Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Question
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 22 Oct 2005 09:34:23 +1300

Randall M wrote:

We have been dealing with an IRC/Mirc invation being installed on our
network. Looking for info on the possible ways it gets in to a network,
spreads and what ports to block beside IRC. Only real info was found
here:http://www.avira.com/en/threats/DR_IRCFlooder_3_details.html. I found
a handful of posts where people have had it hit them. Anyone have other
info on this. 

mIRC is used by all manner of "bad stuff", spread in all manner of 
ways.  If you know nothing more than that you have unexpected mIRC 
installs running on some machines then you really have not learnt 
enough about what you have to help us narrow the field much.


That said, such mIRC installs are always accompanied with one to 
several script files (conventionally with a .INI extension and in the 
same directory as the executable).  Snagging those and subjecting them 
to several different virus scanners should return some information 
about the likely malware family "your" mIRC installations belong to 
(unless you have something entirely new and novel...).

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]