New Warning ircN/mIRC Backdoor Bug
http://www.irchelp.org/mirc
This is a very serious problem.
Important Notice to mIRC Users - ini.script
This ONLY applies to those who use mIRC. If you need answers the BEST
place to get them is on #mirc. If you are detected running this
script you will be /msged by an op with a warning to leave the
channel and fix the problem. If you do not respond you will be
/kickbanned. If you return after the ban expires and still have not
corrected the problem you will be permanently banned until it is
fixed.
People using the popular mIRC shareware program for Web chat are learning first-hand what can happen when the Internet bugs out.
Antivirus researchers at IBM Corp.'s Watson Research Laboratories described on Tuesday details of a security flaw in the popular program that allows a malicious script file to be sent to users during an online conversation.
"You can use [the hole] to do anything you want to do," said David Chess, a researcher on staff with the antivirus group.
"So far, we have seen the security hole be used to take over chat channels and cause people to say embarrassing things."
Essentially, the hole makes it possible to send files to users in such a way that they become part of the mIRC software itself. The files, if they are scripts, can then be executed, enabling the attacker to take over the victim's computer.
The controlled computer can then be made to echo conversations to another channel, quit the chat room, alter its users list, and -- worst of all -- allow someone else access to its hard drive. The script file can also be used to send a copy of itself to another user.
So far, four different scripts exploiting the hole have surfaced -- the most infamous one called SCRIPT.INI.
Over the weekend, the creators of the mIRC program released an updated version [v5.3] with a simple fix that plugs the security hole. The new program gets around the problem by storing downloads and scripts in different folders.
"Hopefully, the new version of mIRC will make the problem go away," said Chess.
If not, another solution may work. As with the "magic bullet" that gene researchers are investigating, Chess said that one of the four scripts -- released courtesy of some smart, anonymous hacker -- blocks all other scripts from being downloaded.
That's kind of like giving the cold a cold.
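
The fix described above (downloads and scripts kept in different folders) can be sketched as a destination check for received files. This is an added example, not mIRC's code or anything from the original notice; the function names, the folder names and the single-folder "flawed" layout are assumptions made for illustration.

```python
import ntpath
import tempfile
from pathlib import Path

class RejectedTransfer(Exception):
    """The offered file must not be written where the sender wants it."""

def flawed_destination(client_dir, offered_name):
    # Assumed pre-fix layout: received files land in the folder scripts load from,
    # so an offered "script.ini" ends up where the client looks for its scripts.
    return Path(client_dir) / offered_name

def safe_destination(download_dir, script_dir, offered_name):
    download_dir = Path(download_dir).resolve()
    script_dir = Path(script_dir).resolve()
    # Layout check: scripts must not be loaded from the download folder or below it.
    if script_dir == download_dir or download_dir in script_dir.parents:
        raise RejectedTransfer("script folder overlaps the download folder")
    # The sender chooses the name: keep only its last component (ntpath splits on
    # both \ and /) and drop the trailing dots/spaces that Windows ignores.
    name = ntpath.basename(offered_name).rstrip(". ")
    if not name:
        raise RejectedTransfer("no usable file name in %r" % offered_name)
    dest = (download_dir / name).resolve()
    # After resolving symlinks the file must still sit directly in download_dir.
    if dest.parent != download_dir:
        raise RejectedTransfer("destination leaves the download folder")
    return dest

def demo():
    root = Path(tempfile.mkdtemp()).resolve()   # constructed sandbox, not a real install
    client, downloads = root / "mirc", root / "mirc" / "download"
    downloads.mkdir(parents=True)
    results = {"flawed": flawed_destination(client, "script.ini").parent == client}
    for offered in ("script.ini", "..\\script.ini", "../script.ini", ".."):
        try:
            results[offered] = safe_destination(downloads, client, offered).parent == downloads
        except RejectedTransfer:
            results[offered] = "rejected"
    try:
        safe_destination(client, client, "script.ini")   # old single-folder layout
    except RejectedTransfer:
        results["shared folder"] = "rejected"
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```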
************************************
This is a log from DalNet:
-*Postal_Phreak*- [Global Notice] Attention mIRC users: If you accepted a file named script.ini from anyone yesterday or today, type /unload -rs script.ini and /remove script.ini. This file is dangerous and should be removed. If you have any questions please /join #kills [No replies please]
** Postal_Phreak :is a registered nick
?309? Postal_Phreak :is a Services Administrator
** Postal_Phreak is 54542353@hebron.in.us.dal.net (¤ Jinxi's Posty ;) ¤)
** Postal_Phreak :is a registered nick
** Postal_Phreak is on IRC via server hebron.in.us.dal.net (DALnet's very own rent-a-cow service!)
Postal_Phreak is an IRC Operator
** Postal_Phreak has been idle for 27 seconds
** Postal_Phreak signed on at Wednesday, November 26, 1997 2:28:35 PM
(IRCops generally don't make jokes like this, so the person who sent me the log, who is an op on #submission and also an ircop on another net, went to #kills and logged this.)
Log file opened at: 11/26/97 4:01:42 PM
** Topic for #kills: Information on script.ini It's NOT a virus DO NOT ASK for it or /msg the ops. Please read the info provided
RaGe: if you have, or run script.ini you WILL be killed until it's removed.. if you ARE killed for running it, please type: /unload -rs script.ini to remove it
GunLove: The script.ini IS NOT A VIRUS! works as following, you get the file script.ini sent to you via DCC when you join a channel. It works like an fserve and will let people get your system.cb from windows on demand. You will also dcc send the script to anyone that joins the channels you are on. To fix this disconnect, then type /remote off. Once you have done that find the script.ini and check to see if you have it. If you do DELETE it immediately.
GunLove: THIS SCRIPT IS ACTUALLY A BACKDOOR. All the information can be seen in a specified channel. Anything you say or do in can be seen.
GunLove: The script.ini does a couple of things 1) it is only for mIRC 2) it will make you dcc it to anyone that joins a channel you are on. 3) people can get your mIRC dir and win95 system.cb if they know the command. 4) they can cause you to QUIT with the right command as well. REMEMBER this is not a virus per se, but a security risk to your computer passwords.
GunLove: The remedy to this script is to 1) NEVER EVER Accept a DCC from someone you do not know
GunLove: Disconnect and type: /remote off
GunLove: Take your DCC off autoaccept
GunLove: Look in your mIRC DIR for script.ini
GunLove: If you have this line: ON 1:TEXT:*Acorag****:# ( deleted) Then you have the script.ini
GunLove: delete that file immediately.
RaGe: IF you see someone trying to send you script.ini on joining a channel.. please tell them to type: /unload -rs script.ini
glorious: REMEMBER: NEVER accept dccs from someone you don't know. To turn off auto dcc do the following: 1, go to dcc on the upper left hand of your window, click on options, and make sure autoget is off!!!! thank you
glorious: The script.ini IS NOT A VIRUS! works as following, you get the file script.ini sent to you via DCC when you join a channel. It works like an fserve and will let people get your system.cb from windows on demand. You will also dcc send the script to anyone that joins the channels you are on. To fix this disconnect, then type /remote off. Once you have done that find the script.ini and check to see if you have it. If you do DELETE it immediately.
Log file closed at: 11/26/97 4:03:39 PM
Remember, for help go to #mirc and do NOT accept /dcc's from strangers.
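
The "look in your mIRC DIR for script.ini" check from the log can be run over a whole directory tree. This is an added example, not part of the original notice or log: it reports every script.ini it finds, lists the event handlers in it, and flags the line quoted in the log. The sample files are constructed, and the `n<digits>=` line prefix is an assumption about the .ini script layout.

```python
import re
import tempfile
from pathlib import Path

# Visible part of the line quoted in the #kills log; the rest is redacted on the page.
INDICATOR = "ON 1:TEXT:*Acorag"
# Event line "ON <level>:<EVENT>:...". The optional "n<digits>=" prefix is an
# assumption about how .ini-format script files number their lines.
EVENT_RE = re.compile(r"^\s*(?:n\d+=)?\s*on\s+([^:\s]+):([a-z]+):", re.IGNORECASE)

def scan_mirc_dir(mirc_dir):
    """Return one finding per script.ini found under mirc_dir (any letter case)."""
    findings = []
    for path in sorted(Path(mirc_dir).rglob("*")):
        if not path.is_file() or path.name.lower() != "script.ini":
            continue
        events, indicator_lines = [], []
        text = path.read_text(encoding="latin-1")   # never fails on odd bytes
        for number, line in enumerate(text.splitlines(), start=1):
            match = EVENT_RE.match(line)
            if match:
                events.append(match.group(2).upper())
            if INDICATOR.lower() in line.lower():
                indicator_lines.append(number)
        findings.append({
            "path": path,
            "events": events,
            "indicator_lines": indicator_lines,
            # Per the log: the quoted line means "you have the script.ini".
            "verdict": "matches log indicator" if indicator_lines else "review by hand",
        })
    return findings

def demo():
    root = Path(tempfile.mkdtemp())   # constructed sandbox standing in for the mIRC dir
    (root / "sub").mkdir()
    # Constructed sample files; the commands after the event header are placeholders.
    (root / "SCRIPT.INI").write_text(
        "[script]\nn0=ON 1:TEXT:*Acorag****:#:/echo placeholder\n"
        "n1=ON 1:JOIN:#:/echo placeholder\n")
    (root / "sub" / "script.ini").write_text("[script]\nn0=ON 1:OP:#:/echo placeholder\n")
    (root / "notes.txt").write_text("ON 1:TEXT:*Acorag is discussed here\n")
    return scan_mirc_dir(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["events"], finding["verdict"])
```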