IRC-Worm.Pron.57
Details
IRC-Worm.Pron.576
This is an IRC worm that spreads through IRC channels using mIRC client for spreading. The worm is encrypted and has a very short size - just about 600 bytes, and appears as the PR0N.BAT file. When this file is executed on a computer, it copies itself with the PR0N.COM file and executes it as a DOS program. The worm code is built so that it can be executed as a DOS COM file as well as a DOS Batch, so the main worm routine (as a COM program) gains control and installs the worm into the system.
To infect the system, the worm uses a very silly way: it just copies its BAT file with the same name to the Windows system directory by using its direct name C:\WINDOWS\SYSTEM. If Windows is installed in any other directory, the worm fails to install itself. The worm then creates the WINSTART.BAT file and overwrites its with worm’s code.
To spread itself via IRC channels, the worm overwrites SCRIPT.INI in the mIRC directory. The worm searches for this directory by four variants:
C:\MIRC
C:\MIRC32
C:\PROGRA~1\MIRC
C:\PROGRA~1\MIRC32
The worm’s script is very short and just sends the worm’s BAT file to all users joining an infected channel.
The worm also contains the “copyright” text:
IRC-pr0n.bat v1.0 (c) nUcLeii 1999
Related Posts