Microsoft:NET" is invalid in a path. On a Win 2000 system, that will expand to C:\WinNT\Microsoft.NET\Framework\v1.0.3705\ (assuming Windows is installed on the C drive and uses the default 'winnt' directory).
lpt$vpn.867: According to http://security.uwo.ca/antivirus/patches.html this is a pattern file for detection|removal of WORM_MSBLAST.A & VARIANTS.
The URL "http://kline.dal.net/exploits/akills.htm#os" does not mention any particular trojan. There are many, many such worms out there. I suggest you download a couple of the trojan removers listed in this post, update them and scan. The shareware versions will mostly give you thirty days of full usage to try them out.

Joined: Apr 2004 | Posts: 4 | Self-satisified door
I may have found a solution for some of us. My circumstances were the so-called "sleeper" trojan and I emailed Trend Micro about it. This is what I was told to do, and I have not had any problems since:
1. Create a temporary folder in a location that you're familiar with (i.e. Desktop, C:\, My Documents etc.). To create a folder, right click on your target location and select New > Folder. Rename the folder 'system cleaner'.
2. Download sysclean.com here: http://www.trendmicro.com/ftp/products/tsc/sysclean.com
** Make sure to save sysclean.com to the 'system cleaner' folder created earlier, otherwise the scanning will not work.
3. You'll also need to download the latest pattern file. Sysclean.com will use the algorithms in this file to detect and clean viruses. Please download the latest virus pattern here: http://www.trendmicro.com/download/pattern.asp
** Once again, make sure to save the LPTxxx.zip file to the 'system cleaner' folder created earlier.
4. Once the virus pattern file download has been completed, you'll need to extract its contents to the 'system cleaner' folder. You'll need WinZip to extract the contents of the file. Please visit our knowledgebase for the instructions.
5. Check the 'system cleaner' folder for the following files: sysclean.com & lpt$vpn.xxx. Once the files are present, please restart your computer and access Windows SAFE MODE:
   1. Restart your computer.
   2. After the memory test and BEFORE the Windows loading screen appears, press F8 repeatedly.
   3. If successfully performed, a menu will be displayed. Choose 'Start Windows in Safe Mode' or 'Safe Mode'.
6. Once in Safe Mode, simply double left click on sysclean.com. It should start the scanning process and wipe out/clean viruses detected.
Worked for me... if it doesn't work for anyone else then idk. Just try it.

Joined: Dec 2002 | Posts: 23 | Ameglian cow
OK, here is my problem with the whole situation: it's been about 27 days since ytytyt first received an email response from Trend. To not have any real answers on this subject almost a month later really irritates me (with Trend). Does Khaled/mIRC not feel any obligation to hasten communications with Trend? I know if it were my program that was in this situation I would be communicating with them every day and informing people of any real information/answers that come out. Maybe he already has and nothing relevant can be posted publicly yet. For it to take this long seems to me that nothing is being done (by Trend) because they probably think it's a false positive. Then again I may be quite wrong, as I don't know any history with other viruses and how long new and/or possibly troublesome, difficult viruses take to be resolved and fixes found for. *wonders if ytytyt has yet received any response from Trend...* Can anyone tell me a tool to use to see when/if a malicious mIRC is being operated from my computer and the traffic it would produce? Sorry, but it really makes me MAD when someone/something prevents me from using mIRC to connect to IRC for almost 30 days! (I have since formatted and am back on mIRC.)
R¹¶¬³¥

Joined: Jun 2003 | Posts: 5,024 | Hoopy frood
"Does Khaled/mIRC not feel any obligation to hasten communications with Trend? I know if it were my program that was in this situation I would be communicating with them every day and informing people of any real information/answers that come out."
Whilst Khaled is a famous guy on IRC, in the grand scheme of things he's not an A-List superstar. Him emailing Trend Micro may hold a little more salt with them, as they've no doubt heard of mIRC due to its use in infecting other people, but they probably won't feel hastened to answer him any more than you or me emailing them. Plus, me, you, or anyone here doesn't know whether Khaled actually has contacted them about the issue or not. Who knows what Trend Micro are doing.. By the way, Khaled's life is made a little more hectic due to what I can only assume is the thousands of emails he receives per day, and that's with all the junk mail excluded - and real life too, plus Arnie takes a lot of his time up.
"Can anyone tell me a tool to use to see when/if a malicious mIRC is being operated from my computer and the traffic it would produce?"
This page has some good ideas on what to do and, as you may have heard already (as it has been mentioned several times in this thread), this post has many resources to get yourself uninfected. Best of luck. Regards,
Mentality/Chris
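The question quoted above asked for a way to see whether a hidden mIRC client is talking to an IRC server from your machine. The check below is an added example written for this page, not code from the thread, from mIRC or from Trend Micro: it parses the output of `netstat -ano` (the Windows 2000/XP form that prints the owning PID) together with `tasklist`, keeps TCP connections whose remote port is a common IRC port, and reports any that do not belong to the IRC client you knowingly run. The sample netstat and tasklist output are constructed for the example; the port list and the `mirc.exe` process name are assumptions to adjust to your own setup.

```python
import re

# Ports IRC servers commonly listen on. 6660-6669 is the classic range, 7000
# is the port in the DALnet connect message quoted in this thread, 6697 is
# the usual TLS port. Assumption, not an exhaustive list.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000, 7001}

# One TCP row of `netstat -ano` on Windows 2000/XP, e.g.
#   TCP    192.168.1.5:1045       203.0.113.7:6667       ESTABLISHED     1234
TCP_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

# One row of `tasklist` output, e.g.
#   svchost.exe                  932 Console                 0      4,236 K
# The image name may contain spaces, so it is matched lazily; the memory
# column may use ',' or '.' as thousands separator depending on locale.
TASKLIST_ROW = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d.,]+ K\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). IPv4 only, as on XP-era netstat."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; header rows do not match."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            pids[int(m["pid"])] = m["name"]
    return pids


def find_irc_connections(netstat_text, pid_names=None, irc_ports=IRC_PORTS):
    """Return TCP connections whose remote port is an IRC port.

    pid_names maps PID -> image name so each hit can be attributed to a
    process; PIDs missing from the map are reported as '?'.
    """
    pid_names = pid_names or {}
    hits = []
    for line in netstat_text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue
        host, port = split_endpoint(m["remote"])
        if port not in irc_ports:
            continue
        pid = int(m["pid"])
        hits.append({
            "pid": pid,
            "process": pid_names.get(pid, "?"),
            "remote": f"{host}:{port}",
            "state": m["state"],
        })
    return hits


def suspicious(hits, expected=("mirc.exe",)):
    """Hits that are not from the IRC client you knowingly run.

    A hidden client is usually a renamed copy of mIRC, so the process name
    is the first thing to look at; an unattributed PID ('?') is also reported.
    """
    return [h for h in hits if h["process"].lower() not in expected]


# Constructed sample output for the example; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.5:1041       203.0.113.7:6667       ESTABLISHED     1440
  TCP    192.168.1.5:1052       198.51.100.80:80       ESTABLISHED     1180
  TCP    192.168.1.5:1063       198.51.100.23:7000     ESTABLISHED     2216
  UDP    0.0.0.0:445            *:*                                    4
"""

SAMPLE_TASKLIST = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
svchost.exe                  932 Console                 0      4,236 K
iexplore.exe                1180 Console                 0     18,900 K
mirc.exe                    1440 Console                 0      6,512 K
update.exe                  2216 Console                 0      3,104 K
"""

if __name__ == "__main__":
    hits = find_irc_connections(SAMPLE_NETSTAT, parse_tasklist(SAMPLE_TASKLIST))
    for h in suspicious(hits):
        print(f"PID {h['pid']} ({h['process']}) -> {h['remote']} [{h['state']}]")
```

Run `netstat -ano` and `tasklist` at a command prompt, feed their output to `find_irc_connections` and `parse_tasklist`, and look at whatever `suspicious` returns with a process viewer, since a renamed copy of mIRC shows up under whatever name it was given. This only catches a client while it is connected, so run it with your normal session up rather than after closing everything.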

Joined: Aug 2003 | Posts: 27 | Ameglian cow
I'm really sorry to be another person adding to this thread, but I am really at a loss as to what to do, and I have been experiencing things that, after reading through all 5 pages of posts, no one else seems to have touched upon.
- I run AVG antivirus on my computer, which scans daily for me and is updated weekly. A few days ago I started getting this message in relation to my AVG program:
avgcc32.exe - Application Error
The Instruction at "0s5f4012a1" referenced memory at "0x00000004". The memory could not be "read".
Click on OK to terminate the program
So, I would click OK, and my AVG would shut down. When I restarted AVG I would a) get that same message again, and it would immediately shut down - THEN b) I would manually launch AVG, get that same message again, and it did not shut down AVG, but when AVG launched, it showed the "Control Center" as not being active and functional. Attempting to activate it sometimes worked, and sometimes caused AVG to shut down again.
- In an attempt to find out what was wrong, I tried to go to AVG's website at www.grisoft.com but always got the "this page could not be found" message.
- I tried other common/major antivirus websites, but was unable to access those as well, although all other websites loaded fine.
- I thought my problem was with AVG, so I uninstalled it, had a friend download the install file for me (as I was unable to access the website) and send me the install file. After reinstalling AVG, I was still getting the same error message.
- I then called a tech friend of mine, who suggested this: a) deactivate System Restore b) use Trend Micro's online scanner to check for viruses. I discovered I was unable to access Trend Micro's homepage, but was able to access the HouseCall scanner page.
- I ran a scan using TM's HouseCall scan, and as it was doing the initial system scan, got the following message: HouseCall has found and cleaned a malware.BKDR_IRCFLOOD.x. So, I clicked okay, and it then scanned my computer and found the following file:
Virus: DOS AGOBOT.HM
Scan result: Non Cleanable
File: c:\windows\system32\drivers\etc\hosts
Since it was not cleanable, I deleted the file.
- I then used TM's HouseCall scan once again, and it found nothing in the initial system scan and no viruses detected.
- After doing this, I found I was then able to access antivirus websites once again, including the ones at Trend Micro and Grisoft that I had previously not been able to access.
- I thought I had solved my problem, so I reactivated System Restore and rebooted my computer.
- After my computer rebooted, AVG tried to launch and I got the same error message again. I was able to open it manually and then manually activate the "Control Center".
- I then launched all the programs I typically run on my computer, including two instances of mIRC (one for me, one for my bot), and several instant messaging programs.
- I found I was once again NOT able to access antivirus websites. I was not able to access Grisoft's nor Trend Micro's homepage.
- I once again found my way to Trend Micro's HouseCall scanner, and used it to scan my computer. I found: a) on the initial system scan "malware.BKDR_IRCFLOOD.x" was there once again b) it once again found "DOS AGOBOT.HM" in the same location as before.
- I then found my way here and read through all 5 pages of posts, and found that no one else seemed to have experienced the same things as I have. I'm not a very technical person, and I don't understand things about "registries" or "keys" and I can't really understand all the things you all have said to look for and try. Has anyone else found these same problems? Does anyone have any suggestion that can be made simple for someone who is a technical dummy?
Thank you, and I apologize once again for adding to this already long thread.
~~~
I'm a Scripting Newbie, please forgive my questions, and have patience with me. Thanks!

Joined: Nov 2003 | Posts: 2,327 | Hoopy frood
At least I can help one person in this thread. The virus found in:
c:\windows\system32\drivers\etc\hosts
is most likely the reason why you cannot access those websites; the hosts file can be used to change where URLs point to. Find:
c:\windows\system32\drivers\etc\hosts
and edit it so only the following is in it:
127.0.0.1 localhost
The lines that start with a '#' are actually comments, so they are not important; you don't need to delete those lines. Hope this helps a little bit.
Edit: I'm guessing that AGOBOT (aka GAOBOT) will just change the hosts file back, but it's a temporary solution.
Last edited by tidy_trax; 30/04/04 11:49 PM.
New username: hixxy
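The post above describes the mechanism: the bot rewrites the hosts file so that antivirus and update sites resolve to 127.0.0.1 (or to an address of the attacker's choosing), and the cure given is to wipe the file down to the localhost line. What follows is an added example, not code from the thread or from any vendor: it parses a hosts file, flags every mapping for a list of security-vendor domains, and removes only those lines, so legitimate entries such as an internal file server survive. The domain list and the sample hosts file are constructed for the example; the list is illustrative and should be extended with whatever vendors you actually rely on.

```python
# Domains a bot typically blackholes so the victim cannot reach AV vendors
# or Windows Update. Illustrative only (assumption); extend as needed.
PROTECTED_DOMAINS = (
    "grisoft.com", "trendmicro.com", "housecall.antivirus.com",
    "symantec.com", "mcafee.com", "pandasoftware.com", "kaspersky.com",
    "bitdefender.com", "windowsupdate.microsoft.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Blank lines and '#' comments (including trailing ones) are ignored;
    one IP may be followed by several hostnames on the same line.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def is_protected(hostname, protected=PROTECTED_DOMAINS):
    """True if hostname is a protected domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in protected)


def find_hijacks(text, protected=PROTECTED_DOMAINS):
    """Return every hosts entry that pins a protected domain to any address.

    Both the blackhole case (127.0.0.1, the symptom described in this
    thread) and a redirect to some other address are reported: a vendor
    domain has no business being in a hosts file at all.
    """
    return [
        {"line": line_no, "ip": ip, "host": name}
        for ip, name, line_no in parse_hosts(text)
        if is_protected(name, protected)
    ]


def clean_hosts(text, protected=PROTECTED_DOMAINS):
    """Return the hosts text with hijacked lines dropped, everything else kept.

    A line that mixes a legitimate name and a hijacked one is dropped whole,
    so read the report from find_hijacks before writing the result back.
    """
    bad_lines = {f["line"] for f in find_hijacks(text, protected)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


# Constructed sample, modelled on a Windows hosts file after tampering.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.grisoft.com grisoft.com
127.0.0.1       www.trendmicro.com
127.0.0.1       housecall.trendmicro.com   # blackholed scanner page
203.0.113.9     securityresponse.symantec.com
192.168.1.10    fileserver.lan
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows 2000/XP the file is %SystemRoot%\system32\drivers\etc\hosts. Read it, pass the text to `find_hijacks`, and only write the output of `clean_hosts` back after the process that rewrites the file is gone, for the reason given in the edit to the post above: a resident bot will simply put the entries back.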

Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
You should use a dedicated trojan cleaning program such as PestPatrol and/or TrojanRemover (or one of the others listed in this post) to get rid of Agobot.

Joined: Dec 2002 | Posts: 1,541 | Hoopy frood
FWIW, kbaumgar's post (like 7 or 8 above this one in the thread) worked for me with the virus in the title of the thread. It ALSO worked for a friend of mine with other viruses she had, so maybe give that a try (for those who have NOT yet done so AND are experiencing problems or getting trojan message alerts).
Those who fail history are doomed to repeat it

Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
Yeah, sysclean most likely does work just fine with some, or even most. This...
"So, I clicked okay, and it then scanned my computer and found the following file:
Virus: DOS AGOBOT.HM
Scan result: Non Cleanable
File: c:\windows\system32\drivers\etc\hosts
Since it was not cleanable, I deleted the file.
- I then used TM's House scan once again, and it found nothing in the initial system scan and no viruses detected."
... seems to indicate that Trend only found one file (hosts) in connection to that worm, in which case it couldn't possibly clean it, as a modified hosts file is but one symptom of the worm (and of many others). So I recommend a trojan scanner|remover, something I think everyone should have in their arsenal - along with at least one good AV program.

Joined: Dec 2002 | Posts: 1,541 | Hoopy frood
1) I then used TM's House scan once again, and it found nothing in the initial system scan and no viruses detected.
2) After doing this, I found I was then able to access antivirus websites once again, including the ones at Trend Micro and Grisoft that I had previously not been able to access.
3) I thought I had solved my problem, so I reactivated System Restore, and rebooted my computer.
4) After my computer rebooted AVG tried to launch, and I got the same error message again.
I would hope you would NOT repeat step #4 again, because it SOUNDS like the virus is on that previous version of your OS and you brought the virus back with it. I can only hope that some of the info posted here can at least lead you in the right direction. We're posting tons of updated info (as you can tell) when we find something new to add so it can help others (even if it turns out to be a "tried that, didn't work").
(General statement): I sure hope we (the IRC community) can now learn to NOT CLICK THINGS WE DON'T KNOW ABOUT. A LOT of these TYPES of things can be avoided if we use a bit of discretion when clicking links, going to sites, etc. When in doubt, DON'T CLICK A LINK IN MIRC. What's the harm from that, curiosity's gonna kill you? ;-)
Those who fail history are doomed to repeat it

Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
Turning System Restore off wipes all previous restore points.

Joined: Dec 2002 | Posts: 1,541 | Hoopy frood
I didn't know that (as I don't use an OS with Restore like XP has). A notable tidbit to say the least. Thanks for the info.
Those who fail history are doomed to repeat it

Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
No probs. System Restore is a pretty nice feature (XP and ME both have it), but if a virus gets backed up through it, the only way to clean it is to disable then re-enable it.

Joined: Nov 2003 | Posts: 2,327 | Hoopy frood
Problem with using a dedicated trojan remover is that it's already blocking some of the sites that (s)he could download one from.
New username: hixxy

Joined: Aug 2003 | Posts: 1,831 | Hoopy frood
Perhaps, but then you dl one from MajorGeeks or PCWorld or some such mirror.

Joined: May 2004 | Posts: 1 | Mostly harmless
Hm, well, I have now read through all these comments and I have done all the fixes, searched the registry entries and run 5 AV/trojan programs (Kaspersky, TheCleaner, AVG, Stinger, Panda), but no AV program found this trojan. Then I started the Trend Micro online scan and it found the malware.Bkdr_Ircflood.X thingy. But always when I open my mIRC the virus is there again; I don't need to connect to a server or anything, just load it and the virus is active. There is no new process running then like they said on the Trend Micro homepage, so there are no registry entries as well. Don't know what to do now; hope Trend Micro comes up with a solution/patch or whatever.

Joined: May 2004 | Posts: 1 | Mostly harmless
Trend Micro Has fixed this issue. No need to worry anymore.

Joined: Dec 2002 | Posts: 1,541 | Hoopy frood
What, can I ask, is your proof of this? Do they state somewhere that the issue's been resolved? Did they send you an email? Did you hear it from a friend of a friend of a friend? Did their virus scanner clean a virus for you? I'm not doubting you, I just would like to know where the proof of this is before I blindly believe it, that's all. No offense intended.
Those who fail history are doomed to repeat it

Joined: Dec 2002 | Posts: 3,127 | Hoopy frood
My thoughts exactly, landon. Although, when I checked, I did see that Trend updated their patterns on May 3rd, and when I scanned there's no more of that ircflood found msg when none of the files/registry entries exist on my puter. Looks like they decided to fix it without fanfare, I guess. I'd suggest anyone who has had the same issue (i.e. getting that msg but not finding any of the files or registry entries) try now and see what happens.
ParaBrat @#mIRCAide DALnet