The worm writes the following strings:
[rfiles]
n100=safe.ini
to the following file:
c:\mirc32\mirc.ini
It creates a file and writes its script to the file:
c:\mirc\safe.ini
This script performs the following actions:
When the user "uncahellmang" enters the channel, the worm transmits the following information about the infected machine to that user: IP address, version and type of operating system, current system date and time, and email address (from the mIRC configuration).
All users entering the IRC channel are sent the following message:
http://hammer.prohosting.com/~nemo2k/freesex.html
Visit this great NEW site now for 100% FREE Sex Pics And Movies. No Strings Attached
The worm then uses DCC to send a copy of itself:
c:\mirc32\dirtysexsluts.scr
The worm then opens a large number of TCP ports on the victim machine and informs "uncahellmang" about attempts to connect to these open ports.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the backdoor process.
- Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
c:\mirc32\dirtysexsluts.scr
c:\mirc\safe.ini
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
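A check for the artifacts named in this description (the [rfiles] entry in mirc.ini and the two dropped files), given as an added example that is not part of the original write-up. The function names and the sample mirc.ini fragment are constructed for illustration; the paths and the script name come from the text above.

```python
import ntpath
import os

# Paths and script name taken from the description above.
MIRC_INI = r"c:\mirc32\mirc.ini"
DROPPED_FILES = [r"c:\mirc32\dirtysexsluts.scr", r"c:\mirc\safe.ini"]
WORM_SCRIPT = "safe.ini"


def rfiles_entries(ini_text):
    """Return (key, value) pairs from the [rfiles] section of mirc.ini text."""
    entries, in_rfiles = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rfiles = line.lower() == "[rfiles]"
        elif in_rfiles and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return entries


def worm_entries(ini_text):
    """[rfiles] entries that load a script named safe.ini (any directory, any case)."""
    return [(k, v) for k, v in rfiles_entries(ini_text)
            if ntpath.basename(v.strip('"')).lower() == WORM_SCRIPT]


def scan_host(ini_path=MIRC_INI, files=DROPPED_FILES):
    """Check the local machine: (suspicious ini entries, dropped files present)."""
    hits = []
    if os.path.isfile(ini_path):
        with open(ini_path, encoding="latin-1") as fh:
            hits = worm_entries(fh.read())
    return hits, [p for p in files if os.path.isfile(p)]


# Constructed sample: a mirc.ini fragment after the modification described above.
SAMPLE_INI = """[rfiles]
n0=remote\\users.ini
n100=safe.ini
[afiles]
n0=aliases.ini
"""

if __name__ == "__main__":
    print("sample:", worm_entries(SAMPLE_INI))
    print("host:  ", scan_host())
```

The match is on the script file name only, so a hit is a lead to inspect: compare the script's content with the behaviour described above before deleting it.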
This worm spreads via IRC. It is a Windows PE EXE file. It is 11,264 bytes in size. It is packed using UPX. The unpacked file is approximately 50KB in size.
Installation
When launched, the worm copies its executable file as follows:
c:\mirc32\dirtysexsluts.scr
Payload