Help: exbuz

Once run, the trojan copies itself to C:\Windows\ using a random file name from the list above.

It creates a file called profiles.ini in C:\mirc\ and changes mirc.ini to load it the next time mIRC is run. Profiles.ini replaces these default mIRC commands:

• /unload
• /remove
• /remote
• /events
• /sreq

making it harder to remove profiles.ini in mIRC.

When you connect to IRC, a notice is sent to #lb_world telling the remote user the server the infected person is connected to. Anyone that joins a channel that the infected person is on will automaticly be sent the trojan. When the file transfer of the trojan is successfully completed, the trojan sends another notice to #lb_world, saying the file name of the trojan sent and both the nickname and address of the person who recieved it.

Manual Removal:

• Open Windows Explorer or File Manager.
• Navigate to c:\mirc\ click on profiles.ini and press DEL on your keyboard and confirm that you want to delete the file.
• Click Tools, Find, Files or Folders (Windows 9x), of File, Search, (Win 3.x)
• Enter each of these files names in to the search dialog box one by one and press enter.
  • com.exe
  • yourway.exe
  • megamirc.exe
  • photo.exe
  • viagra.exe
  • pppboost.exe
  • grana.exe
  • emails.exe
  • overnuke.exe
  • putas.exe
  • sexy.exe
  • nukescan.exe
  • soueu.exe
  • videosex.exe
  • system.exe
  • mirc.exe
  • mirc41.exe
  • mirc40.exe
  • ninja38.exe
  • ninja37.exe
  • ninja40.exe
  • dusk.exe
  • darksk~1.exe
  • darkskie.exe
  • zumbigas.exe
  • sphere.exe
  • matchbox.exe
  • hell31s.exe
  • avala8.exe
  • dark.exe
  • nep.exe
  • nep45.exe
• In any matching files are found, delete them.
• Repeat the process until you've searched for, and deleted all the filenames.
• Run mIRC, Click Dcc, Options, Fserve and check Display Fileserve Warning.
• Click Ok

A file fix is available for this virus. Before downloading, please read our disclaimer on all software downloadable from this site. Download it here.