What is Winhelper?

Winhelper
Starting around Jan 10, 1998, many users of the mIRC IRC client for Windows
have suffered channel takeovers as the result of a new trojan horse program
(a file that pretends to be something good when it's really not).
Once infected, the client can be forced to do any or all of the following:

1. invite an evil-doer to any channel where you are an operator, 

2. mass deop all the other ops,  

3. op the evil-doer 

4. deop yourself or make you quit IRC

These result in a de facto takeover which does not require exploiting the server timestamp (TS), splits, or any other hacks.

HOW DID I GET INFECTED? 
The exploit is purposefully named like something that might be desirable,
such as a screensaver, a crack, or some other .exe file (examples include spoof.exe,
land.exe, etc.).

You can get it within IRC using DCC get, or you might download it by WWW or FTP.
No matter what, you need to actively get it from somewhere or somebody
(unless you foolishly have mIRC's auto DCC get turned on,
in which case anybody can send you anything at any time).

When you attempt to run the trojan, it is designed to give an error message or appear to have been a failed transfer, while actually altering win.ini and writing 2 other files. You probably assume the transfer corrupted the file and either throw the original away or just give up on it. However, by this time the exploit is already installed.

The fake mirc.ini file is put at root level on the startup drive (usually C:\), and evidently, because of this higher-level location, the fake ini file is loaded rather than the correct ini file, which is in the mirc subdirectory.

HOW DOES IT WORK? 
The evil-doers hang out on a designated special channel and wait for signs that you are
infected. The script makes your client send a /notice to the control channel when you join IRC, change nick,
and likely when you become a chanop.
The evil-doers then come to your channel and force you to turn the channel over to them
(see the 4 steps above).
Commands to the infected client are sent by /msg, prefixed with "!", and the script blocks you from seeing them.
So you hand over the channel without ever seeing that you are being msg'd
with these commands.

Diagnosing Winhelper in your System
When using your IRC client (i.e. mIRC), type the following in any mIRC window:
	//say $findfile(c:\,winhelper.exe,0)
	/run c:\windows\notepad "c:\windows\win.sys"
In the file that opens, look for a line containing winhelper.exe.
If $findfile returns a value of 1, or the file contains a winhelper.exe line, then attempt the manual fix.
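The two diagnostic checks above (an autostart line naming winhelper.exe, and a stray mirc.ini at the drive root) can be done offline against copies of the files. The script below is an added example written for this page, not part of the original page or of mIRC; it parses a win.ini-style [windows] section, reports any load=/run= entry whose file name is winhelper.exe together with the directory it lives in (the WINHELPER-DIR that the manual fix asks you to note), and checks a list of paths for a root-level mirc.ini. The sample ini text and path list are constructed for the example.

```python
"""Added example: offline checks for the two Winhelper indicators described
on the page. The sample data below is constructed, not taken from a real
infected machine."""
from pathlib import PureWindowsPath

# Constructed sample of a [windows] section with a run= line of the kind the
# page describes (run=C:\windows\winhelper.exe).
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\windows\\winhelper.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# File names the page identifies as the trojan's dropped executable.
SUSPECT_NAMES = {"winhelper.exe"}


def parse_ini(text):
    """Return {section: {key: value}} for a simple INI file.
    Section and key names are lower-cased so lookups are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(text):
    """Yield (key, program) for every program named on the [windows]
    load= and run= lines; both keys accept several space-separated programs."""
    win = parse_ini(text).get("windows", {})
    for key in ("load", "run"):
        for item in win.get(key, "").split():
            yield key, item


def find_suspect_autostart(text, suspects=SUSPECT_NAMES):
    """Return [(key, directory, filename)] for autostart entries whose file
    name matches a suspect name. The directory is what step 8 of the manual
    fix refers to as WINHELPER-DIR."""
    hits = []
    for key, item in autostart_entries(text):
        path = PureWindowsPath(item)
        if path.name.lower() in suspects:
            hits.append((key, str(path.parent), path.name))
    return hits


def rogue_root_ini(paths, drive="C:"):
    """True if any of the given paths is a mirc.ini sitting at the drive root,
    where the page says the fake ini file is dropped. `paths` is an iterable
    of path strings (constructed here; on a live system use os.listdir)."""
    root_ini = str(PureWindowsPath(drive + "\\mirc.ini")).lower()
    return any(str(PureWindowsPath(p)).lower() == root_ini for p in paths)


if __name__ == "__main__":
    for key, directory, name in find_suspect_autostart(SAMPLE_WIN_INI):
        print(f"[windows] {key}= references {name} in {directory}")
    sample_paths = ["C:\\mirc.ini", "C:\\mirc\\mirc.ini"]  # constructed
    print("root-level mirc.ini present:", rogue_root_ini(sample_paths))
```

Run it as-is to see the constructed sample flagged; to check a real machine, read the actual win.ini into `find_suspect_autostart` and pass the drive root's directory listing to `rogue_root_ini`.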

MANUAL FIX

1. type /remote off 

2. type /events off 

3. type /run c:\windows\notepad c:\windows\win.ini
Look for a line with winhelper.exe in it,
e.g. run=C:\windows\winhelper.exe
Remember the directory where winhelper.exe is located.

4. type /unload c:\mirc.ini 

5. type /unload script.ini 

6. type /remove c:\mirc.ini 

7. type /remove script.ini  

8. type /remove c:\WINHELPER-DIR\winhelper.exe (WINHELPER-DIR referring to the directory
that winhelper.exe is located in, from the line in win.ini).

9. Close mIRC (IMPORTANT), then shut down Windows, reboot, and come back to
IRC.
*** NOTE: You may need to reconfigure or reinstall mIRC in order to use it again ***

10. Now you probably need to reconfigure mIRC again.
First of all, type /NICK THE_NICK_YOU_WANT
Next go to FILE, then SETUP, then in the IRC SERVERS tab fix up the
information in there, i.e. put in your NAME (fake if you want), EMAIL (put in the correct one here),
etc.

11. Next hit the IDENTD tab and put in the PREFIX@OF.YOUR.EMAIL, i.e. if your EMAIL is
FRED@lame.com.au then put
FRED in the USERID, UNIX in the SYSTEM and PORT 113; enable the "ENABLE IDENTD
SERVER" box, hit OK, and then in any window in mIRC type /SERVER
 
12. type /titlebar I JUST LEARNT A GOOD LESSON NOT TO RUN ANY FILES I GET ON HERE!!! Thanks #virushelp
*** NOTE: IF SOMEONE SENDS YOU A FILE IN THE FUTURE, READ THE TITLEBAR!!! ***

13. type /remote on 

14. type /events on 

15. type /sreq ask 

16. type //say $findfile(c:\,winhelper.exe,0) - if this says 0 then you are fixed.
If it doesn't, retry the fix.

    Source: geocities.com/timessquare/alley/2794
