A DC++ Virus and Its Block
 

Started by GeceBekcisi, 29 May, 2005, 10:00:09


GeceBekcisi

I found something, and I think you all need to know; and help me and others to prevent this virus kinda thingy from spreading.

I think a virus thing affects DC++. It changes DCPlusPlus.xml as
none
myemail@host.com
mynick
MS Shell Dlg,-11,400,0
....
0.401
1
....

C:\WINDOWS\system32\msview



and maybe more, but I couldn't find other changes. But I see it changes most of DC++ preferences.

This shared directory seems to be a Windows system subdirectory, but it contains files named like "NFS Game Crack" and all of them are viruses! I dunno if any AntiVirus covers these yet.

So,

I need a script that blocks

"none" in Description and/or "myemail@host.com" in EMail and/or "mynick" in Nick.

Thanks.
GeceBekcisi
Do you need an advanced user handling script? Download UserBekcisi today (Latest Edit)
Features: User + ISP + GeoIP database, user info + share checking and many more...

jiten

Give this a try:
MyINFOArrival = function(curUser, sData)
	if string.find(curUser.sEmail, "myemail@host.com") or string.find(curUser.sName, "mynick") and string.find(curUser.sDescription, "none") then
		curUser:Redirect(frmHub:GetRedirectAddress(),"Your DC++ system is infected by a virus. Please clean it!")
	end
end
Best regards,

jiten

GeceBekcisi

if string.find(curUser.sEmail, "myemail@host.com") or string.find(curUser.sName, "mynick") and string.find(curUser.sDescription, "none")

controls email or nick (AFAIK or operator needs at least one of the statements to be 1 to get 1 as result) and desc (AFAIK and operator needs two of the statements 1 to get 1 as result), am I wrong?

If I am not,
if string.find(curUser.sDescription, "none") or string.find(curUser.sName, "mynick") and string.find(curUser.sEmail, "myemail@host.com") then
should be a better way, but it still doesn't satisfy my needs. Let me explain more..

Script must disconnect user if stated mail string found, or if stated "mail and nick" (and also "mail and desc", "nick and desc") strings found.

Why do I want this? Cos a user can choose mynick for his nick, or none for description even though his system is not infected; but when there are two of them together, this is a strong clue for me. And, nick and description can be set through favorite hubs but mail is only set via settings, and this virus kinda thing changes it.

Anyone wishing to inspect this "virus kinda thing" can PM me to send them any infected files from "C:\WINDOWS\system32\msview" location.

Best Regards

jiten

Quote: Script must disconnect user if stated mail string found, or if stated "mail and nick" (and also "mail and desc")
As you can see here, it will always disconnect users with at least that mail, so, there's no need to check other strings (nick/desc) and that's what "if string.find(curUser.sEmail, "myemail@host.com")" does.
Quote: "nick and desc"
For this situation there's the "string.find(curUser.sName, "mynick") and string.find(curUser.sEmail, "myemail@host.com")" condition.

Hope you got it ;)

Cheers

GeceBekcisi

dear jiten,

I got it before I wrote this but as you know I am not even a newbie to lua :(

That's why I beg help from you ;)

jiten

Just to confirm, is everything ok now? I hope :D

Cheers m8

Rahxie

This virus is all over dc now, I banned everyone that was in my hub sharing it but it's spreading that much that it's nearly half the users... if you use a good antivirus then it's detected before you're infected, I use Norton Antivirus 2005 and it was detected straight away when I downloaded the virus to test it.

6Marilyn6Manson6

You can use iDC++ and add this virus in BadFiles ;)

Rahxie

Quote: Originally posted by 6Marilyn6Manson6
You can use iDC++ and add this virus in BadFiles ;)

You can't, it has a lot of different filenames, best thing to do is use an up to date antivirus.

GeceBekcisi

Working fine. Thanks

jiten

Quote: Originally posted by GeceBekcisi
Working fine. Thanks

Nice to know that.
Let's see if we can prevent that "virus" from spreading...

Pothead

DCDM 0.046 also points these people out for you now. :)

Quote:
[20:01:07] <[10Mbit]Hyter> what does it check for when I got a viruswarning like this:  ***  User skerdikas2005 infected by virus
[20:01:20] his email
[20:01:30] i read about some virus which infects xml files
[20:01:32] <[10Mbit]Hyter> huh?
[20:01:33] and he got it
[20:01:38] 2 secs, i'll try and find it
[20:01:45] <[10Mbit]Hyter> ok, thx
[20:04:01] http://board.univ-angers.fr/thread.php?threadid=4610&boardid=28

jiten

Quote: Originally posted by Pothead
DCDM 0.046 also points these people out for you now. :)

Nice ;)
Btw, some days ago, I was testing some settings of DCDM++ 0.045 and enabled "Use special script for colours in PM", but, got this error: scripts/formatting.lua:458: attempt to index field 'pmcolor' (a nil value).

Cheers

GeceBekcisi

Very nice feature :) But this has no meaning for me in my hub thanks to jiten :] ;)
Posted on: 06 June 2005, 22:53:01
Detailed info about this virus is here

plop

Quote: Originally posted by Rahxie
Quote: Originally posted by 6Marilyn6Manson6
You can use iDC++ and add this virus in BadFiles ;)

You can't, it has a lot of different filenames, best thing to do is use an up to date antivirus.

you can.
no matter the filename the TTH stays the same.
just add all hashes 2 idc/dcdm and see them fly out.

plop
http://www.plop.nl lua scripts/howto's.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<

GeceBekcisi

Quote: Originally posted by plop
you can.
no matter the filename the TTH stays the same.
just add all hashes 2 idc/dcdm and see them fly out.

plop

How does that Malevous files work in iDC (I think DCDM hasn't such a feature unless you implement it)? I think it should be implemented in DCDM, maybe with autosearch timer for timer based checks of some kind of files.

plop

Quote: Originally posted by GeceBekcisi
How does that Malevous files work in iDC (I think DCDM hasn't such a feature unless you implement it)? I think it should be implemented in DCDM, maybe with autosearch timer for timer based checks of some kind of files.
adl search seems 2 the most logical place for me, i'm not a dcdm/idc user so i'm not sure.

plop

Pothead

Quote: Originally posted by jiten
Btw, some days ago, I was testing some settings of DCDM++ 0.045 and enabled "Use special script for colours in PM", but, got this error: scripts/formatting.lua:458: attempt to index field 'pmcolor' (a nil value).
I changed it on two builds . . . cannot remember which versions now.  Try replacing the one you have with from the 0.046 binary file, and also the Formatting_Settings.txt from the same file. :)

LiqUiD~TrolL

this virus shit is really making me annoyed

so I'm gonna ask a question,

why we can just add in badnicks in Robocop: "mynick" so it will not allow users with this nick??
________<>________


            -=@_ psydream-land.no-ip.org _@=-


             
http://www.psychedelicdreams.bravehost.com

bastya_elvtars

Quote: Originally posted by LiqUiD~TrolL
this virus shit is really making me annoyed

so I'm gonna ask a question,

why we can just add in badnicks in Robocop: "mynick" so it will not allow users with this nick??

Ain't nickban enough?
Everything could have been anything else and it would have just as much meaning.

LiqUiD~TrolL

but if the user is banned he will not understand that he is infected ;-)

so I prefer to add him in bad nicks
so he will search for it =)

try to change his nick or something

so we are gonna try to control the virus

Rincewind

Then why not try something like this;

BotName = "VirusChecker"

function MyINFOArrival(user, data)

	if string.find(user.sEmail, "myemail@host.com") or string.find(user.sName, "mynick") and string.find(user.sDescription, "none") then
		user:SendData(BotName, "\r\n\r\n\tThe Win32.Tibick worm has been detected on your machine. Details here: \r\n\r\n\t\t\thttp://securityresponse.symantec.com/avcenter/venc/data/w32.tibick.html \r\n\r\n\tand here: \r\n\r\n\t\t\thttp://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40789. \r\n\r\n\tEntry to this hub will not be permitted until it has been removed\r\n")
		user:Disconnect()
	end

end

This way they will know why they can't get in and be pointed to where they can get details of the virus and how to remove it
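
The matching rule discussed in this thread, written out as an added example (not one of the posters' scripts and not PtokaX code). LooksInfected and has are hypothetical helper names, the sample profiles are constructed, and the example assumes the user fields may be nil or empty; the hub calls are only those already used in the scripts above.

```lua
-- Added example; the marker strings are the ones quoted in the thread.
local MARKERS = { email = "myemail@host.com", nick = "mynick", desc = "none" }

-- nil-safe literal substring test. The 4th argument (plain = true) turns off
-- Lua pattern matching, so the "." in the e-mail marker is not a wildcard.
local function has(field, marker)
	return type(field) == "string" and string.find(field, marker, 1, true) ~= nil
end

-- Rule from the thread: the e-mail marker alone is enough; nick and
-- description count only together. "and" binds tighter than "or" in Lua,
-- so the brackets only make the existing grouping visible.
function LooksInfected(nick, desc, email)
	return has(email, MARKERS.email)
		or (has(nick, MARKERS.nick) and has(desc, MARKERS.desc))
end

-- Constructed sample profiles: { nick, description, email, expected }
local samples = {
	{ "mynick",  "none",       "myemail@host.com", true  }, -- all three markers
	{ "someone", "hi",         "myemail@host.com", true  }, -- e-mail alone
	{ "mynick",  "none",       nil,                true  }, -- nick + description
	{ "mynick",  "fast share", nil,                false }, -- nick alone
	{ "someone", "none",       "",                 false }, -- description alone
	{ "someone", "hi",         "myemail@hostXcom", false }, -- "." must stay literal
}
for _, s in ipairs(samples) do
	assert(LooksInfected(s[1], s[2], s[3]) == s[4], "unexpected result for " .. s[1])
end

-- Hub hook, using only the calls that appear in the scripts above.
function MyINFOArrival(curUser, sData)
	if LooksInfected(curUser.sName, curUser.sDescription, curUser.sEmail) then
		curUser:SendData("VirusChecker", "Your DC++ settings match a known worm profile. Please clean your machine.")
		curUser:Disconnect()
	end
end
```

The plain-text find keeps the substring behaviour of the thread's scripts, so a description that merely contains "none" still counts as a marker when the nick also matches.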
