Class IRC-Worm
Platform DOS

Technical Details

This is a virus-worm that spreads through mIRC channels by using an mIRC
script program, and attempting to affect HTML files to infect remote
computers when an Internet browser reads infected HTML pages.

The virus manifests itself on the 1st and 2nd of each month. It displays
messages and then runs a video effect. By using VGA functions, the virus
changes colors of the monitor turning it from white-on-black to
black-on-white and back. The messages are as follows:

Day 1st:
Only in your dreams you can be truly free!
~+DarK.MeSsiAh+~ written by SeptiC [TI]
Day 2nd:
Pure evil comes from within! ~+DarK.MeSsiAh+~
Written by SeptiC [TI]

The virus also supports a "protection" that disables virus infection
routines. When a virus copy is executed, it looks for the C:_VAC.TXT file
and immediately returns to the host program if such a file exists. The virus
also displays the message here:

You are protected by a devine power
~+DarK.MeSsiAh+~ will not touch your files

DOS COM and EXE infector

The main part of the virus is an ordinary parasitic DOS file infector. The
virus is encrypted, and when an infected file is executed, the decryption
loop restores the virus code to non-encrypted form and jumps to the main virus
routine. The virus then searches for DOS COM and EXE files and infects
them. While infecting, the virus encrypts and writes its code to the end of
the file and modifies the file header.

The virus searches for files and infects them in the current directory, in
the parent directories, and in the directory tree on all drives from C: to G:.
The virus checks file names and does not infect: COMMAND, ?GA*, ??NP*,
???GW* files; runs mIRC script infection routine if MI* (MIRC.EXE,
MIRC32.EXE) file is found; corrupts anti-virus files: F-*, TO*, TB*, SC*,
AV* (F-PROT, TBAV, SCAN, AVP) - the virus overwrites them with a code that
displays the message and returns to DOS when an infected file is executed:

~+DarK.MeSsiAh+~ a Digital Touch of DarKness! Written by SeptiC [TI]

The virus also deletes the ANTI-VIR.DAT file if it exists.

Infecting BAT files

The virus also searches for BAT and HTML files and infects them in the same
directories. While infecting BAT files, the virus writes to the end of the
file DOS commands that replace the DOS "dir" command with a set of two
instructions: the first runs a virus dropper PORNO.COM, the second executes
the DOS "dir" instruction. As a result, on any "dir" instruction the virus
dropper is executed.

The virus creates its dropper file PORNO.COM in the Windows Command
directory. To locate this directory the virus tries three variants:


If not one of them is valid, the virus drops this file in the current
directory. The virus then opens the C:AUTOEXEC.BAT file and infects it in
the same way as for other BAT files.

Infecting HTML files

While infecting an HTML file, the virus creates, in the same directory, the
infected dropper with the PATCH.COM name and appends to the end of the HTML
file a short set of HTML commands that display the message:

Download The Latest Patch!
Click Here!

The "Click Here!" is a link that downloads and runs the PATCH.COM virus
dropper, when this link is activated. As a result, infected HTML pages are
"continued" with a virus text that offers to download an upgrade, but spreads
the virus code instead.

mIRC script

The virus looks for an mIRC client installed in the system and creates a new
SCRIPT.INI file in the same directory. The virus looks for mIRC in six
directories and does not drop its mIRC component if none of the
directories is found:


While infecting the mIRC client, the virus uses the same trick as other mIRC
viruses do: it overwrites the standard mIRC script file SCRIPT.INI with
an infected one. When an mIRC client starts with an infected script, it accepts this
file and follows its instructions.

The infected SCRIPT.INI contains several commands. The main one is the
virus-sending instruction: when any user sends/receives any files, the
virus sends to this user its infected dropper file, PORNO.COM.

The virus also sends messages to the channel and users on the channel. When
an infected client connects to an IRC server, the virus sends the message to a
user with the "SeptiC_dm" nickname:

I am your servant! I have been turned into a zealot of darkness

If the "D.Messiah" string appears in a message in the channel the, virus
sends its own message to all users on the channel:

Only in your dreams you can be truly free!
~+DarK.MeSsiAh+~ Written by SeptiC [TI]

On the "666" string, the virus changes the topic of the channel (that is
displayed in the header of the channel window), if the infected user has enough privileges. The new topic string appears as follows:

~+DarK.MeSsiAh+~ a Digital Touch of DarKness! Written by SeptiC [TI]

On the "pray" text, the virus sets the channel operator mode to a user who
posts this text, and sends the message to the channel:

I Obey my master! long live satan

On the "sacrifice" text all infected users are kicked out of the channel
with the message:

Your word is my command, Power to satan!