Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published: 11 May 1998 03:00:00
Description created: 27 Nov 1999 03:00:00
Description updated: 16 Nov 2001 12:05:00
Malware type: WORM
Alias:
Spreading mechanism: FILE_INFECTION, IRC
Summary: None

MIRC/DMSetup.Worm

Spreading

The "dmsetup.exe" file is a worm that spreads from one mIRC user’s computer to the next by infecting the mirc.ini file and other files on the computer. It changes the mIRC remote scripts so that the worm is sent to anyone who joins a channel the infected mIRC user is in. The transfer uses DCC, the IRC file transfer protocol.

Many different filenames are used to circulate the "dmsetup.exe" worm. You should be suspicious of any file you are sent with a .exe extension: chances are it is a renamed "dmsetup.exe". In addition, some variants of this worm change their own name with every infection. In this document the worm is referred to only as DMSetup.

Payload Details

n/a

Analysis

n/a

Removal

There are two main removal scenarios, depending on whether mIRC is installed on the C: drive or not.

If you have mIRC installed on your C: drive

1. Unload mircrem.ini by typing /UNLOAD -RS MIRCREM.INI in any mIRC window.
2. Open C:\AUTOEXEC.BAT with Notepad and remove the DMSetup line. Save and exit.
3. Delete the following files:
   C:\DMSETUP.EXE
   C:\CONFIGG.SYS
   C:\MIRC\DMSETUP.EXE
   C:\MIRC\MIRCREM.INI
   C:\MIRC\BACKUP0412.INI
   C:\WINDOWS\DMSETUP.EXE
   C:\PROGRAM FILES\DMSETUP.EXE
   C:\MIRC.INI

If you do not have mIRC installed on your C: drive

1. Open C:\AUTOEXEC.BAT with Notepad and remove the DMSetup line. Save and exit.
2. Delete the following files:
   C:\DMSETUP.EXE
   C:\CONFIGG.SYS
   C:\MIRC
   C:\WINDOWS\DMSETUP.EXE
   C:\PROGRAM FILES\DMSETUP.EXE

How to avoid getting infected?

1. Do not use AutoGet. Type /sreg ASK in any mIRC window.
2. Accept DCC files only from people you know.
3. Never accept DCC files with the extension ".exe" or ".ini", even if you know the sender well, unless you have discussed the contents of the file first and are certain it is not dangerous.
4. Go to your "DCC" menu, select "options", click on the "send" tab and make sure the "Show get dialogue" option is marked. Click the "okay" button to save.


Last Updated: 12 Nov 2015 11:06:13