Description:
This worm exploits a vulnerability in Internet Explorer that allows
a script to run malicious code without prompting the user. When
a computer running a vulnerable version of IE visits any web page
that contains this exploit, the code is run and the computer is
infected. It is one of the few cases you can become infected by
a Trojan without knowingly running a file. The most common versions
of this Trojan create a mIRC script and modify the mirc.ini file
so that the script will be loaded next time mIRC is started.
Technical Details:
The worm creates three files:
- rol.vbs (deleted at end of script)
- winamod.dat (also deleted at end of script)
- server.ini (contains a mIRC script)
Modifies:
The trojan searches for any folder that has the mIRC program in it,
drops server.ini into that folder, and modifies mirc.ini so the
script is loaded the next time mIRC is run. When the
mIRC client connects to a network and joins a channel, the script
advertises the site it was downloaded from, enticing others to visit
with promises of porn or other temptation. This is done with an
"on event" trigger that is built into the mIRC client
as part of a legitimate scripting feature. Some variants actually
deliver the promised material on the site they are on to deflect
attention away from what is happening to the host computer.
These scripts vary in what they do, and are becoming more aggressive
with each new variant. The latest scripts contain interactive code
that gives the scripter control over the host machine, including
making the infected machine participate in DDoS attacks. Some
variants disable the /remove and /remote commands in mIRC by creating
an alias like:
    n23=alias /remote /remote $1- | .remote on | /ignore $me
This hinders anyone trying to help the user by having them type
/remote off to disable the script. Some versions create actual
sockets and use the mIRC client to send their spam using a nick like
Guest##### where each # is any digit between 0 and 9. If you are
infected by one of these variants, use the /sockclose * command in
mIRC to ensure that any sockets that were in use are closed and freed
up for other legitimate programs.
Solution:
mIRC open:
First close any sockets mIRC may have opened by typing "/sockclose *"
(without the quotes) in any mIRC window. Then hold down the Alt key
and press R to open your remote section. Click View, locate
server.ini and click on it. Then click File - Unload. Do that for
each server.ini you have listed, as you can have multiple scripts
loaded. It is not recommended that you try to clean using mIRC
commands in the edit box, because of the aliases written into the
newer versions. Once all copies of server.ini are unloaded, search
the fixed drives and delete every copy found.
mIRC closed:
If you have not yet closed mIRC, type /sockclose * in the edit box
of any mIRC window to close any sockets left open by the malicious
script. With mIRC closed, search for and delete every copy of
server.ini in the mIRC folders that you find. The file servers.ini is
a legitimate mIRC file and does not need to be deleted. Edit mirc.ini
and remove the server.ini entry under the [rfiles] heading.
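The following is an added example, not part of this advisory and not a tool from the DALnet Exploits Team: a small Python helper that does the two checks the text above describes by hand. It reads the [rfiles] section of mirc.ini to find loader entries pointing at server.ini (leaving the legitimate servers.ini alone), produces a cleaned mirc.ini with those entries removed, and scans a remote script for the /remote-hijacking alias quoted earlier (the alias that redefines /remote, forces ".remote on" and ignores $me). All file contents in the block are constructed samples; the "n0=" key style for [rfiles] entries is assumed from the alias line quoted in the advisory.

```python
"""Inspect a mIRC install for server.ini loader entries and the /remote hijack alias.

Added example for this advisory; sample file contents below are constructed.
"""
import re
from pathlib import PureWindowsPath

# Indicators taken from the alias quoted in the advisory: an alias that
# redefines /remote, re-enables remotes, and ignores the local user.
INDICATOR_PATTERNS = {
    "remote_alias_hijack": re.compile(r"^n\d+=alias\s+/?remote\b", re.IGNORECASE | re.MULTILINE),
    "remote_forced_on": re.compile(r"\.remote\s+on\b", re.IGNORECASE),
    "ignore_self": re.compile(r"/ignore\s+\$me\b", re.IGNORECASE),
}


def parse_rfiles(ini_text: str) -> dict:
    """Return {key: filename} for every entry under the [rfiles] section of mirc.ini."""
    entries = {}
    in_section = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped.lower() == "[rfiles]"
            continue
        if in_section and "=" in stripped:
            key, _, value = stripped.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def suspicious_rfiles(entries: dict) -> dict:
    """Entries whose file name is server.ini; servers.ini is a legitimate mIRC file."""
    return {k: v for k, v in entries.items() if PureWindowsPath(v).name.lower() == "server.ini"}


def strip_rfiles_entries(ini_text: str, remove_keys: set) -> str:
    """Return ini_text with the given [rfiles] keys dropped; other sections are untouched."""
    out = []
    in_section = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped.lower() == "[rfiles]"
        elif in_section and "=" in stripped:
            if stripped.partition("=")[0].strip() in remove_keys:
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def scan_script(script_text: str) -> list:
    """Return the sorted names of indicators that match a remote script's text."""
    return sorted(name for name, pat in INDICATOR_PATTERNS.items() if pat.search(script_text))


# Constructed sample mirc.ini: one legitimate script plus an injected server.ini entry.
SAMPLE_MIRC_INI = """[mirc]
user=sample
[rfiles]
n0=myscript.ini
n1=server.ini
[dirs]
logdir=logs\\
"""

# Constructed sample server.ini built around the alias quoted in the advisory.
SAMPLE_SERVER_INI = """[script]
n23=alias /remote /remote $1- | .remote on | /ignore $me
"""


def clean_sample():
    """Find and remove the server.ini loader entries in the constructed mirc.ini."""
    entries = parse_rfiles(SAMPLE_MIRC_INI)
    bad = suspicious_rfiles(entries)
    cleaned = strip_rfiles_entries(SAMPLE_MIRC_INI, set(bad))
    return bad, cleaned


if __name__ == "__main__":
    bad, cleaned = clean_sample()
    print("suspicious [rfiles] entries:", bad)
    print("indicators in sample server.ini:", scan_script(SAMPLE_SERVER_INI))
    print(cleaned)
```

On a real machine you would read mirc.ini from each mIRC folder instead of the constructed sample, write the cleaned text back only after mIRC is closed (as the instructions above say), and delete the server.ini files the entries point to.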
Regardless of which method you choose, the single
most important instruction after cleaning is to get the patch from
Microsoft so you don't get reinfected.
For Windows versions ME/2000 and higher, click Start - Windows
Update. When your browser has loaded the page, choose Product
updates. To ensure that you're able to view Windows Update, select
Yes in any "Security Warning" dialog boxes that appear.
For Windows 9x, Microsoft no longer supports the auto update
feature, so you need to go to the Windows Update website and get all
the security patches for your operating system.
Additional information
You can test whether your computer is vulnerable to this exploit on
the DALnet Exploits Team pages; see the resources section below for
the URL.
Resources:
DALnet Exploits Team Browser Vulnerability Test
Microsoft Windows Update