Finding hidden copies of mIRC

Copies of mIRC, the Internet Relay Chat client, have been found masquerading as Explorer in the System32 folder. Explorer.exe should be found in the Windows folder, not Windows\System32. The copies were found because the executable (mirc.exe) contains product information, and Microsoft Systems Management Server (SMS) captures that product information. These unexpected copies of mIRC would not be found by searching for the usual file name (mirc.exe).

Copies of mIRC were uncovered by a search for peer-to-peer (P2P) file sharing products. Use, for example, the following WQL code:

    select SMS_R_System.ResourceDomainORWorkgroup,
           SMS_R_System.Name,
           SMS_R_System.LastLogonUserDomain,
           SMS_R_System.LastLogonUserName,
           SMS_G_System_SoftwareProduct.ProductName,
           SMS_G_System_SoftwareProduct.CompanyName
    from SMS_R_System
    inner join SMS_G_System_SoftwareProduct
        on SMS_G_System_SoftwareProduct.ResourceID = SMS_R_System.ResourceId
    where LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%aresgalaxy%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%bearshare%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%bittornado%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%bittorrent%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%bitspirit%"
       or (LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%emule%"
           and LOWER(SMS_G_System_SoftwareProduct.ProductName) not like "%emulex%")
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%filetopia%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%grokster%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%imesh%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%kazaa%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%limewire%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%mirc%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%mldonkey%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%morpheus%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%shareaza%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%sharep2p%"
       or LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%utorrent%"
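The product query above shows which machines have mIRC but not what the file is called on disk. As an added example (not part of the original post), the following WQL narrows the result to renamed copies by listing inventoried files whose product information says mIRC while the file name is something other than mirc.exe. It assumes software inventory is collecting file details, so that SMS_G_System_SoftwareFile is populated and linked to SMS_G_System_SoftwareProduct through ProductId.

```sql
-- Added example, not from the original post.
-- Assumption: SMS_G_System_SoftwareFile is populated by software inventory
-- and shares ProductId with SMS_G_System_SoftwareProduct.
select SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Name,
       SMS_R_System.LastLogonUserName,
       SMS_G_System_SoftwareProduct.ProductName,
       SMS_G_System_SoftwareFile.FileName,
       SMS_G_System_SoftwareFile.FilePath,
       SMS_G_System_SoftwareFile.FileVersion
from SMS_R_System
inner join SMS_G_System_SoftwareProduct
    on SMS_G_System_SoftwareProduct.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_SoftwareFile
    on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId
-- Tie each file row to its own product row, then keep only the mismatches:
-- product information says mIRC, file name says something else.
where SMS_G_System_SoftwareFile.ProductId = SMS_G_System_SoftwareProduct.ProductId
  and LOWER(SMS_G_System_SoftwareProduct.ProductName) like "%mirc%"
  and LOWER(SMS_G_System_SoftwareFile.FileName) != "mirc.exe"
```

A row showing explorer.exe with a FilePath under Windows\System32 is the masquerade described at the top of this page. Remove the comment lines if the query editor rejects them.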
