Are you looking for SCRIPT.INI worms?

How DMSETUP viruses work

Someone sends you an EXE file with an enticing name. You run the file and it checks for mIRC. If mIRC isn't found, most of them create many folders with strange names. It creates a new INI file in your mIRC directory that tells mIRC to spread the virus. Then it makes a backup of your MIRC.INI file and overwrites it with a MIRC.INI file that will load the new INI file. The virus will then copy itself to several directories on the hard drive. Then they will add themselves to AUTOEXEC.BAT. Then they display some simple graphics, print some fake error messages and exit. Now if someone joins a channel you are on you will send the EXE file to them. To get rid of the DMSETUP virus under Windows 95/98:

Close mIRC if it is open.
Get an antivirus program. AVP and F-Prot are the best at removing mIRC viruses. Deleting is the proper way to remove the Dmsetup virus files. The reason that I recommend using an antivirus program is that conventional viruses sometimes attach to Dmsetup viruses. I have seen Die-Hard.4000 and Spanska.4250 attached to Dmsetup viruses.
Navigate to your Mirc folder.
Choose Folder Options from the View menu, click the View tab, then click "Show all files".
Select either BAKUPWRKS.INI or BACKUP0412.INI.
Rename it to MIRC.INI.
Navigate to the root directory of drive C:.
Delete CONFIGG.SYS (not CONFIG.SYS) if it exists.
Delete LOGOX.SYS if it exists.
Delete TAGED.LMR if it exists.
Right-click AUTOEXEC.BAT
Choose edit.
Delete the very last line if it loads the virus that you have.
Also delete the second last line if it refers to the virus that you have.
Save and Exit AUTOEXEC.BAT.
The rest are only if there are many strangely-named directories you want to delete
If there are strangely named directories, go to the DOS Prompt.
Type
```
CD\
```
If there are only a few strange directories, you can replace the strange character with "?" For example
```
DELTREE SUCK?IT
```
```
DELTREE ?DM2?YF
```
Otherwise, type
```
DELTREE *[ALT-255]*
```
Hold down ALT and type 255 on the numeric keypad to make the [ALT-255] character. The stars should be typed in but not the square brackets.
Only answer yes to directories you are sure you want to delete.
When done, type
```
EXIT
```

You should also never accept DCCs that you didn't request.

Please e-mail me if you have any questions, virus samples, suggestions, or comments. Let me know if you find this page useful.

So far, there are at least 6 DMSETUP viruses. None of the Dmsetup viruses I have seen modify the registry or CONFIG.SYS, or delete any files. There are other Dmsetup viruses, but I don't have samples of them. If you have a sample of a Dmsetup vrus not on this list, please send it to me. The names are based on AVP names. The first part of the name is the type(Worm) the second is Dmsetup. The third part is lettering them A,B,C...

Worm.Dmsetup.a It is 87540 bytes long. There are truncated versions of this, 32256, 38194, 39936 and 57556 bytes long There is another one 57556 bytes long except "DMsetup" has been changed to "Nukings" that work the same as the original. It runs the commands:
```
copy DMsetup.exe c:\
copy DMsetup.exe c:\mirc
copy DMsetup.exe c:\windows
copy DMsetup.exe c:\progra~1
cd\mirc
copy mirc.ini backup0412.ini
```
It adds dmsetup to AUTOEXEC.BAT. It creates a file called CONFIGG.SYS containing the text "ni!". It creates a file called c:\mirc\mirc.ini. It creates a mircrem.ini file that:
Sends the file DMSETUP.EXE to whoever joins.
If someone sends a notice saying "goawaysilly" it quits all channels with the message "'tis to I who seem so sad."
Worm.Dmsetup.c It is 81084 bytes long. There are truncated versions 50780, 53760, 56832, 74752 and 77824 bytes long that work the same as the original. It is an EXE file. It is named with a random picked name from words like:
```
BUNY
LOVE
INST
MIRC
POWR
NUKE
HELL
PUSY
DICK
FUCK
SEX
TOE
PEE
GOD
FUN
ICQ
IRC
JNK
UDP
LIM
SET
CFG
TIT
69
101
YES
ARM
311
BUD
EAT
```
When it is run, it displays multicolored circles. Then it displays "cannot find vital data." It adds the command
```
[Name of file] -inauto
```
to autoexec.bat. The command "-inauto" prevents the circles from displaying. It runs the commands where %s is the random picked name:
```
copy c:\mirc\mirc.ini c:\mirc\bakupwrks.ini
copy %s c:\%s.exe
copy %s c:\windows\%s.exe
copy %s c:\mirc\%s.exe
copy %s c:\windows\system\%s.exe
copy %s c:\YOUARENOTSURPOSEDTOBELOOKINGATTHIS\%s.exe
copy %s c:\progra~1\%s.exe
copy %s c:\dos\%s.exe
copy %s c:\quake\%s.exe
copy %s c:\DOOM\%s.exe
copy %s c:\DOOM2\%s.exe
copy %s c:\GAMES\%s.exe
copy %s c:\PICS\%s.exe
copy %s c:\ÿDM2IYF\%s.exe
copy %s c:\SUCKÿIT\%s.exe
```
If you run it with the "-help" parameter, it displays: "Call 911!" "What do you mean by what is the number?!" I contains the text: "ni! icke icke icke-poo!"
It creates a file called c:\mirc\mirc.ini. It creates a random named INI file that:
Sends the EXE to whoever joins.
Leaves the channels #nohack, #irchelp, #mirchelp, #operhelp, #help, #helpdesk, #help-desk, #helpcenter, and #dalnethelp.
If someone sends a notice saying "I hate your guts with a passion", It quits with the message "Waa! Some one told me off. }DM2{".
If someone sends a notice saying "I think you are cool" it turns c:\ into an fserve.
If someone sends a notice saying "gerr" it says "I like to lick my own ass hole"
If someone sends a notice saying "gerrrr" it says "love to lick my own ass hole"
If someone sends a notice saying "you suck" it says "I sucked your dad's cock twice."
One line is commented out with the text: "command to brutal!"
If someone sends a notice saying "ni!" it quits all channels.
It contains the comment "Dmsetup2"
Worm.Dmsetup.d It is 82136 bytes long. There is a truncated version 81408 bytes long that work the same as the original. There is a version 86136 bytes long infected with the Die-Hard.4000 virus. It is an EXE file. It is named with a random picked name from words like:
```
BUNY
LOVE
SEX
BLOW
PEE
INST
GOD
FUN
ICQ
IRC
MIRC
POWR
EYE
NUKE
UDP
PORN
SET
CFG
HELL
PUSY
TIT
DICK
691
01
YES
ARM
311
FOaM
FUCK
EAT
TOE
JNK
CANDY
DoD
DINK
BUZZ
SKIN
```
When it is run, it displays multicolored circles. Then it displays "START UP ERROR: Can not find vital data!" "Attempting safe close down (This may take several minuets).." "25%% done" "100%% Done!" "Safe recovery succsessful!"
It adds the commands where %s is the random name
```
copy c:\windows\logox.sys c:\windows\%s.exe
c:\windows\%s.exe -inauto
```
to autoexec.bat. The command "-inauto" prevents the circles from displaying. It runs the commands where %s is the random picked name:
```
copy c:\mirc\mirc.ini c:\mirc\bakupwrks.ini
copy %s c:\%s.exe
copy %s c:\windows\%s.exe
copy %s c:\mirc\%s.exe
copy %s c:\windows\system\%s.exe
copy %s c:\CODEDBYTHECREATOR\%s.exe
copy %s c:\progra~1\%s.exe
copy %s c:\dos\%s.exe
copy %s c:\quake\%s.exe
copy %s c:\DOOM\%s.exe
copy %s c:\DOOM2\%s.exe
copy %s c:\GAMES\%s.exe
copy %s c:\PICS\%s.exe
copy %s c:\WINDOWS\FREEPORN.EXE
copy %s c:\WINDOOM.EXE
copy %s c:\windows\logox.sys
```
If you run it with the "-help" parameter, it displays: "Hint: ALT+0255 Micro$oft bug.. Micro$oft Sucks." "This computer is/has been infected by DMsetup2 4.2 (AKA The Shape Shifter) This is a lame 'virus' that exploits a bug in mIRC." "Khaled Mardam-Bey, Okay, you put up a notice.. that works. But I think by changing the way mIRC works it wouldn't be as eassy to hack. *hint* don't use external data files!"
It creates a file called c:\mirc\mirc.ini.
It creates a random named INI file that:
Sends the EXE to whoever joins.
Leaves the channels #nohack, #irchelp, #mirchelp, #operhelp, #help, #helpdesk, #help-desk, #helpcenter, and #dalnethelp.
If someone sends a notice starting with "#" it joins that channel,
If someone says "You are a lamer" it sends them the message "I am a lamer!"
If someone sends a notice saying "gohome" it joins#teens, #teenchat, #teen, and #teensex.
On connecting or joining #dalnethelp it changes your nick to a random one.
If someone sends a notice saying "I hate your guts with a passion", It quits with the message "Waa! Some one told me off. }DM2{".
If someone sends a notice saying "I think you are cool" it turns c:\ into an fserve.
If someone sends a notice saying "gerr" it says "I like to lick my own ass hole"
If someone sends a notice saying "gerrrr" it says "love to lick my own ass hole"
If someone sends a notice saying "you suck" it says "I sucked your dad's cock twice."
One line is commented out with the text: "command to brutal!"
If someone sends a notice saying "ni!" it quits all channels.
It contains the comment "Dmsetup2 ( AKA The Shape Shifer )"
Worm.Dmsetup.e It is 54784 bytes long. There is a truncated version 43520 bytes long that works the same as the original. It is an EXE file. It is named with a random picked name from words like:
```
BUNY
LOVE
INST
MIRC
POWR
NUKE
HELL
PUSY
DICK
FUCK
SEX
TOE
PEE
GOD
FUN
ICQ
IRC
JNK
UDP
LIM
SET
CFG
TIT
69
101
YES
ARM
311
BUD
EAT
```
When it is run, it displays multicolored circles. Then it displays ERROR: expected Voodoo or 3DFX It adds the command
```
[Name of file] -inauto
```
to autoexec.bat. The command "-inauto" prevents the circles from displaying. It runs the commands where %s is the random picked name:
```
copy c:\mirc\mirc.ini c:\mirc\bakupwrks.ini
copy %s c:\%s.exe
copy %s c:\windows\%s.exe
copy %s c:\mirc\%s.exe
copy %s c:\windows\system\%s.exe
copy %s c:\YOUARENOTSURPOSEDTOBELOOKINGATTHIS\%s.exe
copy %s c:\progra~1\%s.exe
copy %s c:\dos\%s.exe
copy %s c:\quake\%s.exe
copy %s c:\DOOM\%s.exe
copy %s c:\DOOM2\%s.exe
copy %s c:\GAMES\%s.exe
copy %s c:\PICS\%s.exe
```
If you run it with the "-help" parameter, it displays: "Call 911!" "What do you mean by what is the number?!" I contains the text: "ni! icke icke icke-poo!"
It creates a file called c:\mirc\mirc.ini. It creates a random named INI file that:
Sends the EXE to whoever joins.
Leaves the channels #nohack, #irchelp, #mirchelp, #operhelp, #help, #helpdesk, #help-desk, #helpcenter, and #dalnethelp.
If someone sends a notice saying "I hate your guts with a passion", It quits with the message "Waa! Some one told me off. }DM2{".
If someone sends a notice saying "I think you are cool" it turns c:\ into an fserve.
If someone sends a notice saying "gerr" it says "I like to lick my own ass hole"
If someone sends a notice saying "gerrrr" it says "love to lick my own ass hole"
If someone sends a notice saying "you suck" it says "I sucked your dad's cock twice."
One line is commented out with the text: "command to brutal!"
If someone sends a notice saying "ni!" it quits all channels.
It contains the comment "Dmsetup2"
If someone sends a notice starting with "c" it runs the command that comes after it.
Worm.Dmsetup.f It is 81560 bytes long. There are truncated versions 48640 and 54013 bytes long that work the same as the original. It is an EXE file. It is named with a random picked name from words like:
```
BUNY
LOVE
INST
MIRC
POWR
NUKE
HELL
PUSY
DICK
FUCK
SEX
TOE
PEE
GOD
FUN
ICQ
IRC
JNK
UDP
LIM
SET
CFG
TIT
69
101
YES
ARM
311
BUD
EAT
```
When it is run, it displays multicolored circles. Then it displays "START UP ERROR: Can not find vital data!" "Attempting safe close down (This may take several minuets).." "25%% done" "65%% done" "100%% Done!" "Safe recovery succsessful!" It adds the command
```
[Name of file] -inauto
```
to autoexec.bat. The command "-inauto" prevents the circles from displaying. It runs the commands where %s is the random picked name:
```
copy c:\mirc\mirc.ini c:\mirc\bakupwrks.ini
copy %s c:\%s.exe
copy %s c:\windows\%s.exe
copy %s c:\mirc\%s.exe
copy %s c:\windows\system\%s.exe
copy %s c:\YOUARENOTSURPOSEDTOBELOOKINGATTHIS\%s.exe
copy %s c:\progra~1\%s.exe
copy %s c:\dos\%s.exe
copy %s c:\quake\%s.exe
copy %s c:\DOOM\%s.exe
copy %s c:\DOOM2\%s.exe
copy %s c:\GAMES\%s.exe
copy %s c:\PICS\%s.exe
copy %s c:\ÿDM2IYF\%s.exe
copy %s c:\SUCKÿIT\%s.exe
```
If you run it with the "-help" parameter, it displays: "Call 911!" "What do you mean by what is the number?!" It contains the text: "ni! icke icke icke-poo!"
It creates a file called c:\mirc\mirc.ini.
It creates a random named INI file that:
Sends the EXE to whoever joins.
Leaves the channels #nohack, #irchelp, #mirchelp, #operhelp, #help, #helpdesk, #help-desk, #helpcenter, and #dalnethelp.
If someone sends a notice saying "I hate your guts with a passion", It quits with the message "Waa! Some one told me off. }DM2{".
If someone sends a notice saying "I think you are cool" it turns c:\ into an fserve.
If someone sends a notice saying "gerr" it says "I like to lick my own ass hole"
If someone sends a notice saying "gerrrr" it says "love to lick my own ass hole"
If someone sends a notice saying "you suck" it says "I sucked your dad's cock twice."
One line is commented out with the text: "command to brutal!"
If someone sends a notice saying "ni!" it quits all channels.
It contains the comment "Dmsetup 2 ( AKA The Shape Shifer )"
If someone sends a notice starting with "c" it runs the command that comes after it.
If someone says "You are a lamer" it sends them the message "I am a lamer!"
If someone sends a notice saying "gohome" it joins #teens, #teenchat, #teen, and #teensex.
Worm.Dmsetup.g It is 81440 bytes long. There are truncated versions 50144, 52224 and 74963 bytes long that work the same as the original. It is an EXE file. It is named with a random picked name from words like:
```
BUNY
LOVE
INST
MIRC
POWR
NUKE
HELL
PUSY
DICK
FUCK
SEX
TOE
PEE
GOD
FUN
ICQ
IRC
JNK
UDP
LIM
SET
CFG
TIT
69
101
YES
ARM
311
BUD
EAT
```
When it is run, it displays multicolored circles. Then it displays: START UP ERROR: Can not find vital data! Attempting safe close down (This may take several minuets).. 100%% Done! Safe recovery succsessful! It adds the command
```
[Name of file] -inauto
```
to autoexec.bat. The command "-inauto" prevents the circles from displaying. It runs the commands where %s is the random picked name:
```
copy c:\mirc\mirc.ini c:\mirc\bakupwrks.ini
copy %s c:\%s.exe
copy %s c:\windows\%s.exe
copy %s c:\mirc\%s.exe
copy %s c:\windows\system\%s.exe
copy %s c:\YOUARENOTSURPOSEDTOBELOOKINGATTHIS\%s.exe
copy %s c:\progra~1\%s.exe
copy %s c:\dos\%s.exe
copy %s c:\quake\%s.exe
copy %s c:\DOOM\%s.exe
copy %s c:\DOOM2\%s.exe
copy %s c:\GAMES\%s.exe
copy %s c:\PICS\%s.exe
```
If you run it with the "-help" parameter, it displays: "Call 911!" "What do you mean by what is the number?!" I contains the text: "ni! icke icke icke-poo!"
It contains the following c:\mirc\mirc.ini: None of these commands are harmful so I include the whole thing. It creates a random named INI file that:
Sends the EXE to whoever joins.
Leaves the channels #nohack, #irchelp, #mirchelp, #operhelp, #help, #helpdesk, #help-desk, #helpcenter, and #dalnethelp.
If someone sends a notice saying "I hate your guts with a passion", It quits with the message "Waa! Some one told me off. }DM2{".
If someone sends a notice saying "I think you are cool" it turns c:\ into an fserve.
If someone sends a notice saying "gerr" it says "I like to lick my own ass hole"
If someone sends a notice saying "gerrrr" it says "love to lick my own ass hole"
If someone sends a notice saying "you suck" it says "I sucked your dad's cock twice."
One line is commented out with the text: "command to brutal!"
If someone sends a notice saying "ni!" it quits all channels.
It contains the comment "Dmsetup 2 ( AKA The Shape Shifer )"
If someone says "You are a lamer", it sends them the message "I am a lamer!"
If someone says "gohome", it joins #teens, #teenchat, #teen, and #teensex.

Virus Page