Dmsetup

The "dmsetup.exe" file is a trojan/worm which passes itself from one mIRC user's computer to the next by infecting the mirc.ini file and other files on their computers. It does this by changing mIRC remote scripts so that it sends itself to anyone joining the channel the infected mIRC user is in. The transfer is done with DCC, the IRC file transfer protocol.
There are a lot of different filenames being used to circulate the "dmsetup.exe" worm. You should be suspicious of any file you are sent with a .exe extension. The chances are it is "dmsetup.exe" which has been renamed; in addition, some variants of this worm change their own name with every infection. In this document the worm will only be referred to as DMSetup.

Indications of infections

There are some obvious clues.
- Your popups and scripts have changed.
- You are unintentionally DCC-ing files to people.
- Your username has changed, and now you have a username of "s": for example, your /whois address used to be myname@internet.provider.com and now it's s@internet.provider.com
When you run the infected file, the file will:
- Edit Autoexec.bat so that the infected file is run every time you start the PC.
- Create a configg.sys file that says NI! (the file is 5 bytes).
- Copy itself to C:\, C:\Windows\, C:\Mirc\ and C:\program files\
- Edit script.ini to autosend on joins to channels.
- Edit remote.ini to quit a channel leaving a message behind: "'tis to I who seem so sad".
- Copy mirc.ini to backup0412.ini
- Create a new mirc.ini, which will load mircrem.ini
- Disable fserve warnings.
- Display error type 0 (so that you think the download is broken).
- Enable listening for fserve, send and chat, and set the port to 59.
The new mirc.ini installed by dmsetup.exe will:
- overwrite your old settings, remove notify & channel lists, etc.
- window fonts will be back to default Fixedsys
- your sign-on nick will be "a", userID and full name field "s".
- the dccserver will be enabled for chat, send, and fserve; this will allow outsiders to access your hard drive
- fserve warning will be disabled, and the root directory will be c:\mirc\
- cause you to send the dmsetup.exe file to other people
- cause you to quit IRC if sent a /msg with the word "goawaysilly"
- quit message will be "'tis to I who seem so sad"
- some versions will allow others to run executables on your computer
- some versions will prevent you from going to channels #nohack, #irchelp, #mirchelp, #operhelp, #help, #helpdesk, #help-desk, #helpcenter and #dalnethelp
- some versions will cause you to quit if you are /notice'd with "I hate your guts with a passion"
- some versions will cause you to say silly things on the channel.

In rare cases, if the DMSetup worm can't install properly, it will take a rather destructive action. It will show a display of multicolored rings and circles in a screensaver-like fashion. While it does this, it fills the hard disk with directories that have garbage names and are difficult to remove again.
Removal

To fix this problem, there are two main scenarios, depending on whether you have mIRC in the C drive or not.
If you have mIRC installed on your c: drive
- Unload mircrem.ini by typing /UNLOAD -RS MIRCREM.INI in any mIRC window
- Open C:\AUTOEXEC.BAT with notepad and remove the DMSetup line - save and exit
- Delete the following files:
  C:\DMSETUP.EXE
  C:\CONFIGG.SYS
  C:\MIRC\DMSETUP.EXE
  C:\MIRC\MIRCREM.INI
  C:\MIRC\BACKUP0412.INI
  C:\WINDOWS\DMSETUP.EXE
  C:\PROGRAM FILES\DMSETUP.EXE
  C:\MIRC.INI
If you do not have mIRC installed on your c: drive
- Open C:\AUTOEXEC.BAT with notepad and remove the DMSetup line - save and exit
- Delete the following files:
  C:\DMSETUP.EXE
  C:\CONFIGG.SYS
  C:\MIRC
  C:\WINDOWS\DMSETUP.EXE
  C:\PROGRAM FILES\DMSETUP.EXE
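
As an added example (not part of the original document), the following Python script checks a drive root or a mounted disk image for the files and edits this document lists, before or after cleanup. It only knows the file names given here, so a renamed copy of the worm will not be found; the function names and the mirc_dir parameter are choices made for this example.

```python
import os
import sys

# Names come from this document; renamed variants of the worm will not match.
ROOT_FILES = ["dmsetup.exe", "configg.sys", "windows/dmsetup.exe",
              "program files/dmsetup.exe"]
MIRC_FILES = ["dmsetup.exe", "mircrem.ini", "backup0412.ini"]

def _resolve(root, rel):
    """Case-insensitive lookup of rel under root; returns a file path or None."""
    path = root
    for part in rel.split("/"):
        try:
            names = os.listdir(path)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path if os.path.isfile(path) else None

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def find_dmsetup_indicators(root, mirc_dir="mirc"):
    """Check a drive root (or mounted image) and return a list of findings."""
    findings = []
    for rel in ROOT_FILES + [mirc_dir + "/" + f for f in MIRC_FILES]:
        if _resolve(root, rel):
            findings.append("dropped file: " + rel)
    cfg = _resolve(root, "configg.sys")
    if cfg and os.path.getsize(cfg) == 5 and _read(cfg).startswith(b"NI!"):
        findings.append("configg.sys is the 5-byte NI! marker")
    auto = _resolve(root, "autoexec.bat")
    if auto and b"dmsetup" in _read(auto).lower():
        findings.append("autoexec.bat references dmsetup")
    ini = _resolve(root, mirc_dir + "/mirc.ini")
    if ini and b"mircrem.ini" in _read(ini).lower():
        findings.append("mirc.ini loads mircrem.ini")
    return findings

if __name__ == "__main__":
    # Usage: python check_dmsetup.py <drive root>; exit status 1 if anything is found.
    hits = find_dmsetup_indicators(sys.argv[1])
    print("\n".join(hits) or "no DMSetup indicators found")
    sys.exit(1 if hits else 0)
```

An empty result only means none of the names listed in this document are present; the changed popups, unintended DCC sends and the "s" username described above still need to be checked in mIRC itself.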