On Windows NT/2000/XP: Task Manager reveals TWO processes named "taskmgr.exe" (one is the actual Task Manager and the other is a hidden instance of mIRC).
1) Close ALL mIRC instances
2) Run the removal tool
3) Reboot windows
BitDefender Virus Research Lab
This IRC backdoor has been sent to many addresses in email messages like the following:
From: "The Company Of BitDefender"
Subject: BitDefender Company
Date: Tue, 18 Jan 2005 05:30:14 -0800
We send you the best antivirus BitDefender ... please copy the software and have more security
on your computer;
Please copy this product from http://www.[...].ro/ and send us an email at
firstname.lastname@example.org and we can give you your cdkey product to register it!
Download Link1 : http://www.[...].ro/Film.exe
Download Link2 : http://www.[...].ro/Poze.exe
Greetings Tnx to : John Myle , Goordon Freeman & Bitman Forgivn
Film.exe is a WinRAR self-extract archive; when run, it extracts mIRC (a popular IRC client), the evil mIRC scripts and two DLL's (one for encryption/decryption and one for process/window hiding) in C:\WINDOWS\inf\digital, runs the extracted file taskmgr.exe (mIRC) and hides its window and its process (from Windows 9x Task Manager).
The scripts cause mIRC to connect to Undernet (with a nick chosen randomly from a list in nick.db and a hardcoded name that advertises a website) and join two channels; it accepts commands from an authenticated user; these commands include:
- setting voice/op/ban rights for other users on specified channels;
- sending messages to other uses;
- even a "help" command that reports the accepted commands.
The script also modifies win.ini to run the perverted mIRC at startup.
Most of the nicks in the list are Romanian. Texts in the script are in Romanian. The people on the channels joined by the infected users are Romanian. The origin is obvious.