How Mirc send a file, analysis of DCC SEND process
//////////////////////////////////////////////////

by DoxtorL. /[T.I]/ August 2000.



Introduction:
~~~~~~~~~~~~~

Nowdays we see a lot of irc worms using the script language
provided by Mirc software. All these worms, of course, use
and abuse of the DCC SEND process. But who knows really how
the process does really works?

The following lines give you some infos.



Some tips about tc/ip stuff:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All your internet stuffs rely on the use of a DLL called
Wsock32.dll in win9x world (and nt?).

This DLL offers several functions (APIs) to be used by people
to write programs.
I don't want to describe all the APis and how to use them, but
to send and receive bytes to/from a remote machine, in asm you
need to use send and recv APIs; send to send, recv to receive
bytes :)

To communicate ,using Tc/ip protocol (a langage for computers to
exchange datas )

Two programs on different machines have to create a "socket" to com
municate. Sockets are virtual things, you can create several sockets
but you have one and only one modem running :)

A communication on internet is a chat between two sockets.

A socket, to communicate, needs three parameters:

local IP (easy known by system and programs) , port, remote IP

When you want to connect to IRC, Mirc opens one socket
sets parameters to IP and port of the irc server.
(port= 6660,6667,6668,7000 most of the time).

One socket is used to send /receive all messages from
IRC server.

Even if you have joined several channels, and you're
chatting with a bunch of guys and girls...all messages sent or
received use one socket and only one!. Don't expect to receive
messages that are not for you, the IRC server lets read you
only messages you have the rights to get.


DCC send :
~~~~~~~~~~

DCC stands for Direct Client to Client.

What does it mean?

When you exchange messages on irc all the stuff is processed by IRC
server. In fact your computer isn't directly chatting with sockets
of your friend's puters, it's chatting with a socket of the IRC server.

DCC is different, a DCC SEND or CHAT is a direct communication between
a socket of your puter and a socket of your friend's computer.

But i told you before to communicate, sockets need to have
the IP of the other puter and a port set. ( No need for a program
to provide the IP of the local puter)



To use DCC SEND, the two puters need to know the IP of each other and to
decide wich port they will use to communicate.


Here is the steps of DCC SEND process

C1= puter sending   the file
C2= puter receiving the file


C1 sends a notice to C2:

NOTICE lamerC2 :DCC send virus.exe (12.34.56.78)

this message will be send by a socket of C1

lamerC2     = nick of owner of C2
virus.exe   = name of the file to send
12.34.56.78 = IP of sender

This message is useless in fact, puter C2 don't use infos provided
in notice message to set the right parameters to create a socket
to receive the file.

You can change the IP (lame spoofing ;) ), but the server will show
C2 the nick of sender (C1)

Another message will be sent by C1:

PRIMVMSG lamerC2 :#1DCC SEND virus.exe 203569230 4566 739#1


PRIMVMSG is the command in IRC protocol to send message

What the fuck are 739,4566,203569230?

739  = size of file
4566 =port for the sockets (port is in range 1024-5000)
the last one is more harder to explain, but you have guessed, i hope, this
number contains infos about IP of the sender.

The IP of the sender is 12.34.56.78

    In hexadecimal: 0ch.22h.38h.4eh

    suppress the periods you get:

                    0c22384eh

    it's a 32 bits number, it' s the hexadecimal form for the
    decimal number 203569230 !
    Now you get the point ?


What is #1?

in fact, the message is an ASCIIZ string:

db   "PRIMVMSG",20h,"lamerC2",20h,":",01h,"DCC",20h,"SEND",20h
db   "virus.exe",20h,"203569230",20h,"4566",20h,"739",01h,0dh,0ah

so #1=01h

"20h"s are very important, supress the second 20h and the IRC server
 will not able to send the message to C2!


 Now C2 knows the port/IP to create a socket to communicate
 But C1 ignores the IP of C2!

 To learn the IP of C2, C1 uses winsock stuff

 In the process of DCC SEND, C1 is the server and C2 the client
 Before to send the two messages to the IRC server , C1 creates a socket
 the port is set to 4566 and that's all for the setting.

 This socket can't receive or send datas, cause no IP was provided.
 But the winsock lets the socket to be in listening mode.

 Wsock32.dll provides an API to set a socket in listening mode: listen.
 Don't make a confusion between receive and listen.

 Listen is only  : wait for an attempt of a socket of
 another computer to communicate on a port chosen by C1.

 When the socket created by C1 to listen detects the attempt,
 C1 accepts the communication and create a socket (using API
 accept of wsock32.dll).

 Now the socket has all the datas to start the communication.
 the step following is easy to guess.

 The socket created by C1 to communicate with C2 will send
 the datas of the file virus.exe, using the API send.

 But a problem occurs, we can't send more than 4096 bytes when we
 are using a send, we can't use several send at a time.
 We need to recv between two send.

 In fact, after every recv performed by C2, it will send
 the total numbers of bytes received, since the beginning
 of receiving process, to C1. (not only the bytes received
 after the last call to recv)

 Example: 00h,00h,02h,00h (bytes really sent by C2 to C1)

 200h bytes (=512) were received.


 Last thing, but not the least , Mirc on C2 computer
 will notice lamerC2 that the DCC SEND is completed only when the
 socket of C1 used to send the file will be closed or the
 time left for a socket to be receiving will be reach.





 Conclusion:
 ~~~~~~~~~~~


 I hope these few lines will help you to understand what is really
 behind a DCC SEND. i didn't deal with the resume protocol used
 by Mirc, you can find a description of it in Mirc help file.
 To experiment, tcip stuff i recommand the use of WinsockApiSpy
 a good tool to log what is sent or receive by an internet client
 and show you what APIs are used. (Hint: if you use it,
 maybe you will need to add the "set" commands in your autoexec.bat)



 Thanks goes to:

 Mdrg,mist,t00fic for their help

 Greets to:

 All people chatting on undernet virus channel
 you know who you are :)