ZAnet Help: judgement day


		Home About News Help Rules Servers People Channels Services Stats Anti-Virus

Help: judgement day

This Javascript worm will look for mIRC and create the two files DEFAULT.INI and DEFAULT2.INI. The MIRC.INI is then modified to load the two INI files.

The JavaScript file then copies itself to "C:\WINDOWS\WIN.JS" and modifies the registry so that WIN.JS loads every time Windows starts.

The JavaScript then displays the message "[JavaScript file name] appears to be corrupted. If this file was downloaded, try redownloading it."

The DEFAULT.INI and DEFAULT2.INI contain several backdoors into mIRC, which give an attacker complete control over the computer. The mIRC scripts try to propagate the worm further, by sending the javascript file under semi-random file name ending with ".jpg.js".

Please follow these instructions to manually remove this worm:

Delete win.vbs
Delete win.js
Delete default.ini, default1.ini and default2.ini from the mIRC folder and from C:\
Delete mirc.ini or manually edit to remove references to default1.ini and default2.ini
Locate and remove the original .vbs and .js

No file fix is available for this virus.