The original version of this page is at <http://www.irchelp.org/irchelp/security/si.html>
1. What is SCRIPT.INI?
1.1 Is SCRIPT.INI a virus?
1.2 Is SCRIPT.INI a trojan horse?
1.3 Are any other IRC clients vulnerable?
2. What if I have SCRIPT.INI?
2.1 How do I know if I have SCRIPT.INI?
2.2 How do I get rid of SCRIPT.INI?
2.3 How can I prevent getting SCRIPT.INI?
2.4 But Auto-DCC-Get is convenient!
2.5 How can I prevent this from happening in the future?
3. Miscellaneous Questions.
3.1 What will SCRIPT.INI do to my computer?
3.2 Will it hurt other files on my hard drive?
3.3 Will it affect other copies of mIRC?
3.4 Why would someone send me this thing?
SCRIPT.INI is an mIRC script that is currently circulating the major IRC networks at epidemic proportions. It is filled with commands to allow others to control your IRC session, watch your conversations, and disrupt your IRC session.It takes advantage of two potential security holes in the mIRC client, auto-DCC-get, and the automatic execution of files named SCRIPT.INI in the mIRC directory.
There have been reports of the file circulating under a different name.
It is important, then, to make sure that you know the purpose of all the
files in your mIRC directory. If you find .ini or .mrc files that you don't
recognize, open them up in a text editor such as Notepad. If you still don't
recognize them, delete them.
The easy way to remove it is to type /remove script.ini to delete it from your
mIRC directory. However, this doesn't always work. If you see the message,
If you see the message,
And read on, we're not done yet...
The other option, of course, is to just use the Show get dialog option,
which necessitates a watchful eye to ensure you don't accept scripts like
SCRIPT.INI. Don't get into the habit of automatically hitting "OK".
1.1 Is SCRIPT.INI a virus?
SCRIPT.INI is not a virus. Viruses reproduce on their own. SCRIPT.INI
has to be willingly accepted by its host before reproducing. Even though
it most commonly is transmitted over auto-DCC-get, since users have to
turn on auto-DCC-get, it is not reproducing "on its own".
1.2 Is SCRIPT.INI a trojan horse?
It could be considered a trojan horse. In the case where a user
sees someone sending them a script, and runs the script without examining
it first to see what it does, SCRIPT.INI acts as a trojan horse. However,
in the case of it being received with auto-DCC-get, it is not a trojan horse.
1.3 Are any other IRC clients vulnerable to SCRIPT.INI?
SCRIPT.INI itself is in mIRC's scripting language, so only mIRC is vulnerable
to this particular script. However, this sort of exploit has been used for years
against the Unix IrcII client (as well as a similar exploit that would allow
an intruder to log in to your account without a password). Now that someone has
had this amount of success in circulating a backdoored script, it
could be expected that versions for other
popular clients will soon appear. The directions below for prevention should be
taken into consideration by all IRC users.
[Return to top]
2. What if I have SCRIPT.INI?
Quite simple: if you have it, delete it, and take steps to make sure that you
don't get it (or a similar problem) again. :) How exactly that is done
is detailed below.
2.1 How do I know if I have SCRIPT.INI?
The easiest way to see if you have SCRIPT.INI is to have someone tell you that
you are trying to send it to them. Failing that, you can look in your mIRC
directory for a file named script.ini. Or, in either File Manager or Win95's
Find File, you can search for script.ini over your whole hard drive.
2.2 How do I get rid of SCRIPT.INI?
When you find (or are told) that you are trying to send SCRIPT.INI to other people,
type /events off. This will stop the script from working -- but it is still
on your computer and loaded into mIRC.
*** Removed c:\mirc\script.ini
then you can rest assured that the
offending file was removed. Close mIRC and restart.
***/remove:no such file c:\mirc\script.ini
then
the file was not removed. Quit mIRC, and use File Manager or Explorer to delete
the file by hand from your mIRC directory.
2.3 How can I prevent getting SCRIPT.INI?
The first precaution to take is to ensure that Auto-DCC-Get is disabled. Under
the DCC menu, choose Options... and then the Send tab. The
safest option is to choose Ignore -- and that way you won't be bothered
with dialog boxes when other people try to send you SCRIPT.INI. Of course, this
means having to go in and change the setting to Show get dialog when you
want to let someone send you a file. This is worth the trouble.
2.4 But Auto-DCC-Get is convenient!
This is true, but SCRIPT.INI is not the only way of exploiting the Auto-DCC-Get
feature. Since listing other ways here would serve as a menu of possible attacks,
you'll have to use your imagination. All and all, anything automatic that allows
other users to write to your hard drive is a bad thing.
2.5 How can I prevent this from happening in the future?
The general answer to this question is, "don't use anything you
don't understand." The longer version of that answer is, "If you
don't understand what every single line in a script is, don't use it."
[Return to top]
3. Miscellaneous Questions
3.1 What will SCRIPT.INI do to my computer?
An incomplete list of SCRIPT.INI "features":
3.2 Will it hurt other files on my hard drive? The hard drive itself?
SCRIPT.INI will not hurt other files on your hard drive. However, it allows
malicious users to read, write and delete from your hard drive. SCRIPT.INI
will not damage your hardware. This does not guarantee that no future similar
exploits will not be capable of damaging hardware.
3.3 Will it affect other copies of mIRC?
If you have multiple copies of mIRC in separate directories, infection of one
will not cause the others to be infected. However, the preventative steps above
should be followed for each copy of mIRC you have.
3.4 Why would someone send me this thing?
It is easy to get angry at the people that try to send you SCRIPT.INI. Please
keep in mind that they probably don't know that they are trying to send it, and
instead of getting angry at them, or kickbanning, or worse yet attacking them
back, please alert them of the problem and send them to #Services.
[Return to top]