Virus Database

IRC-Worm.Loa

Description IRC-Worm.Loa

This is an IRC worm that spreads via mIRC channels. The worm code itself is a randomly named DOS EXE file. When it is executed, the worm copies itself with the LOA.EXE name to the Windows directory and registers this file in the system registry in the auto-run section:
LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices:
"Life of Agony"="loa.exe"

When the worm locates the MIRC.INI file, it writes to there several instructions that disable the mIRC security settings and creates its script file that contains commands that send the worm's EXE file to the channel.
The worm manifests itself as anti-virus programs that searche and delete the DM-Setup mIRC worm (the worm actually does delete DM-Setup files if they present on disks). It then displays the following messages:
You are about to scan your harddrive for the DMSetup virus, it is
crucial that you run this program without mIRC active, so if you
are still in mIRC at the moment, type /EXIT before you continue.
Press any key if mIRC is not activeall

The worm also displays other messages that depend on the current date:
PowerBit anti-virus v3.34, (C)opyrighted 1999 by PB Systems.
SHAREWARE - REGISTER?
YES!
Scan completed, no viruses were found.
The Ultimate Chaos Website 2 - http://sourceofkaos.com/homes/ultchaos
Visit me...
NOW!
Not detected.
WaReZ SCaNNeR bY oDELiOFiLThY [SuCK]... ViSiT #warez !
SeLF CHeCK:
oKeY
nO WaReZ wErE FoUnD aT DRiVe C: !!!
DrSolomon Anti-Virus Toolkit v10.00 - SPECIAL EDITION -
Scanning memory (DOSUMBHMAXMS)...
No viruses found in memory
No viruses were found.
ScanDisk 2.00, (C)Copyright Microsoft Corp 1981-1998.
Checking critical areas...
OK
No errors were detected.
Anti-Back-Orifice II.A, detects/removes all BO-instances from your system.
Checking registry...
BO was not found in the registry
System clean, visit http://sourceofkaos.com/homes/ultchaos for updates.
TERA SPOOF-INSTALLER VERSION 6.66
Checking shadow-RAM...
located at x0FA56D6A4h
Failed to install spoof, SPSOCK64.DLL missing.
WinGater by Terminatius [Finds installed WinGates at your system].
Locating registry:
REGISTRY.REG
No WinGates found, go to Undernet, #wingater for help.
Thunderbyte virus-detector v9.24, - (C) Copyright 1989-1999 Thunderbyte B.V.
SANITY CHECK:
OK!
No viruses were found.
Anti-Nuke written by cDc - Cult of the Dead Cow.
Checking V86 interrupts...
No polling detected
No nuke-programs found.
LOA''s Kill-DMSetup version 2.2, - SHAREWARE
Checking memory...
OK
Completed!
KILL-CIH v2.0. --> kills all known CIH-strains! <--
Memory check...
passed
CIH has not been detected at your system.

When the worm is started with the /SECRET argument, it displays the following message:
=[ Life of Agony 1.30, (c) 1998 by T-2000 / Immortal Riot ]=
Hi! I am the [LIFE OF AGONY] worm, and I''m gonna fuck you up REAL bad!
LIFE OF AGONY

IRC-Worm.Lucky

Description IRC-Worm.Lucky

This is a IRC worm that spreads through the IRC channel using mIRC and PIRCH clients for spreading. The worm appears on a computer as the LK7.EXE Windows program about 500K in length. When this file is executed by a user, the worm installs itself into the system, copies the LK7.EXE to the C:WINDOWS directory, then searches for mIRC and PIRCH clients in current, C:MIRC, C:MIRC32, C:PIRCH98 directories, and modifies IRC scripts there.
The worm also installs the ""Backdoor.NetBus" Trojan to the system. To do this, the worm keeps the Trojan's code in its body, extracts it from there, copies to the C:WINDOWS directory with IRCPATCH.EXE name, and executes it.
The worm contains the "copyright" text:
LUCKY B.R.D 1994-99 [LK-7]all
To spread through mIRC channel the worm creates the new script file LK7.INI and sets a reference to this file in the mIRC system script file MIRC.INI. The worm's script intercepts a set of events and uses them to spread its copy to channels and manifest itself:
on a new user joining infected channel, or on files transfer the worm sends its copy (the C:WINDOWSLK7.EXE file) to this user.
if the text "leave!!!" appears in channel, the worm sends to the channel the message "Your will is my command" and leaves the channel.
on "LUCKY !!" text the worm sends to the channel the message "I am a Lamer !!" and changes affected user's nick to "Lamer".
on "Die!!!" text the worm reacts with the "Be sure, I will commit suicide now .. RIP" message and leaves chat.
on "virus" and "virii" strings the virus sends to the channel the text I am infected with [LK-7]..By LUCKY B.R.D 1994-99.Win32 VIRUS".
and so on.
To spread its copy to mIRC channels, the worm also modifies the system registry keys that are responsible for mIRC events, and in some events, the worm also sends its copy to channels.
To spread to PIRCH, the worm creates the new script file EVENTS.INI that contains a command that sends a worm copy to all users that enter the infected channel.
Variants
There are several known variants of the original worm. They are crippled (infect only the mIRC client, for instance) and do not install backdoor files. They spread as files with the names:
"Lucky.b": CLICK-IT.EXE
"Lucky.c": APPOLO.EXE

IRC-Worm.Mabra.a

Description IRC-Worm.Mabra.a

This is a silly IRC worm that spreads through IRC channels using mIRC client for spreading. The worm appears on a computer as the DOS EXE file with MABRA.EXE, CDMAN.EXE, or GLADYS.EXE filename (depending on the worm's version), and about 14K in file size. When this file is executed by a user, the worm copies itself into C:WINDOWS, C:WINDOWSSYSTEM or C:WINDOWSSYSTEM32 directory (depending on worm version), and overwrites the mIRC script file SCRIPT.INI in the C:MIRC directory. The new script sends the worm copy to any user that enters an infected channel.
Depending on the system time, the worm erases the C:WINDOWSWIN.COM file.

IRC-Worm.Milbug.a

Description IRC-Worm.Milbug.a

This is an IRC virus-worm that spreads itself via mIRC channels. It appears as a MILBUG_A.EXE or MILBUG_B.EXE DOS EXE file about 10Kb in length. The file name depends on the worm version. When the worm file is executed, it overwrites the SCRIPT.INI file in the C:MIRC directory with its own script program that has just two instructions. The first one sends the following message to any new user in the channel:
I'm testing my millenium bug fix program. Receive it and test it

The second one sends the MILBUG EXE file to this user.
The worm does not have any dangerous payload and does not manifest itself in any other way.

IRC-Worm.MrWormy.1198

Description IRC-Worm.MrWormy.1198

This is a harmless encrypted parasitic virus-worm that spreads via mIRC and PIRCH chat channels. To install itself into the system, the virus patches chat-client scripts and creates the infected DOS COM file MYPIC.COM in the WINDOWS directory, and this file has Hidden and Read-only attributes set. The infected chat clients then will send this infected file to the chat channels.
To infect chat clients, the virus first of all checks and creates the EVENTS.INI file in the PIRCH98 directory. New EVENTS.INI sends the infected file C:WINDOWSMYPIC.COM, when a user enters the IRC channel.
If the PIRCH client was not found, the virus attacks the mIRC client. It checks and creates the SCRIPT.INI file in the MIRC directory. New SCRIPT.INI sends to channel the files C:WINDOWSMYPIC.COM and C:MIRCMIRC.INI.
The virus then appends to the end of a C:AUTOEXEC.BAT file the instruction that will activate the virus dropper C:WINDOWSMYPIC.COM each time the system reboots.
The EVENTS.INI script file in the infected PIRCH directory has just one instruction that sends to the channel that infected file. The SCRIPT.INI file in the infected mIRC is more complex and runs more actions:
- on entering any new person to the channel, he/she is sent by the virus dropper (the C:WINDOWSMYPIC.COM file)
- when "why me" appears in the channel (a user sends it), the script runs the mIRC timer that runs an attack on CTCP protocol to this user.
- when joining with a IRC server, the script sends the message to the user with "TPhunk" name on the same server:
I am alive

- on receiving the CTCP commands "blah", the script quits mIRC with the message:
I am Owned - TP ownes me

- on receiving the CTCP command "bye", the script starts the mIRC timer that once per second executes the COMMAND.COM file.
- on receiving the CTCP command "give", the script sends to this user the MIRC.INI file from the C:MIRC directory.
- on receiving the CTCP command "unf", the script runs on the computer a file that is specified in the command parameters.
- on receiving the CTCP commands "ya", the script sends a message to a user. Both the user and message are specified in the command's parameters.
- on receiving the CTCP commands "own", the script changes the window title to the following text:
You've been hax0red

- on receiving the text "mypic" from a user, the script in 30 seconds runs and attacks this user by CTCP protocol.
- on receiving the CTCP command "giveme", the script sends out a file that is specified in the command's parameter, i.e., the worm is able to steal data from remote computers.

Home