
Mirkforce is **NOT** a virus, i.e., it doesn't replicate itself, it does not "propagate". Rather than that, mirkforce is a "clone flooder" type IRC client that will load heaps of virtual interfaces on your box and make clones join IRC thru them (it will typically try to load as many interfaces as possible in your local class C subnet.)

I repeat: Mirkforce is NOT a virus

Don't spread false and inaccurate info, please.

Mirkforce may however be part of or contained in <insert your favorite rootkit name here>

Cheers
Chris

   .-.
   /v\    L   I   N   U   X
  // \\  >I know KungFu!!<
 /(   )\
  ^^-^^

Delia Wakelin <d.wakelin@unn.ac.uk>
28.01.2002 09:18
To: suse-security@suse.com
Cc:
Subject: [suse-security] mirkforce

recently received the message below. Is mirkforce a problem for suse?

-->

We are currently dealing with an outbreak of hacked Linux boxes running "Mirkforce". Mirkforce is an IRC virus, which is spreading rapidly. We are unsure as to how it propagates, but essentially once a hacked Linux box launches the software, it will fill all the unused IPs of the network where the computer is located (the /24) by creating virtual aliases on the main interface. After that it will just simulate x connections from each IP, and will target one or more IRC servers and probably be used in some action against some users/channels.

Computers examined were root kitted and some DDOS tools were installed and activated on them.

**PLEASE** search the Linux servers on your network, and if you have some machines logging ARP changes or similar, try to find the server which suddenly stole IPs from other servers. This software is probably running only on Linux (all the versions found were for Linux). Search the Linux machines running recently reported holed daemons (named, rpc, ftpd, etc.) and try to find suspicious accesses and to reinstall/remove useless daemons. Usually the server hacked will be one of the not listed ones; it seems that mirkforce is not using the primary IP of the hacked server.

Output from the help of the software:

  ./mIRKfORCE -h
  mIRKfORCE 2.o [+0wnz] by ipLord, this copy is registred to haschmannen
  usage: mIRKfORCE [options]
  flag <arg> : explanation [default]
  --------------------------------------------
  -i <interface> : Interface [eth0]
  -t <secs> : h0st check timeout [7]
  -h : This help (also try /help once inside)
  -r : Remove all IPaliases created by mIRKfORCE
  -v : Verbose mode, print common irceventz fer the klonez
  -d : Debug mode (lotsa raw ircprintouts)

As always, these problems can be avoided by running properly patched and secured machines.

Regards,
--
Dr. Delia Wakelin            Tel: 44 (0) 191 227 4958
Division of Psychology       email mailto:d.wakelin@unn.ac.uk
University of Northumbria    www http://www.unn.ac.uk/~evdw3
Newcastle upon Tyne NE1 8ST

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
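
The alias behaviour described in this thread (one interface suddenly holding many addresses in a single /24) can be checked on a host from its address listing. The following is an added example, not part of the original messages: it parses `ip -o -4 addr show` output and reports any interface whose address count in one /24 reaches a threshold. The sample listing is constructed, and the threshold of 8 and the function names are assumptions.

```python
import ipaddress
import sys
from collections import Counter

# Constructed sample of `ip -o -4 addr show` output (documentation ranges):
# eth0 carries its primary address plus 40 alias addresses in the same /24.
_TAIL = "\\       valid_lft forever preferred_lft forever"
SAMPLE = "\n".join(
    ["1: lo    inet 127.0.0.1/8 scope host lo" + _TAIL,
     "2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0" + _TAIL]
    + [f"2: eth0    inet 192.0.2.{h}/24 brd 192.0.2.255 scope global "
       f"secondary eth0:{h}" + _TAIL for h in range(100, 140)]
    + ["3: eth1    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth1" + _TAIL,
       "3: eth1    inet 198.51.100.6/24 brd 198.51.100.255 scope global "
       "secondary eth1:0" + _TAIL]
)


def parse_addrs(text):
    """Yield (ifname, IPv4Interface) for each inet line of the listing."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            try:
                yield fields[1], ipaddress.ip_interface(fields[3])
            except ValueError:
                continue  # skip lines whose address field does not parse


def crowded_subnets(text, threshold=8):
    """Return sorted (ifname, /24, count) where count >= threshold.

    threshold is an assumed cut-off: a host with a handful of legitimate
    service addresses stays below it, a filled /24 does not.
    """
    counts = Counter()
    for ifname, iface in parse_addrs(text):
        net24 = ipaddress.ip_network(f"{iface.ip}/24", strict=False)
        counts[(ifname, str(net24))] += 1
    return sorted((i, n, c) for (i, n), c in counts.items() if c >= threshold)


if __name__ == "__main__":
    # Usage: ip -o -4 addr show | python3 alias_check.py
    listing = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ifname, net, count in crowded_subnets(listing):
        print(f"{ifname}: {count} addresses in {net}")
```

On a host that was root kitted, local tools such as `ip` may themselves have been replaced, so a result from this check is best compared with ARP logs collected elsewhere on the network.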