EXPLOiTED
the new worm that is spreading through mirc PMs. Mircspeedup.exe at freewebs.com/mircupdate/mircspeedup.exe

I downloaded the app on my new 1.4 GHz lappy. Firewall saw activity on port 21: ftp.exe trying to connect to 68.82.96.***, a Comcast addy. I was thinking it would download a rootkit. ftp.exe stayed on a while. Then I never saw any new processes, services or anything.
MpR
So ? ( Insert Your Point Here Please )
xlulux
You didn't really explain this in much detail, i.e. (router logs, hex view of program). Did your AV pick it up? I saw a lot of IRC channels exclaiming it.
Gotisch
I still wonder why people download files from a link that 8 pp spam on you when you join a chan
JDog45
QUOTE (MpR @ Feb 8 2004, 04:41 AM)
So ? ( Insert Your Point Here Please )

I don't think you're going to get one...
saetji
I think he was just trying to inform us IRC users of what it does... I think
mrBob
maybe he wants help to remove it...

put your files in date order (instead of name or so)
then check all files from the date when you opened it
if you see any strange files, remove them and report here

don't think this will be very helpful.. but then again, we don't know what you want
EXPLOiTED
no no you fools. I'm saying that I dled it (you know, trying to be leet and all) and found out that it connects to an FTP. Never saw what it dled though or anything.. or what attacks it uses... therefore I thought someone would have already known or whatever.. doesn't matter
flashb4ck
r0fl that's a real nice discussion ;D
no I haven't heard about this worm
thanks 4 ya information, perhaps I'll click on the link if I am funny and want to infect me ;D


LÖL



gr€€tZ fL4Shb4Ck
justatemp
hmm

I don't get it.

Did you download this intentionally so you would get infected and try and find out what it does and maybe get some nice info about it?

Or do you mean by 'trying to be leet' that you were actually stupid and clicked the link thinking it would actually increase your download speed?

If you have the habit of clicking on every link you get sent, please give me your email or channel and name so I can have some fun with you

no offence hehe
Serhat
check your X: {windows drive} root
you'll see {probably hidden} memory.sys, tempboot.bat and winboot.exe or something
These are the bad guys...
memory.sys has an IRC script that will spam, if you use IRC, the same message like they did @ you. winboot is the virus you were talking about, and tempboot.bat has a batch file to connect to an FTP and download winboot.exe, the bad guy
I know this because a friend got the same and I told him to send me the files
Mouse
that website is broken so you need to attach that trojan here ok.

K1LL3RB0Y
QUOTE (Serhat @ Feb 11 2004, 06:34 PM)
check your X: {windows drive} root
you'll see {probably hidden} memory.sys, tempboot.bat and winboot.exe or something
These are the bad guys...
memory.sys has an IRC script that will spam, if you use IRC, the same message like they did @ you. winboot is the virus you were talking about, and tempboot.bat has a batch file to connect to an FTP and download winboot.exe, the bad guy
I know this because a friend got the same and I told him to send me the files

Yes that's right, and when ya open the files there is also a backdoor installed.
It is used by a hidden mIRC for remote scanning. Here ya find the stuff:

CODE

OK, ya don't know if ya still use the proggie. Well, PRESS CTRL+ALT+DEL
and search for MIRC32.exe. If that is there, KILL it. When ya did that and there is no more mirc32.exe in use, we go delete the stuff.
Have ya killed it????

OK, then search for the files
GO TO
c:\windows\system32\dllcache\
If ya see a DIR RAD in there, YOU MUST DELETE THE WHOLE FOLDER
maybe do a recheck and see if the following files are in it

code:--------------------------------------------------------------------------------
drw-rw-rw-   1 user     group           0 Feb  9 16:17 RAD

/RAD:
total 5780
drw-rw-rw-   1 user     group           0 Feb  9 16:17 .
drw-rw-rw-   1 user     group           0 Feb  9 16:17 ..
-rw-rw-rw-   1 user     group       12634 Feb  2 20:48 NT.DLL
-rw-rw-rw-   1 user     group      435200 Sep 29  2002 comload.exe
drw-rw-rw-   1 user     group           0 Feb  9 16:17 dat
-rw-rw-rw-   1 user     group       34304 Nov  2 00:03 hex.exe
-rw-rw-rw-   1 user     group       16384 Nov 19 16:16 hide.exe
-rw-rw-rw-   1 user     group      684032 Sep 20  2002 libeay32.dll
drw-rw-rw-   1 user     group           0 Jan 26 23:50 log
-rw-rw-rw-   1 user     group        3007 Feb  9 16:17 mirc.ini
-rw-rw-rw-   1 user     group     1682432 Nov  2 00:03 mirc32.exe
-rw-rw-rw-   1 user     group       69632 Jan 18  1999 oncrpc.dll
drw-rw-rw-   1 user     group           0 Feb  9 16:17 plugin
-rw-rw-rw-   1 user     group         909 Feb  9 16:17 remote.ini
-rw-rw-rw-   1 user     group       20480 Jan 12 01:34 start.exe

/RAD/dat:
total 53
drw-rw-rw-   1 user     group           0 Feb  9 16:17 .
drw-rw-rw-   1 user     group           0 Feb  9 16:17 ..
-rw-rw-rw-   1 user     group        1567 Jan 25 17:48 config.ini
-rw-rw-rw-   1 user     group       23755 Sep 20 20:41 language.ini
-rw-rw-rw-   1 user     group          74 Jan 23 21:13 pass.dic
-rw-rw-rw-   1 user     group          20 Jan 23 21:13 user.dic

/RAD/log:
total 0
drw-rw-rw-   1 user     group           0 Jan 26 23:50 .
drw-rw-rw-   1 user     group           0 Jan 26 23:50 ..

/RAD/plugin:
total 343
drw-rw-rw-   1 user     group           0 Feb  9 16:17 .
drw-rw-rw-   1 user     group           0 Feb  9 16:17 ..
-rw-rw-rw-   1 user     group      175616 Sep 28  2002 070-ntpass.xpn
--------------------------------------------------------------------------------

OK delete them FAST hehe
If ya get permissions to delete them, ya are safe again
BUT YOU ARE NOT DONE YET, 1 FINAL THING MUST BE CHANGED
Go to windows menu (start) EXPORT and press MSCONFIG
When ya did that correctly a new window will show. Go to the last window at BOOT
and search for a file CALLED start, disable that
When ya did that, press ok and you are done

BTW also when ya have a windows dir this is all the same, only the folder winnt is windows
the rest is the same

GOOD LUCK
AND BEWARE OF ANOTHER ACTION LIKE THIS

KillerBoy
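
An added example, not part of any post in this thread: a read-only check for the file names Serhat and KillerBoy report above, at the drive root and under system32\dllcache\RAD. The function names and the embedded excerpt are this example's own choices; the file names and sizes are taken from the posts.

```python
import os
import re

# File names reported at the root of the Windows drive (Serhat's post).
ROOT_IOCS = ("memory.sys", "tempboot.bat", "winboot.exe")

# Excerpt of the directory listing posted above (a few entries, not all of them).
LISTING = """\
/RAD:
-rw-rw-rw-   1 user     group       16384 Nov 19 16:16 hide.exe
-rw-rw-rw-   1 user     group     1682432 Nov  2 00:03 mirc32.exe
-rw-rw-rw-   1 user     group       20480 Jan 12 01:34 start.exe

/RAD/dat:
-rw-rw-rw-   1 user     group          74 Jan 23 21:13 pass.dic
"""

# Regular-file line: mode, links, owner, group, size, month, day, time-or-year, name.
ENTRY = re.compile(r"^-\S+\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")

def parse_listing(text):
    """Turn the ls-style listing into {relative path (lowercase): size in bytes}."""
    manifest, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/") and line.endswith(":"):
            section = line[1:-1]                      # "/RAD/dat:" -> "RAD/dat"
        elif (m := ENTRY.match(line)):
            manifest[f"{section}/{m.group(2)}".lower()] = int(m.group(1))
    return manifest

def scan(drive_root, windows_dir="windows"):
    """Return sorted (relative path, note) findings; windows_dir may be 'winnt'."""
    present = {n.lower() for n in os.listdir(drive_root)}  # listdir includes hidden files
    findings = [(n, "root file") for n in ROOT_IOCS if n in present]
    manifest = parse_listing(LISTING)
    cache = os.path.join(drive_root, windows_dir, "system32", "dllcache")
    for dirpath, _dirs, files in os.walk(cache):      # yields nothing if cache is absent
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, cache).replace(os.sep, "/").lower()
            if rel in manifest:                       # names compared case-insensitively
                same = os.path.getsize(full) == manifest[rel]
                findings.append((rel, "size matches listing" if same else "size differs"))
    return sorted(findings)
```

The check only reads directory entries and sizes; a name match with a different size is still reported, since the files may differ between infections.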