#77526 02/04/04 06:55 AM
Bowl of petunias (OP, Offline)
Joined: Apr 2004
Posts: 2
Can someone just tell me if this is a false positive or what???
I installed mIRC last week and this virus only shows up if I have been using mIRC???
I don't understand it?
And it only shows up with the HouseCall online virus checker?
Pred

#77527 02/04/04 07:02 AM
Fjord artisan (Offline)
Joined: Jan 2003
Posts: 428
See this thread.

IRCnet & DALnet @#travelersinn
:-: IRC for fun and relaxation :-:
#77528 03/04/04 06:38 AM
Bowl of petunias (OP, Offline)
Joined: Apr 2004
Posts: 2
Yes, I know, I have seen that, but can anyone tell us all if it is a hoax?????
All we want is yes or no.


#77529 03/04/04 07:52 AM
Hoopy frood (Offline)
Joined: Dec 2002
Posts: 3,127
Hoax? Nope. Beyond that, all we can tell you is that a virus by that name does exist and hence the possibility that you may be infected by it needs to be checked out. mIRC that you download from mirc.com in and of itself is not infected. What's on an individual's machine, we have no way of knowing. Whether or not a false positive is being triggered in Trend Micro products, until they tell someone they have confirmed that, all we can tell you is what they have so far told others: they are investigating that possibility. Keep checking the thread referred to for any updates. It's easier for those following the subject to look at one thread instead of several scattered about. That thread has links to info about that trojan and what files and registry entries to look for.


ParaBrat @#mIRCAide DALnet
#77530 07/04/04 05:05 AM
six (Offline), Mostly harmless
Joined: Apr 2004
Posts: 1
HouseCall creates a file "tsc.ptn" (pattern file) in your Windows folder. I'm assuming this file is similar to Norton's "definition" file, or perhaps this file is also being used to install other files needed to scan your computer.

Try changing the filename to "_tsc.ptn" and go back to http://housecall.antivirus.com and it'll give you an error "Error#101: Read generic pattern failed!" when you scan.

Common sense tells me this "tsc.ptn" file is safe and HouseCall just messed up on this one.

Edit:
To uninstall housecall:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=4577


Last edited by six; 07/04/04 05:30 AM.
#77531 11/04/04 11:27 AM
asa (Offline), Bowl of petunias
Joined: Apr 2004
Posts: 2
Hi everyone, I for one am POSITIVE that I am in fact infected with this virus. I opened a malicious link (the link was to something.txt but the .txt was just the name of the directory the exploit was in) that an infected user had sent me. After being infected, and many obscenities later, I discovered how it had gotten to my computer without me accepting any files.

The link uses a VBScript exploit in IE which drops a .exe which has several files packed in it. The files inside are "Load.dll", "fix.bat", "mirc.exe", and "shutdown.exe". Load.dll I assume contains APIs for mirc.exe. Shutdown.exe is an auto-extractor which inside contains a shortcut to "%windir%\system32\shutdown.exe -s -t 00 -f". This simply shuts down the user's computer instantly (-t 00) and forces the shutdown (-f). As of now, I have no idea whatsoever what mirc.exe does (useful, huh?); I assume this carries the payload and is what changes the registry entries noted in the Trend Micro virus information. It is NOT a modified mIRC client, as I have run it myself and nothing seems to run, and I have monitored any open ports for a silent mIRC client. fix.bat simply deletes the aforementioned files, including itself, and only contains
"del c:\load.dll
del c:\shutdown.exe
del c:\mirc.exe
copy c:\windows\notepad.exe c:\windows\system32\
del c:\fix.bat"

Why it copies notepad to system32, I have no clue.

ONLY after being infected with this virus have I received the detection of Ircflood.X by HouseCall.
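The self-cleanup batch file quoted in the post above is itself a checklist of what the dropper leaves behind. The following added example (not from the post or from any vendor tool) parses that batch text, derives the paths it deletes or writes, and checks them against a constructed host file listing so a responder can see which artifacts are present; the listing and the assumption that `del`/`copy` are the only commands are mine.

```python
"""Triage helper: turn a dropper's self-cleanup batch script into an
artifact checklist and test a host file listing against it.
Added example; FIX_BAT is the batch text quoted in the post, SAMPLE_HOST
is a constructed file listing."""

# Batch content as quoted in the post (reproduced here as a string).
FIX_BAT = """del c:\\load.dll
del c:\\shutdown.exe
del c:\\mirc.exe
copy c:\\windows\\notepad.exe c:\\windows\\system32\\
del c:\\fix.bat"""


def artifacts_from_batch(text):
    """Return the set of lowercase paths the script deletes or creates.
    'del X' marks X as a dropped file; 'copy SRC DST' marks DST as a
    created file (if DST is a directory, SRC's basename is appended).
    Only del/erase/copy are understood (assumption for this example)."""
    found = set()
    for raw in text.splitlines():
        parts = raw.strip().strip('"').split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd in ("del", "erase") and args:
            found.add(args[-1].lower())
        elif cmd == "copy" and len(args) >= 2:
            src, dst = args[0].lower(), args[1].lower()
            if dst.endswith("\\"):
                dst += src.rsplit("\\", 1)[-1]
            found.add(dst)
    return found


def check_host(listing, artifacts):
    """Return, sorted, the artifact paths that appear in the host listing
    (case-insensitive, exact path match)."""
    present = {p.lower() for p in listing}
    return sorted(a for a in artifacts if a in present)


# Constructed listing: two dropped files in the root, a normal boot file,
# and the legitimate mIRC install, which must not be flagged.
SAMPLE_HOST = [r"C:\load.dll", r"C:\mirc.exe", r"C:\boot.ini",
               r"C:\Program Files\mIRC\mirc.exe"]

if __name__ == "__main__":
    arts = artifacts_from_batch(FIX_BAT)
    print("artifacts to look for:", sorted(arts))
    print("present on host:", check_host(SAMPLE_HOST, arts))
```

Run against a real host you would feed it the output of a recursive directory listing instead of SAMPLE_HOST; a match on the root-directory paths, not on the normal install path, is what distinguishes the dropped copy from the real client.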

#77532 17/04/04 06:22 PM
Bowl of petunias (Offline)
Joined: Apr 2004
Posts: 2
This is not a hoax, nor is it necessarily a false positive. Also, it is not limited to mIRC. I'm using XP Pro and mIRC 6.01 and keep having the same crap as everyone else. No serious problems, just keep having it detected.

I checked my wife's computer, and she has it too. The funny thing there is that she doesn't have mIRC and never has. She goes into Yahoo chat sometimes, and it seems to spread through Yahoo as well. One interesting difference on her computer is this: people on Yahoo were using a variety of things to knock others offline. The majority of them wouldn't keep a person offline, and usually a reboot was the most extreme measure needed to fix the problem. However, one user kicked her so hard that she was entirely unable to sign back in to Yahoo.

Scanned, found, and removed bkdr_ircflood.x.
Rebooted, scanned again, and it wasn't there. After that, I was able to sign her back into Yahoo. Scanned again, still nothing. Went into a different chat for about an hour, scanned, still nothing. Went into the room she got booted from, found that same jackass user, harassed him, got booted, couldn't sign into Yahoo, scanned again and there it was. Until it's removed, she can't sign into Yahoo at all.

This makes me think of 2 things: either there are variants of it, or it's not specifically designed to do much for mIRC. Apparently it is shared on mIRC, but I think the malicious intent behind it might be more about Yahoo.

From talking to other Yahoo users, it doesn't seem to spread through Yahoo as rampantly as with mIRC. Info I've gathered from some good nerds on Yahoo says that it's given to one user or a group/room at a time, intentionally, and that those who make use of it are able to modify it in such a way that they can have it keep you offline (from Yahoo) or not. When not, they are able to read all of your private messages and email, among other things. They can hijack all your Yahoo/GeoCities stuff as well. One thing that Trend Micro says that 7 different people I talked to seem to disagree with Trend Micro on is the DDoS attacks. My friends say that what they've learned so far seems to indicate that this isn't yet a possibility with this trojan.

1 more detail: my wife's computer connects separately. We are not on a LAN or sharing a hub or anything. Her computer sees mine in the same way it would see anyone else's, so it's not possible that she got it from me.

If anyone else has an extra computer that does not have mIRC and they could try to duplicate what I've done, your input would be appreciated.

#77533 17/04/04 06:34 PM
Bowl of petunias (Offline)
Joined: Apr 2004
Posts: 2
Interesting... after having removed it again from my computer, then starting mIRC and scanning again while mIRC is running, I have a different result, like someone in the other thread: malware.worm_moega bkdr_ircflood.x
