[General] Security Note - A nasty old IRC Worm is back

Posts: 3

Post by DJValentine »

Issue description
As has already been known for about a week now, the nasty IRC Worm, the one claiming to be a girl with the ASL "23\f\Anover", is haunting Undernet's big channels again. Due to this, make sure you add a little extra security to yourself and think before you accept anything from anyone.

General description of the nicks you should be extra careful about
A girlnameAge nickname, with a girlnameAge ident and a girlname realname, all three used with no capital letters.
~ ex: Marcia82 is Marcia82!natalie32@hostname.domain natalie
In most cases the real name matches the ident, and the number present in the nickname and ident is formed of 2 characters. See the example above: "82" and "32".

Short story presented below. READ !!!
Illustrating the Dangers of IRC
by Joe Stewart, Senior Security Researcher at LURHQ

Consider the following scenario. One of your users (we'll call him Harry) is on his lunch break and wants to stop in his favorite chat room and talk about his morning so far. He connects to the Undernet Internet Relay Chat (IRC) network and joins the chat room called "#channel". Today he notices a new user sitting in the chat room who goes by the nickname Marcia82. Their conversation goes as follows:

[Marcia82] hi :)
[Harry] Hi there :-)
[Marcia82] how are you?
[Harry] I'm fine. How are you today?
[Marcia82] 23/f/Anover
[Harry] 29/m/NYC
[Marcia82] do u have a pic? this is mine

With that, a window pops up on Harry's screen offering a file transfer from Marcia82 - a file named "Old-me.zip". Harry accepts the download, anxious to see a picture of the young woman he has been chatting with. He unzips the file and finds a single file inside, named "Old-me.scr". Harry is unfamiliar with that filename extension. He knows he should not run suspicious EXE files, but what is an SCR file? He decides it must be some kind of image file like a JPEG or GIF, but to be on the safe side, he decides to scan it with his desktop antivirus scanner just in case. He checks to make sure that the virus definitions are current. They were updated an hour ago, so he proceeds with the scan of the file. It comes up clean. Thinking the file is safe to open, he double-clicks the icon.

An Internet Explorer window opens on his desktop and displays a normal picture of a somewhat bored-looking young woman staring at her web cam. Harry decides to continue the conversation, but Marcia82 is no longer talking. Thinking she must have stepped away from the keyboard, Harry finishes his tuna-salad sandwich while waiting. When lunch is over, Harry says a final "See you later" in the chat window before shutting it down and getting back to filing his daily reports.

What Harry doesn't know is that he is now infected by a backdoor Trojan. Is Marcia an evil hacker? No, Marcia is a worm - a malicious program, which spreads from computer to computer on its own. In this case it uses social engineering to fool the user into thinking they are chatting with a real human being. Once the program is run, Harry's computer connects to IRC on its own and assumes the identity of Annie93. Harry's computer now lies in wait for more victims to prey upon. The hackers that control all the infected hosts from a secret chat room on the IRC network can now download additional remote-control programs to Harry's computer. They can read his files and email, sniff the network traffic, disable his antivirus software, delete files, or anything else they desire. For all intents and purposes, now they can utilize your internal network as if they were Harry.

This is not a made-up scenario; this is a real worm, which is spreading on IRC right now. The antivirus companies are not able to keep up with the number of variants being released every day. Unlike your average email virus, being up-to-date on your virus definitions won't stop this. Unlike the latest Internet Explorer exploits, being up-to-date on your patches won't stop this. The only thing stopping IRC users on your network from being infected is their own level of expertise. Ask yourself, would your users be taken in by the conversation above, or would they recognize the malicious intent?

Sometimes, but not very often, when LURHQ is integrated into a new network, we discover a very lax outbound policy on the firewall. In these cases employees are allowed to use any port or protocol outbound. The idea of keeping the "bad guys" out while allowing the "good guys" full access is archaic at best and is a dangerous proposal indeed. If you are allowing full outbound access for your users, you are at risk from the scenario above, which is just one of many. The moral of the story is stay abreast of the latest threats, define strict firewall rule-sets and work to raise the security awareness inside your organization
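
The nick/ident/realname pattern described at the top of this post (first name plus two digits in both nick and ident, real name equal to the ident's name part, no capitals) can be turned into a quick triage check that a channel op or bot owner runs over join logs or WHOIS output. The following is an added example written for this thread, not code from the post or from LURHQ; the userline format `nick!ident@host realname`, the flag threshold of three matching indicators, and the sample lines other than the post's own `Marcia82` example are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# A userline as it appears in a WHOIS reply or a join log line (assumed format):
#   nick!ident@host realname
MASK_RE = re.compile(
    r'^(?P<nick>[^!\s]+)!~?(?P<ident>[^@\s]+)@(?P<host>\S+)(?:\s+(?P<realname>.+))?$'
)
# "girlname + 2 digits", e.g. natalie32 / Marcia82 (case-insensitive: the post's
# example nick starts with a capital even though the text says no capitals)
NAME_NUM_RE = re.compile(r'^([a-z]+)(\d{2})$', re.IGNORECASE)

# Number of matching indicators before a userline is flagged for a closer look.
# The threshold is an assumption chosen so that one indicator alone never triggers.
FLAG_THRESHOLD = 3


@dataclass
class Verdict:
    nick: str
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return len(self.reasons) >= FLAG_THRESHOLD


def parse_userline(line: str):
    """Split 'nick!ident@host realname' into its parts; realname may be absent."""
    m = MASK_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a nick!ident@host [realname] line: {line!r}')
    return m['nick'], m['ident'], m['host'], (m['realname'] or '').strip()


def assess(nick: str, ident: str, realname: str) -> Verdict:
    """Apply the indicators from the post and collect the ones that match."""
    v = Verdict(nick)
    nick_m = NAME_NUM_RE.match(nick)
    ident_m = NAME_NUM_RE.match(ident)
    if nick_m:
        v.reasons.append('nick is a first name followed by two digits')
    if ident_m:
        v.reasons.append('ident is a first name followed by two digits')
    if ident_m and realname and realname.lower() == ident_m.group(1).lower():
        v.reasons.append('realname equals the name part of the ident')
    if ident.islower() and realname and realname.islower():
        v.reasons.append('ident and realname contain no capital letters')
    return v


def classify(line: str) -> Verdict:
    nick, ident, _host, realname = parse_userline(line)
    return assess(nick, ident, realname)


def scan(lines) -> list:
    """Return the nicks from a batch of userlines that cross the threshold."""
    return [v.nick for v in map(classify, lines) if v.flagged]


# Constructed sample: the first line is the post's own example, the second reuses
# the nick the worm adopts in Stewart's story, the last two are ordinary users.
SAMPLE_LINES = [
    'Marcia82!natalie32@hostname.domain natalie',
    'Annie93!sandra21@dialup-12.example.net sandra',
    'Harry!~harry@office.example.com Harry Smith',
    'bob!bob@home.example.org bob',
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        v = classify(line)
        print(('FLAG ' if v.flagged else 'ok   ') + v.nick, '; '.join(v.reasons))
```

The check is deliberately a triage aid rather than an auto-ban rule: a real user whose nick and ident happen to follow the same pattern collects the same indicators, so the verdict is something to look at, not something to act on blindly.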

Posts: 408
Location: Southeast Asia, Philippines

Post by lemuel »

That's another story of a so-called 'worm'. Afaik, lots of users don't know some file extensions and that's why they get infected through it. This is not a simple problem for new IRC comers.. they don't even know whom they're chatting with (except for those knowledgeable users). There is lots of SPAM spreading today and I encounter things just like this (sending you files).

SCR ( .SCR ) - File Extension Information
Extension: SCR ( . SCR )

SCR is the file extension for the Screensaver file format associated with Microsoft.

It is a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the file extension is .ZIP

The moral of the story is stay abreast of the latest threats, define strict firewall rule-sets and work to raise the security awareness inside your organization

Right, everyone's level of expertise comes into play in this situation. Why should you accept files from users whom you don't know? Oh yeah, 'newbies' always do that.. First things first: NEVER ACCEPT FILES FROM USERS WHOM YOU DON'T KNOW, unless you know what you're doing, or you may try at your own risk.

I love Maria Katrina Rey
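
The point of lemuel's post and of Stewart's story is that a `.scr` file is a Windows executable (the screensaver format), that it arrives inside a ZIP (possibly zipped twice), and that it is offered through a DCC SEND. The following is an added example for this thread, not code from either post: it parses a CTCP DCC SEND offer, flags file names with executable extensions (including an image extension hidden before the real one) and lists the risky members of a ZIP before anyone opens it. The extension list beyond `.scr`, the sample offer line and the in-memory ZIP are my own constructions and assumptions.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click even when the icon looks like a picture.
# .scr is the screensaver format lemuel quotes; the rest is my own list of common
# executable extensions, not taken from the thread.
EXECUTABLE_EXTS = {'exe', 'scr', 'pif', 'com', 'bat', 'cmd', 'vbs', 'js', 'hta', 'cpl', 'lnk'}
IMAGE_EXTS = {'jpg', 'jpeg', 'gif', 'png', 'bmp'}
ARCHIVE_EXTS = {'zip', 'rar'}

# CTCP DCC SEND as carried in a PRIVMSG: \x01DCC SEND <file> <ip-as-int> <port> [<size>]\x01
# (standard DCC syntax; quoted filenames are allowed for names containing spaces)
DCC_SEND_RE = re.compile(
    r'\x01DCC SEND (?:"(?P<qname>[^"]+)"|(?P<name>\S+)) (?P<ip>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01'
)


def parse_dcc_send(raw: str):
    """Return the offer's filename/ip/port/size from a raw IRC line, or None."""
    m = DCC_SEND_RE.search(raw)
    if not m:
        return None
    return {
        'filename': m['qname'] or m['name'],
        'ip': m['ip'],
        'port': int(m['port']),
        'size': int(m['size']) if m['size'] else None,
    }


def filename_risk(name: str) -> list:
    """Reasons a file name should not be opened blindly (empty list = nothing noted)."""
    parts = name.lower().rsplit('/', 1)[-1].split('.')
    ext = parts[-1] if len(parts) > 1 else ''
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f'executable extension .{ext}')
        if len(parts) > 2 and parts[-2] in IMAGE_EXTS:
            reasons.append('image extension placed before the executable one')
    elif ext in ARCHIVE_EXTS:
        reasons.append('archive: inspect contents before opening')
    return reasons


def archive_risk(data: bytes) -> list:
    """List (member, reasons) for every member of a ZIP that filename_risk flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            reasons = filename_risk(member)
            if reasons:
                findings.append((member, reasons))
    return findings


def make_zip(members: dict) -> bytes:
    """Build a ZIP in memory (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample offer mirroring the story: Old-me.zip containing Old-me.scr.
SAMPLE_OFFER = 'PRIVMSG Harry :\x01DCC SEND Old-me.zip 3232235777 5000 12345\x01'
SAMPLE_ZIP = make_zip({'Old-me.scr': b'MZ placeholder, not a real program'})


def assess_offer(raw: str, archive: bytes = None) -> list:
    """Combine the filename check with a look inside the archive, if its bytes are at hand."""
    offer = parse_dcc_send(raw)
    if offer is None:
        return []
    findings = [(offer['filename'], r) for r in filename_risk(offer['filename'])]
    if archive is not None and offer['filename'].lower().endswith('.zip'):
        for member, reasons in archive_risk(archive):
            findings.extend((member, r) for r in reasons)
    return findings


if __name__ == '__main__':
    for item, reason in assess_offer(SAMPLE_OFFER, SAMPLE_ZIP):
        print(f'{item}: {reason}')
```

Listing the ZIP's members with `zipfile` reads only the central directory, so nothing inside is executed; a nested `.zip` member is reported as an archive to inspect, which covers lemuel's "doubly ZIPped" case. Note that this catches what the file *name* says, not what the bytes are, which is exactly why an antivirus miss does not make an unknown `.scr` safe.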

Posts: 3

Post by DJValentine »

It's not another story. It's a reality happening these days on Undernet.

This post is meant to be a security notice, as we are informing operators of other big channels to spread the news in their channels, inform their users and take measures.

It's the least we can do.

Posts: 1

Post by fox3311 »

Well, thank you guys - this makes sense - I've been noticing the same issue for a week now - I've posted in as many forums as I can - we need to make many users aware of this worm.

Be Gud!

Posts: 206
Location: bucharest

Post by Irku »

yo DJ that lame thingie u call worm is lame & old school. IRC is used to that. Most users don't ever get infected by old school crap. Btw there are lots of ppl capable of writing such stuff. Including me. I could make that girl have really hot nicknames, or even have a little chat with u before sending the ZIP. And of course, it will spread itself on lame computers all over the net. Not more than a few hundreds lame computers, though.

Posts: 164
Location: Bucharest, Romania

Post by YounGun »

There is nothing new about this.
This worm was never gone, but the number of clients infected with it has decreased - it still exists though.

Posts: 3

Post by DJValentine »

I would say the number of infected hosts exploded in the past week, since I have more than 1000 bans in my eggdrop's list for the channel in 8 days. :devil:

... and it keeps growing fast - about 100 - 200 new hosts/day :(

Maybe it's a new version of the virus. As described in the primary post, multiple versions of this IRC Worm exist, so it's quite possible a new one has been developed and put into action.

This one is sent in an archive (don't know yet) named "julyjuly.zip", which the worm/infected host tries to DCC send to you.

Maybe there isn't even a cure for it yet. I'm tempted to infect one of my PCs to see if there is an antidote for it. I don't know, it's a bit risky; I'll see about it.

So until we see signs of regression, all we can do is inform newbies, chan managers, ops and users of big channels (which are mostly affected) about this matter, through this post/security note. :)

Posts: 164
Location: Bucharest, Romania

Post by YounGun »

Ban infected clients and send them to #dmsetup or #vh for clean-up

Posts: 760
Location: Romania

Post by sirAndrew »

Topic moved to a proper Section.
sirAndrew @ Undernet.org

8 years on this forum and i'm still the #1 poster around.