Elspy.worm
- Type: Virus
- SubType: mIRC Worm
- Discovery Date: 11/10/1999
- Length: Varies
- Minimum DAT: 4052 (11/17/1999)
- Updated DAT: 4813 (07/24/2006)
- Minimum Engine: 5.1.00
- Description Added: 05/01/2001
- Description Modified: 05/01/2001 9:44 AM (PT)
Characteristics
This is a family of worms that use the mIRC Internet Relay Chat software to send executable files to other mIRC clients.
When run, the worm drops the following files into the system:
ANNE.JPG.exe
CUTEJANY.doc
DRAGON.exe
DELARMGO.exe
EL15_BMP.exe
EL16.JPG.exe
JANY.JPG.exe
MARIE.exe
MARIE42.doc
WINUCKI.ocx
The worms were originally distributed under the names above. The .DOC files carry the EXE component embedded in the document; if that component is executed, the worm activates.
C:\SCRIPT.INI is created and the following attributes are cleared: -r -s -h
This SCRIPT.INI file is copied to the C:\WINDOWS\HELP folder, and the attributes +r +s +h are set on C:\SCRIPT.INI and C:\MIRC\SCRIPT.INI.
The worm will then create a file named JANY.COM in the following directories:
C:\
C:\Progra~1\ folder
C:\Windows
One of the following 3 files is created:
C:\WINDOWS\EL16.JPG.exe
C:\WINDOWS\ANNE.JPG.exe
C:\WINDOWS\JANY.JPG.exe
A registry run key is created to run the AUTOEXEC.BAT file when Windows loads:
HKLM\Software\Microsoft\Windows\CurrentVersion\run
Symptoms
Presence of any of these files:
ANNE.JPG.exe
CUTEJANY.doc
DRAGON.exe
DELARMGO.exe
EL15_BMP.exe
EL16.JPG.exe
JANY.COM
JANY.JPG.exe
MARIE.exe
MARIE42.doc
WINUCKI.ocx
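The symptom list above can be turned into a simple file-system sweep. The following Python sketch is an added example, not part of the original description or any vendor tool: it matches the listed file names case-insensitively, flags SCRIPT.INI copies for manual review, and adds a generic double-extension heuristic that is an assumption beyond this page. The sample directory tree is constructed.

```python
import os
import re
import tempfile

# File names listed on this page (Characteristics / Symptoms), lower-cased.
ELSPY_NAMES = {
    "anne.jpg.exe", "cutejany.doc", "dragon.exe", "delarmgo.exe",
    "el15_bmp.exe", "el16.jpg.exe", "jany.com", "jany.jpg.exe",
    "marie.exe", "marie42.doc", "winucki.ocx",
}
# Generic heuristic (an addition, not from the page): a document or image
# extension followed by an executable one, e.g. "x.JPG.exe".
DOUBLE_EXT = re.compile(r"\.(jpe?g|bmp|gif|doc|txt)\.(exe|com|bat|scr|pif)$", re.I)


def scan(root):
    """Walk root and return sorted (reason, relative_path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower() in ELSPY_NAMES:
                findings.append(("listed-name", rel))
            elif DOUBLE_EXT.search(name):
                findings.append(("double-extension", rel))
            elif name.lower() == "script.ini":
                # The page says the worm writes SCRIPT.INI; flag it for
                # manual review rather than treating it as a definite hit.
                findings.append(("review-script.ini", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: empty files laid out as the page describes."""
    for rel in ("SCRIPT.INI", "JANY.COM", "WINDOWS/EL16.JPG.exe",
                "WINDOWS/HELP/SCRIPT.INI", "MIRC/mirc.ini",
                "DOCS/holiday.bmp.scr", "DOCS/report.doc"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for reason, rel in scan(tmp):
            print(f"{reason:18} {rel}")
```

A name match is only a lead; confirm any hit with a current scanner before deleting files.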
Method of Infection
The worm uses the mIRC Internet Relay Chat software to distribute itself to IRC users.
Removal
Use current engine and DAT files for detection and removal. AVERT recommends the following course of action for prevention:
IRC File Distribution Prevention Method
Always use caution when receiving files from others on IRC channels. Although a percentage of files are safe, sharing of files is the common breeding ground for virus spreading and distribution. Use these common usage rules to minimize the risk of receiving or spreading a virus:
* Only accept files from people that you know and trust. Never accept files from people you don't know and never accept files without knowing their full purpose.
* Files with executable extensions such as .BAT, .EXE, .COM, .HLP, .DLL should never be accepted from others, as they have the most potential to cause problems or be infected.
* Scripts should not be accepted from others you do not know. Automation is another factor in the distribution of viruses and trojans.
* Files which support macros should not be accepted, or if they are accepted, make sure to have macro virus protection enabled. If you are unable to verify if macro virus protection is enabled, use alternate viewers such as QuickView or Wordpad as they do not support macros. Office97 applications have viewers available from Microsoft such as Word97 Viewer. Using alternate viewers will minimize the risk of spreading macro virus infections.
* Use antivirus software to scan all files received on IRC channels. This is not a sure-fire way of detecting all viruses; however, known viruses can be prevented from running if vigilant scanning techniques are used.
* Some IRC software applications such as mIRC support security settings or options to disable certain functions such as "send" or "get" and commands such as "/run" and "/dll". AVERT recommends setting these options if applicable. If your application supports changing options on "DCC" settings, choose to prompt or ignore requests for file send or receive transactions.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- IRC-Worm.Docirc.b (AVP)
- IRC.Marie (CA)
- mIRC/DOCIRC-B (Sophos)
- mIRC/Marie.B (Panda)