Class: IRC-Worm
Platform: DOS

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the "owner" (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources). Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided according to the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: IRC-Worm

This type of worm spreads via Internet Relay Chat. Like email worms, IRC Worms have two ways of spreading via IRC channels. The first involves sending an URL which leads to a copy of the worm. The second technique is to send an infected file to an IRC channel user. However, the recipient of the infected file has to accept the file, save it to disk, and open (launch) it.

Platform: DOS

No platform description

Description

Technical Details

This is a virus-worm that spreads through mIRC channels using an mIRC script, and that also infects HTML files so that remote computers can be infected when an Internet browser loads an infected HTML page.

The virus manifests itself on the 1st and 2nd of each month. It displays messages and then runs a video effect: using VGA functions, the virus switches the monitor colors from white-on-black to black-on-white and back. The messages are as follows:

Day 1st:
Only in your dreams you can be truly free!
~+DarK.MeSsiAh+~ written by SeptiC [TI]
Day 2nd:
Pure evil comes from within! ~+DarK.MeSsiAh+~
Written by SeptiC [TI]

The virus also supports a "protection" that disables its infection routines: when a virus copy is executed, it looks for the C:\_VAC.TXT file and, if that file exists, immediately returns to the host program. In that case the virus also displays the message:

You are protected by a devine power
~+DarK.MeSsiAh+~ will not touch your files

DOS COM and EXE infector

The main part of the virus is an ordinary parasitic DOS file infector. The virus is encrypted, and when an infected file is executed, the decryption loop restores the virus code to non-encrypted form and jumps to the main virus routine. The virus then searches for DOS COM and EXE files and infects them. While infecting, the virus encrypts and writes its code to the end of the file and modifies the file header.

The virus searches for files and infects them in the current directory, in the parent directories, and in the directory tree on all drives from C: to G:. The virus checks file names and does not infect COMMAND, ?GA*, ??NP* and ???GW* files; it runs the mIRC script infection routine if an MI* file (MIRC.EXE, MIRC32.EXE) is found; and it corrupts anti-virus files matching F-*, TO*, TB*, SC* and AV* (F-PROT, TBAV, SCAN, AVP) by overwriting them with code that displays the following message and returns to DOS when the overwritten file is executed:

~+DarK.MeSsiAh+~ a Digital Touch of DarKness! Written by SeptiC [TI]

The virus also deletes the ANTI-VIR.DAT file if it exists.

Infecting BAT files

The virus also searches for BAT and HTML files and infects them in the same directories. While infecting a BAT file, the virus appends DOS commands that replace the DOS "dir" command with two instructions: the first runs the virus dropper PORNO.COM, the second executes the real DOS "dir" command. As a result, every "dir" command also executes the virus dropper.

The virus creates its dropper file PORNO.COM in the Windows Command directory. To locate this directory the virus tries three variants:

C:\WINDOWS\COMMAND
C:\WIN95\COMMAND
C:\WIN98\COMMAND

If none of them exists, the virus drops the file in the current directory. The virus then opens the C:\AUTOEXEC.BAT file and infects it in the same way as other BAT files.

Infecting HTML files

While infecting an HTML file, the virus creates an infected dropper named PATCH.COM in the same directory and appends to the end of the HTML file a short block of HTML that displays the message:

Download The Latest Patch!
Click Here!

"Click Here!" is a link that, when activated, downloads and runs the PATCH.COM virus dropper. As a result, infected HTML pages are "continued" with a virus text that offers to download an upgrade but spreads the virus code instead.

mIRC script

The virus looks for an mIRC client installed on the system and creates a new SCRIPT.INI file in the client's directory. It checks six directories and does not drop its mIRC component if none of them is found:

C:\MIRC
C:\MIRC32
C:\PROGRAM\MIRC
C:\PROGRAM\MIRC32
C:\PROGRA~1\MIRC
C:\PROGRA~1\MIRC32

While infecting the mIRC client, the virus uses the same trick as other mIRC viruses: it overwrites the standard mIRC script file SCRIPT.INI with an infected one. When the mIRC client starts, it loads the infected script and follows its instructions.

The infected SCRIPT.INI contains several commands. The main one is the virus-sending instruction: whenever any user sends or receives a file, the virus sends that user its infected dropper file, PORNO.COM.

The virus also sends messages to the channel and to users on it. When an infected client connects to an IRC server, the virus sends the following message to the user with the nickname "SeptiC_dm":

I am your servant! I have been turned into a zealot of darkness

If the "D.Messiah" string appears in a message in the channel, the virus sends its own message to all users on the channel:

Only in your dreams you can be truly free!
~+DarK.MeSsiAh+~ Written by SeptiC [TI]

On the "666" string, the virus changes the channel topic (displayed in the header of the channel window), provided the infected user has sufficient privileges. The new topic reads:

~+DarK.MeSsiAh+~ a Digital Touch of DarKness! Written by SeptiC [TI]

On the "pray" text, the virus grants channel operator status to the user who posted it and sends this message to the channel:

I Obey my master! long live satan

On the "sacrifice" text, all infected users are kicked out of the channel with the message:

Your word is my command, Power to satan!
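As an added defensive example (not part of the Kaspersky description and not the virus's own code), the following Python checks files for the three infection traces described in the BAT, HTML and mIRC sections above: appended BAT lines that run PORNO.COM, the lure text and PATCH.COM link appended after an HTML page, and a SCRIPT.INI carrying the dropper name or the signature string. The sample file contents are constructed; the file names and matching rules are this example's assumptions.

```python
import re

# Strings quoted in the description above. The sample files, the file names
# and the matching logic are this example's assumptions, not the page's.
SIGNATURE = "~+DarK.MeSsiAh+~"
HTML_LURE = "Download The Latest Patch!"
DROPPER_RE = re.compile(r"\b(PORNO|PATCH)\.COM\b", re.IGNORECASE)

def scan_bat(text: str) -> list[str]:
    """Return BAT lines that invoke the dropper (the appended "dir" hook)."""
    return [ln for ln in text.splitlines() if DROPPER_RE.search(ln)]

def scan_html(text: str) -> bool:
    """True when the lure and a PATCH.COM link sit after the last </html>,
    which is where the description says the virus appends them."""
    end = text.lower().rfind("</html>")
    tail = text[end:] if end >= 0 else text
    link = re.search(r'href\s*=\s*["\']?[^"\'>\s]*patch\.com', tail, re.I)
    return HTML_LURE.lower() in tail.lower() and link is not None

def scan_script_ini(text: str) -> list[str]:
    """Return SCRIPT.INI lines that name the dropper or carry the signature."""
    return [ln for ln in text.splitlines()
            if DROPPER_RE.search(ln) or SIGNATURE in ln]

def scan_file(name: str, text: str) -> list[str]:
    """Dispatch on file name; an empty list means no trace was found."""
    upper = name.upper()
    if upper.endswith(".BAT"):
        return scan_bat(text)
    if upper.endswith((".HTM", ".HTML")):
        return [HTML_LURE] if scan_html(text) else []
    if upper == "SCRIPT.INI":
        return scan_script_ini(text)
    return []

# Constructed samples: one clean page and three files carrying the traces.
CLEAN_HTML = "<html><body><p>Welcome</p></body></html>\n"
INFECTED_BAT = "@ECHO OFF\nPATH C:\\DOS;C:\\WINDOWS\nC:\\WINDOWS\\COMMAND\\PORNO.COM\n"
INFECTED_HTML = CLEAN_HTML + 'Download The Latest Patch!<br><a href="PATCH.COM">Click Here!</a>\n'
INFECTED_INI = "[script]\nn0=; constructed sample\nn1=/msg $chan ~+DarK.MeSsiAh+~ Written by SeptiC [TI]\n"

if __name__ == "__main__":
    for name, text in (("AUTOEXEC.BAT", INFECTED_BAT), ("INDEX.HTM", INFECTED_HTML),
                       ("SCRIPT.INI", INFECTED_INI), ("CLEAN.HTM", CLEAN_HTML)):
        print(name, scan_file(name, text))
```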
