Page 3 of 6
#76430 08/04/04 12:30 AM
Britneyfan: realize that the earlier post was not referring to the valid MS Windows application also called notepad.exe, which is in the Windows directory. He was referring to one apparently found in windows/system32 (although I'm not familiar with that issue, so I can't comment further). I don't know which it is you found.

There are two issues. Some people are actually infected by the trojan, which drops a modified mIRC (and modifies the mIRC icon) and creates the files/registry entries detailed at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_IRCFLOOD.X&VSect=T (you can read there what the trojan does).
Others are told it's found, but have none of the mentioned entries/files. Whether it's a false positive being triggered by similarities or not, we can only wait for Trendmicro to say so and patch for it. Those people are also not having any problems on IRC such as you describe, so yours may be a different issue.

Is the problem only in channels? Are you able to msg people? Have you tried other networks? Do you see any error messages in your status window? What is the "funny entry" that you have in startup?

This may sound silly, but it wouldn't hurt to check your colors to be sure you haven't set others' text the same color as your background (hold down your Alt key and press the K key to see the colors dialog, or click on the icon that looks like crayons).

ParaBrat @#mIRCAide DALnet
#76431 08/04/04 12:38 AM
I appear to have notepad.exe in both c:\WINNT and in c:\WINNT\System32, and both are legitimate Microsoft Notepad executables, so it appears that that bears no significance...

Edit:

OS of machine in question: Win2k SP4
OS installed: 4 days ago

#76432 08/04/04 12:50 AM
Thanks for the info Deku, I run 98SE and only have it under Windows. I'm not sure what the post about it being in system32 is all about, since I'm not familiar with whatever trojan they mean. Mainly I wanted Britneyfan to be aware there is a legitimate MS Notepad executable.

ParaBrat @#mIRCAide DALnet
#76433 08/04/04 07:57 AM
I just wanted to note that no one has responded to my original post. I am detecting Bkdr_Ircflood.X, but there are some additional/different things I'm experiencing that might be of interest to everyone. The virus I mention below is also IRC related, take a look:

Let me begin by saying I've read every post here and still am not sure what to believe.

One thing you might find interesting is that if I run a Trendmicro scan while running mIRC, I get a different virus alert.

The virus is worm_thrax.a.

http://de.trendmicro-europe.com/enterpri...amp;amp;VSect=T is where more information on this can be found. When I run Trendmicro when IRC is not running, it detects Bkdr_Ircflood.X.

I'd really like any information about this.

Thank you for reading.

Last edited by problem; 08/04/04 07:59 AM.
#76434 08/04/04 08:15 AM
Speaking of notepad.exes: I have an extra one right now, in C:\WINNT\system32\dllcache. Before, I know for sure, I had only 2: one in c:\winnt and one in c:\winnt\system32. Anyone else have this?

I use win2k.

I don't have anything mysterious in my run/registry/sys memory. But my comp's acting funny. For the love of my life I can't figure out how I lost a whole album (12 songs). This is just paranoia. And my HLIT is all messed up: when I open it, it doesn't show any of my favs, but fav.dat is there with everything in it, and the menu at the bottom is gone. It was working fine yesterday.

Perhaps formatting is long overdue.

*********************

Btw, I heard that

/remote off
/timers off

are good commands to secure mirc.

#76435 08/04/04 08:38 AM
Of course, check to see if any of the files/registry entries listed are on your computer. I'm afraid the only place any of us can get any info on whether this one is a false positive is from Trendmicro. Have you contacted them to ask?

Since the trojan you referred to seems to drop modified mirc.ini and script.ini, I'd also take a look at the ones you have. If they look like they should, perhaps something in your legit ini files resembles a known trojan string (it certainly isn't uncommon to have backdoors and nasties in scripts people download). Maybe include yours in a report to Trendmicro to give them something to go on? NOTE: be sure to remove any passwords you may have in your ini files before sending them off!

I'm not aware of anyone receiving emails from Trendmicro other than the one saying their virus doctors were looking into it. All any of us can do is check for what they say is dropped by these trojans and contact them if none of it is found. They need to know lots of people are having the problem and it isn't an isolated event. I know I'm not giving you any answers, but I can't; only Trendmicro can explain what's going on. If they are false positives, hopefully Trend will patch for them soon and stop giving us all gray hair.

ParaBrat @#mIRCAide DALnet
#76436 08/04/04 10:15 PM
Hi, I'm new to this forum so bear with me. I just got through reading this thread. I was having a problem with my computer that just started 2 days ago: something was eating my memory, running in the background. I also have run every scan and found nothing; then I ran Trend and it found this malware.BKDR_IRCFLOOD.X and cleaned it.
The thing that concerns me is I haven't used mIRC in over 6 months, so I don't know how I got this.

#76437 08/04/04 10:29 PM
It can come from a www page, a mail sent to you... so it doesn't have to be from mIRC. It can even be included in some programs you have been installing lately.

if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }
#76438 08/04/04 10:39 PM
Thanks Sparta, now you mention that, I was on a site the other night and a box popped up that said it was downloading something, grrrrrrrrrrrrrrrrrrrrrrrrr. So if Trend said it deleted it, does that mean I have got rid of it?

#76439 08/04/04 10:47 PM
I suppose so. If you didn't scan your computer online, then do so here.

if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }
#76440 08/04/04 11:50 PM
I did scan with Trend, that's who picked it up in the first place, but being a paranoid owner of a sick computer I'm scanning again. Thanks again for your advice.

#76441 09/04/04 01:02 AM
-General Reply-

In an attempt to stop people asking if they're infected or not, please read this before posting any more! This is just a summary of everything I can think of, gathered from other people's good advice throughout this thread and some areas off this thread.

Question: What's this all about?

People are finding that, when using Trendmicro's Housecall virus scan they are experiencing a virus detection of malware.Bkdr_Ircflood.X. CtrlAltDel posted a link to more technical information about this infection.

ParaBrat has pointed out before, there are two main issues with this situation:

1) Trendmicro virus scan is detecting that you are infected with malware.Bkdr_Ircflood.X. If this is the case, clean your system exactly as is told to you by Trendmicro.

2) Trendmicro virus scan is detecting that you are infected with malware.Bkdr_Ircflood.X and you have followed all of the instructions and you can't find any of the problems that it says you should have OR you scanned before, and cleaned everything, and it still detects you as infected.

I suggest you use the resources in this thread and choose an antivirus or trojan scanner other than Trendmicro. I would personally recommend AVG, The Cleaner AND Ad-Aware.
If ALL 3 of these programs say you are not infected with any backdoors (or at least not with malware.Bkdr_Ircflood.X) then I would say you are not infected and Trendmicro is wrongly detecting you as being infected. If they DO detect that you are infected then you may not have followed the instructions properly or Trendmicro may not have detected all strains (versions) of the virus on your computer - so use those programs to remove the program, reboot, and once again scan with those 3 programs to ensure non-infection.

If you are finding that Trendmicro is detecting this virus and NO other virus scanners are, then it is fairly safe to assume you are not infected.
Please remember, we cannot tell you if you're infected or not, you must scan for yourself! We cannot tell if Trendmicro is or is not properly detecting the virus.

Question: How did I get infected?

This obviously only applies if there was actually an infection detected. Sparta made some good suggestions as to how people can get infected:

- You could have got this through an email attachment. It's a good idea never to open email attachments without scanning them with a virus scanner first, even if an email is from one of your friends (I have seen a lot of people say their "friends" have planted trojans on their computers for a bit of fun. It may be fun for them, but if they shut down your computer every 5 minutes, or accidentally delete an important system file because they don't know what they are doing, it might not be so fun for you!)
- You may have visited a website which has exploited you and planted this virus on your computer. It's best not to go to websites when you're not 100% certain of what's on them. You could visit a website and it automatically starts to download something - NO legitimate website on the entire Internet will do this, if you can, stop the download immediately.
- You may have installed a program recently that contains it. For your own security you should not install programs unless you know they are perfectly safe - this may include checking up on their security certificates and the company who has signed the download.

The above 3 ways could have happened even if you have not used IRC for a number of days, weeks, months or even years, and you are just coming back to using IRC. However, there are general computer safety guidelines you should follow, and also very IRC-specific guidelines you should follow to ensure you remain safe from viruses and you keep your private information private. Those may include:

- NEVER accepting files from people on IRC. Only accept files from trusted friends, 'trusted' meaning you've known them for months if not years, not because they've been nice to you for a few hours.

- NEVER typing suspicious things that people tell you to type, especially if they contain //write $decode or any other long form of what appears to be a jumble of letters and numbers.

- ALWAYS having an antivirus installed on your computer. If they have auto-protect features then have it enabled.

- ALWAYS having the latest updates from www.windowsupdate.com.

- ALWAYS having the latest version of your software. mIRC is an important one to have updated to avoid any exploits that may be found. You can always get the most up to date version at www.mirc.com/get.html.

The above should help you protect yourself from further infection. This does not mean it's impossible for you to be infected, so don't disregard any warnings that antivirus programs give you, but it gives you a good chance at not getting infected.

Question: So what's being done about this?

Trendmicro emailed ytytyt and told him that their 'virus doctors' are looking into the situation. They also said to add mIRC.exe, for now, into your Exception List so that Trendmicro does not detect a virus in it. See this page for details.
Until there is another reply from Trendmicro nobody can give a definite answer as to whether or not this is a 100% certain "false positive" in Trendmicro. There is also very little we can do, as IRC users, other than wait.

Question: Shall I stop using Trendmicro? Delete it?

No. Let's not forget Trendmicro is still a good virus scanner and highly recommended by many websites, virus help channels and many IRC helpers. There does seem to be a slight glitch in how it scans mIRC, but other than that, it's good at picking up viruses and is a good addition to your computer!
That said, do remember as always, no ONE virus scanner can detect, protect and remove every virus threat - new viruses are released into the wild everyday, there are hundreds of different types of viruses, trojans, backdoors etc. You need at least 2-3 virus/trojan scanners on your computer for effective protection.

Conclusion:

1) Scan your computer with Trendmicro.
2) If malware.Bkdr_Ircflood.X is detected, clean it.
3) After a reboot and following instructions carefully, scan again.
4) If Trendmicro continues to detect 'malware.Bkdr_Ircflood.X' use 2-3 other programs to scan your computer
5) If they find nothing, you're probably not infected!
6) If they do find something, clean your machine with those programs, reboot and rescan with those programs.

After that, you should be clean (once and for all!)

I hope this helps those people who browse this thread and prevents them from needing further help until Trendmicro gets back to someone about this issue =) - I by no means want to discourage people from posting if they have an issue, please do if you have more questions, but I think this post and the other posts throughout this thread answer a lot of questions that have been repeated and repeated!

Stay safe!

Regards,


Mentality/Chris
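Two posts in this thread point at the same check: ParaBrat's suggestion to look at your own mirc.ini and script.ini for anything that resembles a trojan string, and Mentality's warning about lines people tell you to type that contain //write $decode. The script below is an added example written for this page; it is not code from the thread, from mIRC, or from Trendmicro. It reverses the mime ('m') form of mIRC's $decode() so you can read what such a line would actually write into a script, then flags the commands a self-spreading script relies on (writing or loading scripts, JOIN handlers, dcc send, run, .exe references). The sample script, the list of risky patterns, and the choice to report but not decode mIRC's default uuencode form are all assumptions of the example, not something the thread states.

```python
"""Audit a mIRC script for $decode-obfuscated commands and risky event handlers.

Added example, not code from the thread or from mIRC. It unwraps the mime ('m')
flag of mIRC's $decode() so a reviewer sees the line the client would execute,
then applies a set of assumed heuristics for commands a worm typically needs.
"""
import base64
import binascii
import re

# $decode(payload[,flags]) as it appears in a script; only 'm' (mime/base64) is
# reversed here. mIRC's default uuencode form is reported but left encoded.
DECODE_RE = re.compile(r"\$decode\(\s*([^,()]+?)\s*(?:,\s*([A-Za-z]*))?\s*\)")

# Assumed heuristics: commands and events a self-spreading mIRC script relies on.
RISKY = [
    (re.compile(r"^\s*/{0,2}write\b", re.I), "writes to a file, typically a script"),
    (re.compile(r"\bload\s+-r", re.I), "loads a script at runtime"),
    (re.compile(r"\bon\s+\S*:JOIN:", re.I), "triggers automatically when someone joins"),
    (re.compile(r"\bdcc\s+send\b", re.I), "sends a file to another user"),
    (re.compile(r"(^|[\s/|])run\s", re.I), "launches an external program"),
    (re.compile(r"\.exe\b", re.I), "references an executable"),
]


def decode_mirc(payload: str, flags: str):
    """Plaintext of a $decode(payload, m) call, or None if not mime or malformed."""
    if "m" not in flags.lower():
        return None
    try:
        return base64.b64decode(payload, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def expand_decodes(line: str, max_depth: int = 5) -> str:
    """Replace each decodable $decode(...) with its plaintext, repeating so that
    nested encodings are unwrapped too; undecodable calls are left in place."""
    def replace(match):
        text = decode_mirc(match.group(1), match.group(2) or "")
        return match.group(0) if text is None else text

    for _ in range(max_depth):
        expanded = DECODE_RE.sub(replace, line)
        if expanded == line:
            break
        line = expanded
    return line


def audit_script(text: str):
    """Return (line number, reason, line as the client would see it) per hit."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = expand_decodes(raw)
        if DECODE_RE.search(raw):
            findings.append((number, "hides text behind $decode", line))
        for pattern, reason in RISKY:
            if pattern.search(line):
                findings.append((number, reason, line))
    return findings


# Constructed sample script: a benign alias and event, a line that hides a JOIN
# handler behind $decode, a plaintext handler that calls shutdown.exe, and a
# $decode of a variable that cannot be resolved statically.
_HIDDEN = "on *:JOIN:#:{ dcc send $nick mirc.exe }"
_MIME = base64.b64encode(_HIDDEN.encode()).decode()
SAMPLE_SCRIPT = "\n".join([
    "alias greet { echo -a hello $nick }",
    "on *:TEXT:*hi*:#:{ msg $chan hi $nick }",
    "//write script.ini $decode(" + _MIME + ",m)",
    "on 1:JOIN:#:{ run c:\\windows\\system32\\shutdown.exe -s -t 00 -f }",
    "alias mystery { echo -a $decode(%payload) }",
])

if __name__ == "__main__":
    for number, reason, line in audit_script(SAMPLE_SCRIPT):
        print(f"line {number}: {reason}\n    {line}")
```

Point it at a real script.ini rather than the sample and read the decoded column: a raw-text match would never see the JOIN handler on line 3, because in the file it is only a base64 blob. A decoded handler that sends files on join is reason to quarantine the whole script, not just the line, and the $decode of a variable on line 5 is exactly the case a static check cannot settle, which is why it is reported separately.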
#76442 09/04/04 11:07 PM
I use Norton AntiVirus 2004. After I got that "virus" I noticed my Norton was disabled and the AutoUpdate was turned off. I used TrendMicro's free online scan to see what was the problem. I couldn't run nearly any .exe. I checked the registry to see if there was anything wrong. It looked fine. Then I went to Norton's website, and it found something wrong with the registry (the exact thing I checked, as if it were hidden or something). It cleaned it all up. Then I tried installing mIRC again and running it. It came back. I recently did a scan again. Found a WORM in my computer. My antivirus would have caught it, but for some reason it didn't. I think that the IRCFLOOD thing allowed it to come into my system, if not installing it itself. My system hasn't fully restored itself yet. Every time I would close something I use daily, an error would pop up.

And even now, i ran an old version of mirc from a CD, and the virus became active again. Is there a way to fully remove it?

I think that the mirc versions that have it, should be removed from the website. It seems to open up a port, that may be how i got the worm. Also, could you guys put an older version that doesn't have it, on the website please? I think you guys don't support the older versions right? Just put the disclaimer saying that you don't support it, and not to email you. It would be greatly appreciated. I have to run Trillian's IRC now, and i hate it.

Also: ever since that happened, I can't receive downloads from anyone. I don't understand why, at all. Please, any suggestions and help would be greatly appreciated.

#76443 09/04/04 11:23 PM
"My antivirus would have caught it, but for some reason it didn't."

Many viruses nowadays actually manage to disable or evade certain antiviruses because people who release the virus code it to do so - that is why on this board we are constantly suggesting that people use more than one antivirus, to try and scan your computer from more than one angle. No one virus scanner can detect anything.

The mIRC download mirrors on www.mirc.com/get.html are perfectly safe - there are NO worms, backdoors, viruses, trojans or anything else malicious on those download mirrors or in the installer package that comes with it. Refer to the "How did I get infected" question in my last post (did you read that by the way?). You will also find a version 5.91 (the last 16-bit version of mIRC) on that download site. You can download old mIRCs from many websites, simply search Google, although I would strongly advise against it.

As I also said in my last post, *WE* cannot tell you if you have a virus or not - we have no access, remote or otherwise, to your computer (nor do we want that) and many of us are not virus professionals or anything. You need to scan your computer with several virus AND trojan scanners, and preferably spyware scanners to try and clean yourself.

If you're having problems with DCC receiving then make sure it's definitely *your* problem, usually it's the sender's end. Try receiving files from 4-5 different people. If it doesn't work with any of them, try reading http://www.mirc.co.uk/help/getproblems.html or run a search on the forums for "DCC" or "DCC Get" and expand to 'All Forums' and 'All Posts' for best results. This is probably not related to any infections you have, although a possibility.

Regards,


Mentality/Chris
#76444 10/04/04 12:26 AM
Quote:
Many viruses nowadays actually manage to disable or evade certain antiviruses because people who release the virus code it to do so


Sadly, most of the time this could be avoided if those who are using NT-based versions of Windows didn't in fact operate their computers as a user with full Administrator privileges.

If you operate your computer as a restricted user, download an infected file, and then execute the virus, it will be run with your permissions. So it will NOT be able to deactivate your AV software, it will NOT be able to write to the filesystem (except perhaps the C: root and any directories you have write access to) and it will NOT be able to deliver a destructive payload. The only viruses that COULD would be the ones that are gained through a system insecurity, a la MSBlast.

People need to sandbox themselves before any AV software and firewalls can be optimally effective.

#76445 11/04/04 11:28 AM
asa
Hi everyone, I for one am POSITIVE that I am in fact infected with this virus. I opened a malicious link (the link was to something.txt but the .txt was just the name of the directory the exploit was in) that an infected user had sent me. After being infected, and many obscenities later, I discovered how it had gotten to my computer without me accepting any files.

The link uses a VBScript exploit in IE which drops a .exe which has several files packed in it. The files inside are "Load.dll", "fix.bat", "mirc.exe", and "shutdown.exe". Load.dll I assume contains APIs for mirc.exe. Shutdown.exe is an auto-extractor which inside contains a shortcut to "%windir%\system32\shutdown.exe -s -t 00 -f". This simply shuts down the user's computer instantly (-t 00) and forces the shutdown (-f). As of now, I have no idea whatsoever what mirc.exe does (useful, huh?); I assume this carries the payload and is what changes the registry entries noted in the Trendmicro virus information. It is NOT a modified mIRC client, as I have run it myself and nothing seems to run, and I have monitored any open ports for a silent mIRC client. fix.bat simply deletes the aforementioned files, including itself, and only contains:

    del c:\load.dll
    del c:\shutdown.exe
    del c:\mirc.exe
    copy c:\windows\notepad.exe c:\windows\system32\
    del c:\fix.bat

Why it copies notepad to system32, I have no clue.

ONLY after being infected with this virus have I received the detection of Ircflood.X by Housecall.

#76446 11/04/04 12:32 PM
Hmm. I have notepad in both system32 and winnt directories and I am not infected (win2k). Odd.

#76447 11/04/04 12:43 PM
It is in XP too.

#76448 11/04/04 05:26 PM
Hi there asa

A couple of posts ago I did state:

- A link to more technical information that Trendmicro had released.
- We can do nothing about whether you're infected or not, nor explain why the virus does what it does
- That Trendmicro does correctly detect the infection, but does also detect it incorrectly on clean machines.
- That Trendmicro's 'virus doctors' are looking into the matter.

Excuse any arrogance, but I don't see the need for constant posting of people informing us that they're infected or not, and re-answering questions that have already been answered several times!

Also, it's best not to post the same post in two threads which relate to the same thing.

Stay safe

Regards,


Mentality/Chris
#76449 13/04/04 08:21 PM
Alright. I just finished pretty much EVERY post here and on that other website thread.

Let start by saying that this is 90% NOT a FALSE POSITIVE.
It's a mIRC backdoor/worm that's extremely difficult, if not impossible, to get rid of.

Like everyone else, housecall will find on my computer 'malware.BKDR_IRCFLOOD.X' trojan and simply report its successful identification and removal.

About a week ago I got a PM from a friend on a channel where I idle all the time.
It had a couple of lines like "sap" and "hi", then followed by a link to a flash animation poking fun at Microsoft Windows.
Other people reported a link to a .jpg file or even a .txt file.
I did a Norton AV scan immediately after since my buddy told me that it wasn't him pm-ing me, but he's infected with a trojan. Norton didn't find anything, and it's been almost a week since then my mirc was working just fine.

Yesterday I joined my usual list of channels and within 2 minutes started receiving suspicious messages from people all over whom I don't know.
Their replies were consistent with what the worm pm's other users, especially when some of them commented on the flash animation 'microsoft OS sux' and so on.
Of course, I would get kicked/banned from channels and servers.

I knew immediately my computer was infected for sure.
I scanned many times with housecall and other utilities. Only housecall finds it, supposedly 'removes' it, but it's back there next time I start mirc.

My conclusion is that Trendmicro/Housecall is not mistaken, but it simply doesn't know (yet) how to properly remove this serious threat. And all of you who think you are safe just because your mIRC seems to be working fine, think twice.
I would say that the clever design of the worm allows it to 'sleep' for a few days and then start causing troubles.

I'm not going to take chances with this worm, since as reported by trendmicro, it not only affects mirc behaviour, but it can also record my activity online, steal passwords and use my computer for DDOS attacks.

For now I'm booting into my linux install until I get time to do this and also install a hardware router/firewall.

I'll try one other thing mentioned on boards and let you know final result, although I'll still format, it's just too risky.

Good Luck.
