What is Script.ini?
SCRIPT.INI is an mIRC script that is currently circulating on the major IRC networks at epidemic proportions.
It is filled with commands to allow others to control your IRC session,
watch your conversations, and disrupt your IRC session.
It takes advantage of two potential security holes in the mIRC client: auto-DCC-get
and the automatic execution of files named SCRIPT.INI in the mIRC directory.
Is SCRIPT.INI a virus?
SCRIPT.INI is not a virus.
Viruses reproduce on their own. SCRIPT.INI has to be willingly accepted by its host
before reproducing. Even though it most commonly is transmitted over auto-DCC-get,
since users have to turn on auto-DCC-get, it is not reproducing "on its own".
Is SCRIPT.INI a trojan horse?
It could be considered a trojan horse.
In the case where a user sees someone sending them a script,
and runs the script without examining it first to see what it does,
SCRIPT.INI acts as a trojan horse. However, in the case of it
being received with auto-DCC-get, it is not a trojan horse.
Are any other IRC clients vulnerable to SCRIPT.INI?
SCRIPT.INI itself is in mIRC's scripting language, so only mIRC is vulnerable to this particular script. However, this sort of exploit has been used for years against the Unix IrcII client (as well as a similar exploit that would allow an intruder to log in to your account without a password). Now that someone has had this amount of success in circulating a backdoored script, it could be expected that versions for other popular clients will soon appear.
The directions below for prevention should be taken into consideration by all IRC users.
Diagnosing Script.ini in your System
Type all of the following lines
in any window in mIRC OTHER THAN THE STATUS WINDOW, i.e. a
#channel or a message window of a friend helping you with this.
NOTE: IF YOU ARE NOT RUNNING mIRC, DO A SEARCH FOR THE
FILENAMES IN FIND IN WINDOWS INSTEAD.
YOU MUST GET THE FILENAMES AND COMMANDS CORRECT.
If you get an error in status for any of these, you have typed the command wrong; correct it and try again.
type /alias /say
type //say $findfile(c:\,script.ini,0)
This will probably give you a 1. If it returns 1 or more, continue;
if it returns a 0, check that you have typed the right command,
then goto step 8.
type /alias /play
type //play $findfile(c:\,script.ini,1) 2000
Should this command produce a heap of lines like
[script]
n0=WHATEVER IT SAYS HERE
n1=WHATEVER IT SAYS HERE
etc etc....
If there is a heap of lines spewing out and they aren't all empty lines, for example
(EXAMPLE ONLY; YOUR ACTUAL ONE WILL PROBABLY BE DIFFERENT):
[script]
n0=on 1:START:{
.sreq ignore
n1= .remote on
n2= titlebar (Not connected)
n3= }
n4=raw 401:*: {
n5= halt
n6=}
n7=RAW 001:*:titlebar (Connecting to $server $+ )
*** NOTE THE PREVIOUS WAS ONLY AN EXAMPLE OF ONE TYPE OF SCRIPT VIRUS ***
*** IF INFECTED YOU WILL PROBABLY GET DIFFERENT LINES THERE BUT NOT EMPTY ****
IF THIS IS SO, then you are probably infected with a script.ini virus. If n0= is blank and there
are no other n?= lines with anything in them, then you're probably safe and not infected by the script.ini
virus; goto step 8.
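The same check for the case where mIRC is not running, as an added Python example that is not part of the original page: it finds every script.ini under a folder and reports those whose [script] section has non-empty n?= lines. The function names and the sample file contents are constructed for illustration; a reported file is one to review, matching the "probably infected" wording above.

```python
import os
import re
import tempfile

# Added example (names are illustrative): an "n<number>=<text>" line as shown under [script].
ENTRY = re.compile(r"^n(\d+)=(.*)$", re.IGNORECASE)

def script_entries(text):
    """Return the non-empty n?= entries found in the [script] section."""
    entries, in_script = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        m = ENTRY.match(line)
        if in_script and m and m.group(2).strip():
            entries.append((int(m.group(1)), m.group(2).strip()))
    return entries

def scan(root):
    """Walk root and report every script.ini with non-empty [script] entries."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "script.ini":
                path = os.path.join(folder, name)
                with open(path, "r", errors="replace") as fh:
                    entries = script_entries(fh.read())
                if entries:
                    findings[path] = entries
    return findings

# Constructed samples: a few of the page's example lines, and a blank script.ini.
SAMPLE_LOADED = "[script]\nn0=on 1:START:{\nn1= .remote on\nn2= titlebar (Not connected)\nn3= }\n"
SAMPLE_BLANK = "[script]\nn0=\n"

def demo():
    """Build a throwaway tree holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("mirc", SAMPLE_LOADED), ("clean", SAMPLE_BLANK)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "SCRIPT.INI"), "w") as fh:
                fh.write(body)
        return {os.path.relpath(p, root): e for p, e in scan(root).items()}

if __name__ == "__main__":
    for path, entries in demo().items():
        print(path, "has", len(entries), "script lines; first:", entries[0][1])
```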
MANUAL FIX
1. type /alias /remote
2. type /remote off
3. type /alias /unload
4. type /unload -rs script.ini
5. type /alias /remove
6. type /run attrib -r script.ini
7. type /run attrib -h script.ini
8. type /remove script.ini
9. type /alias /say
10. type //say $findfile(c:\,script.ini,0) IF YOU GET 0 then YOU'RE FIXED; if you don't, goto step 1 again
11. type /remote on
12. type /sreq ask