#76390 24/03/04 06:23 PM
Joined: Mar 2004
Posts: 7
J
Nutrimatic drinks dispenser
OP Offline
I recently scanned my system with TrendMicro's HouseCall, and it found malware.Bkdr_Ircflood.X running in memory (and cleaned it). It never found any files that were infected with the virus, just said it was running in memory. I decided to format (it was time to format anyway), and after installing Windows XP and mirc 6.14 (did the same with 6.12), HouseCall found it again.

I was wondering if this was a HouseCall bug or if anyone else had this problem?

#76391 24/03/04 06:25 PM
Joined: Dec 2002
Posts: 1,541
L
Hoopy frood
Offline
Sounds like it could be a false positive where the scanner thinks it found something from code (in a file) that mimics a virus. Did it find it in a mirc file or a mirc script (or neither)?

EDIT - if you check the TROJAN INFO link, you can see a few other places to try and scan with for more of a well rounded idea/opinion


Those who fail history are doomed to repeat it
#76392 24/03/04 06:42 PM
Joined: Mar 2004
Posts: 7
J
Nutrimatic drinks dispenser
OP Offline
Thanks for the reply! It didn't find either mIRC itself or an mIRC script (didn't have one installed at time of scan). When it was scanning memory and system files, it would find malware.bkdr_ircflood.x if mIRC was running. If mIRC wasn't running at the time, it wouldn't find it.

I'm also scanning using tools from the thread you linked right now. Of the few that have completed, only HouseCall has found this virus. I'm beginning to think that it is indeed a false positive detected by HouseCall.

#76393 24/03/04 06:42 PM
Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
Indeed, to follow on from above, it's always good practice to use more than one antivirus and/or trojan scanner. 'False positives' are common, and you can never be too safe.
The opposite can be true as well, whereby an antivirus will not detect a virus but another one will. If the AVs you have, have an "Auto Protect" feature then you should have it enabled too.

Stay safe :)

Regards,


Mentality/Chris
#76394 25/03/04 01:59 AM
Joined: Mar 2004
Posts: 1
C
Mostly harmless
Offline
Hello,

I'm having the exact same problem with TrendMicro's HouseCall scanner. Every time I open mIRC I get the BKDR_IRCFLOOD.X virus, the same problem you have. I did get rid of the ieexec.exe program, checked my registries to see if it's infected, but I found nothing. I too believe that the scanner is false. If you happen to find a scanner that also picks BKDR.IRCFLOOD.X, please reply or e-mail me @ jamesbond236@hotmail.com with an appropriate title regarding the virus BKDR_IRCFLOOD.X which appears on TrendMicro's HouseCall scanner.

Thanks,
- Jay

#76395 25/03/04 07:01 AM
Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
It's still a good virus scanner and is widely used even if it does turn up some wrong results - obviously it's just sensitive. If you simply scan with 2-3 of the virus scanners that appear in the Trojan resources thread you should know if you're clean or not.

Just an FYI, I wouldn't suggest posting your email on the public Forum, spam bots crawl the web and pick up those emails subsequently spamming them.

Stay safe :)

Regards,


Mentality/Chris
#76396 26/03/04 10:59 AM
Joined: Mar 2004
Posts: 1
R
rew Offline
Mostly harmless
I've come up with the same. Digging through some logs and stuff, here is what is setting it off:

Debug Information Level=0
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\DefaultIcon]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Application]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\ifexec]
BackupRegKey[HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec\Topic]
BackupRegKey[HKEY_CLASSES_ROOT\.cha]
BackupRegKey[HKEY_CLASSES_ROOT\.chat]

and

Damage Cleanup Engine (DCE) 3.5(Build 1119)
Windows XP(Build 2600: Service Pack 1)

Start time : Fri Mar 26 02:49:08 2004


Load Damage Cleanup Template (DCT) "H:\WINDOWS\tsc.ptn" (version 298) [success]
BKDR_IRCFLOOD.X[virus found]
-->delete registry data("HKEY_CLASSES_ROOT","ChatFile\DefaultIcon",""E:\mIRC\mirc.exe"") success
-->delete registry key("HKEY_CLASSES_ROOT","ChatFile","") success
-->delete registry key("HKEY_CLASSES_ROOT",".cha","") success
-->delete registry key("HKEY_CLASSES_ROOT",".chat","") success

Complete time : Fri Mar 26 02:49:14 2004

Execute pattern count(718), Virus found count(1), Virus clean count(1), Clean failed count(0)
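
A small parser for the Damage Cleanup Engine log quoted in the post above, added here as an example and not part of the original thread or of any Trend Micro tool; it lists what the cleanup acted on for each detection. The line patterns are inferred only from the lines shown in that log, and `parse_dce_log` and `summarise` are hypothetical names.

```python
import re

# Constructed sample: the cleanup-log lines quoted in the post above.
SAMPLE_LOG = r'''BKDR_IRCFLOOD.X[virus found]
-->delete registry data("HKEY_CLASSES_ROOT","ChatFile\DefaultIcon",""E:\mIRC\mirc.exe"") success
-->delete registry key("HKEY_CLASSES_ROOT","ChatFile","") success
-->delete registry key("HKEY_CLASSES_ROOT",".cha","") success
-->delete registry key("HKEY_CLASSES_ROOT",".chat","") success
'''

DETECTION = re.compile(r'^(?P<name>\S+)\[virus found\]$')
# Assumption: only the two action kinds visible in the quoted log are recognised.
ACTION = re.compile(r'^-->delete registry (?P<kind>data|key)'
                    r'\("(?P<hive>[^"]*)","(?P<path>[^"]*)","(?P<value>.*)"\) (?P<result>\w+)$')

def parse_dce_log(text):
    """Group cleanup actions under the detection name that precedes them."""
    findings, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        hit = DETECTION.match(line)
        if hit:
            current = findings.setdefault(hit['name'], [])
        elif line.startswith('-->') and current is not None:
            act = ACTION.match(line)
            if act:
                current.append({'kind': act['kind'],
                                'key': act['hive'] + '\\' + act['path'],
                                'value': act['value'].strip('"'),
                                'ok': act['result'] == 'success'})
            else:  # keep unknown action lines visible instead of dropping them
                current.append({'kind': 'unrecognised', 'raw': line})
    return findings

def summarise(findings):
    """Per detection: registry keys touched, data values removed, failures."""
    out = {}
    for name, actions in findings.items():
        known = [a for a in actions if a['kind'] != 'unrecognised']
        out[name] = {'keys': [a['key'] for a in known],
                     'data': [a['value'] for a in known if a['value']],
                     'failed': sum(1 for a in known if not a['ok']),
                     'unrecognised': len(actions) - len(known)}
    return out

if __name__ == '__main__':
    for name, info in summarise(parse_dce_log(SAMPLE_LOG)).items():
        print(name, info)
```

For the quoted log, every recorded action is a registry deletion under the `ChatFile`, `.cha` and `.chat` entries, and the only data value removed is the path to `mirc.exe`.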

#76397 29/03/04 04:33 AM
Joined: Mar 2004
Posts: 2
J
Bowl of petunias
Offline
Yes, I also have received the BKDR_IRCFLOOD.x, and only Trend Micro seems to be finding this file, and each time its HouseCall removes it, and I reboot my computer, this file shows up again!

I have used NAV 2004 Pro, KAV, McAfee, AVG, Pest Patrol, Spybot Search & Destroy, and Trojan Hunter, the GFI Online Trojan Scanner, and none of these showed BKDR_IRCFLOOD.x!

Is BKDR_IRCFLOOD.x actually a file, much less a form of malware? I have spent the better part of the past 5 hours scouring my two computers and notebook here at home.

Jammy




Skepticism Is A Virtue
#76398 29/03/04 04:38 AM
Joined: Dec 2002
Posts: 1,541
L
Hoopy frood
Offline
I couldn't tell you as this is not my area of expertise (aka how trojans work and what their filenames are called etc)


Those who fail history are doomed to repeat it
#76399 29/03/04 06:06 AM
Joined: Jun 2003
Posts: 994
C
Hoopy frood
Offline


I refuse to engage in a battle of wits with an unarmed person. ;)
#76400 29/03/04 06:46 AM
Joined: Sep 2003
Posts: 38
S
Ameglian cow
Offline
@rew:
Debug Information Level=0 etc.
So it's harmless?

Like almost everyone else I too have that backdoor on my system. Only Trend Micro seems to find it, but not on every system. Even at home, where I have 3 different computers, just 1 is "infected".
Though I think nothing is wrong, (using cmd and looking at netstat gives on open connection I didn't open myself), I did find something else. When connecting to irc.quakenet.org and joining #5on5 I got G-Lined. (Probably just an on join G-Line).
Still it's weird that every time you start mIRC again, you have been "infected" again.

#76401 29/03/04 08:29 AM
Joined: Mar 2004
Posts: 2
J
Bowl of petunias
Offline

Thanks! But ya know that I have never had any of those entries in my registry!!! I get so tired of manually going to my registry only to not find anything.

Trend Micro may have found something but how come none of the other AV programs can find anything?

Another reason why I agree that this is just a false positive.

Jammy



Skepticism Is A Virtue
#76402 29/03/04 08:16 PM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
Offline
it's not at all uncommon for one AV to find something that another one doesn't. have you contacted trendmicro to ask them to investigate whether it's a false positive? don't just assume it is. although, if it was something within the basic mIRC (as downloaded from mirc.com) triggering it, then it seems like everyone with mIRC who uses housecall would get the same results


ParaBrat @#mIRCAide DALnet
#76403 31/03/04 07:48 PM
Joined: Mar 2004
Posts: 1
K
Mostly harmless
Offline
I too have had this "virus". However, for me it only comes back after I restart mirc. If I start mirc, exit, clean it, restart mirc... it's there again. Don't open mirc, it doesn't appear!

I have none of those registry entries mentioned, nor the .exe file. Fortunately, I found this thread before I tried a format. Think I might try emailing Trend Micro about this.

kilo

#76404 31/03/04 09:27 PM
Joined: Mar 2004
Posts: 1
M
Mostly harmless
Offline
Haven't you guys experienced any effects from the malware?

For me the malware deleted all my Internet Explorer Favorites (which was extremely frustrating) and changed my starting page.

#76405 31/03/04 09:50 PM
Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
I think what most of these guys are saying is that Trendmicro is turning up a confirmed infection when actually, they are not infected - meaning they would not suffer.

Perhaps you really were infected and therefore, you did.

Hope you manage to get back on track though :-)

Regards,


Mentality/Chris
#76406 01/04/04 01:32 AM
Joined: Mar 2004
Posts: 1
C
CTR Offline
Mostly harmless
I have the same problem.. can't anyone help cleaning this virus?

#76407 01/04/04 05:06 AM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
Offline
CtrlAltDel provided a link to trendmicro that details how to clean that virus if you are in fact infected with it. Unless every file and all registry entries are removed, each time you open mIRC the trojan will restart.

Whether there is something triggering a false positive in puters that aren't actually infected, i don't know


ParaBrat @#mIRCAide DALnet
#76408 01/04/04 09:37 AM
Joined: Apr 2004
Posts: 1
W
Mostly harmless
Offline
i have the same problem,

i find out that this worm is creating 3 files in folder %windows%\temp
files are: mirc.exe , lol.exe and lol.bat

if i open any txt file, my system is shutting down (load at 1st the lol.bat file, and then the mirc.exe and lol.exe)

- trendmicro is the only tool to find this worm (but he didnt say what file is infected, only "systemfiles")

if i reinstall windows , i solved this problem, or i get this worm again if i connect to IRC ?

sorry for my bad english
best regards
Whity

#76409 01/04/04 02:54 PM
Joined: Apr 2004
Posts: 1
S
Mostly harmless
Offline
You have to delete Windows\System32\notepad.exe which is a self extracting file - virus. You can either:

1) replace this file with the standard Windows/notepad.exe

2) delete any reference to 'System32\notepad.exe' in your registry. When you do that, if you try and open a txt file, windows will ask you to select a program to open it with - just choose Windows\notepad.exe
