VBS/Karma Hotel Worm

Description:
This worm exploits a vulnerability in Internet Explorer that allows a script to run malicious code without prompting the user. When a computer running a vulnerable version of IE visits any web page that contains this exploit, the code is run and the computer is infected. It is one of the few cases you can become infected by a Trojan without knowingly running a file. The most common versions of this Trojan create a mIRC script and modify the mirc.ini file so that the script will be loaded next time mIRC is started.

Technical Details:

The worm creates three files:

  • rol.vbs (deleted at end of script)
  • winamod.dat (also deleted at end of script)
  • server.ini (contains a mIRC script)

Modifies:

  • mirc.ini

The trojan searches for any folder that has the mIRC program in it, and drops that file into the folder and modifies mirc.ini so the script is loaded next time mIRC is run. When the mIRC client connects to a network and joins a channel, the script advertises the site it was downloaded from, enticing others to visit with promises of porn or other temptation. This is done with an “on event” trigger that is built into the mIRC client as part of a legitimate scripting feature. Some variants actually deliver the promised material on the site they are on to deflect attention away from what is happening to the host computer.

These scripts vary in what they do, and are becoming more aggressive with each new variant. The latest scripts contain interactive coding that allows the scripter control over the host machine, including causing the infected machine to participate in DDOS attacks. Some variants disable the /remove
and /remote commands in mirc by creating an alias like: n23=alias /remote /remote $1- | .remote on | /ignore $me This will hinder someone from trying to help the user if they have them type /remote off to disable the script. Some versions will create actual sockets and use the mirc client to message their spam using a nick like Guest##### where # is any digit between 0 and 9. If you are infected by one of these variants, you should use the /sockclose * command in mirc to ensure that any sockets that were in use are closed and freed up for other legitimate programs.

Solution:
Mirc open:
First close any sockets mirc may have opened by typing in any mirc window
“/sockclose *” without the quotes. Then hold down the alt key and press R to open your remote section. Click view, locate server.ini and click on it. Then click File – Unload. Do that for each server.ini you have listed as you can have multiple scripts loaded. It is not recommended you try and clean using mirc commands in the edit box due to the aliases being written in the newer versions. Once all copies of server.ini are unloaded, search the fixed drives and delete every copy found.

Mirc Closed:
If you have not yet closed mirc, type /sockclose * in the edit box of any mirc window to close any sockets left open by the malicious script. With mIRC closed search for and delete every copy of server.ini in mirc folders that you find. The file servers.ini is a legitimate mirc file and does not need to be deleted. Edit and remove the server.ini entry from the mirc.ini file under the
[rfiles] heading.

Regardless of which method you choose, the single most important instruction after cleaning is to get the patch from Microsoft so you don’t get reinfected.

For windows versions ME/2000 and higher click Start – Windows Update. When your browser has loaded the page choose Product updates. To ensure that you’re able to view Windows Update, select Yes in any “Security Warning” dialog boxes that appear.

For windows 9x, Microsoft no longer supports the auto update feature, so you need to go to the windows update website and get all the security patches for your operating system.