; DREFIR drone killer by David "Saturn" van Moolenbroek ; Version 1.1, released 18-11-2006 -- contact me by mail for support ; Use/modify however you want, but please keep my name in it. Thank you! ; ; This snippet aims to take care of the "Ivana22", "Xandra16" type drones that ; have been plaguing various networks over the past few months. The drone is ; known as "DREFIR" in the anti-virus world (thanks ScoT), although its code ; has been reused in a number of other pieces of malware. The name DREFIR comes ; from the fact that the original code is called "IrcWorm" (latest version 1.5 ; as of writing) and is written by someone called "DR-EF". As it turns out, ; this DR-EF is a terrible coder, and as a result, his IrcWorm is full of bugs. ; ; That's where this snippet comes in. Instead of the usual kickbanning (which ; doesn't help a lot from a network perspective, and may kick real people too), ; this snippet makes use of the bugs in the drone code to actually *crash* it, ; by sending two seemingly benign notices. After a drone has crashed, it will ; either disconnect rightaway or timeout after a while, and it won't come back ; to your IRC network until it's fully restarted (e.g. because of a reboot of ; the infected PC). ; ; The usage of this snippet is pretty simple: for example, save it in your mIRC ; directory, type the mIRC command "/load -rs killdrone.mrc", and the snippet ; will automatically try to kill any drone that it sees joining a channel. As ; said, the snippet sends two notices; most likely only one of them will kill ; the drone (usually the first one), but there is no way to tell in advance: ; it depends on the optimization level that the drone code was compiled with. ; Non-drones that happen to have a drone nickname, will just see the text. ; ; The actual contents of the %msg1 and %msg2 messages are not relevant, the ; only requirement is that they be as long as possible in order to maximize ; the chance that they will lead to a crash. Do not change the contents of the ; actual notice commands though, as that may render the whole thing useless. ; ; Some variants of the drone use non-standard nicknames; if you run into one of ; those, you can use the command "/killdrone " to kill it manually. alias -l isdrone { if ($regex($1,/^([A-Z][a-z]++)[12]\d$/)) && ($istok(Anita April Ara $& Aretina Amorita Alysia Aldora Barbra Becky Bella Briana Bridget Blenda $& Bettina Caitlin Chelsea Clarissa Carmen Carla Cara Camille Damita Daria $& Danielle Diana Doris Dora Donna Ebony Eden Eliza Erika Eve Evelyn Emily $& Faith Gale Gilda Gloria Haley Holly Helga Ivory Ivana Iris Isabel Idona $& Ida Julie Juliet Joanna Jewel Janet Katrina Kacey Kali Kyle Kassia Kara $& Lara Laura Lynn Lolita Lisa Linda Myra Mimi Melody Mary Maia Nadia Nova $& Nina Nora Natalie Naomi Nicole Olga Olivia Pamela Peggy Queen Rachel $& Rae Rita Ruby Rosa Silver Sharon Uma Ula Valda Vanessa Valora Violet $& Vivian Vicky Wendy Willa Xandra Xylia Xenia Zilya Zoe Zenia, $& $regml(1),32)) return $true return $false } alias killdrone { var %msg1 = Hello $1 $+ .. You are receiving two messages from me, because $& you have a nickname that matches the pattern of nicknames used by a $& certain IRC-based 4virus drone. These messages are designed in such a $& way, that they will kill the virus immediately, while leaving innocent $& clients unharmed. If you can read this, then you must be a real person, $& and not a virus. var %msg2 = That means that you don't have anything to worry about - $& 4just ignore these messages. A friendly word of advice, though: on $& some other channels you will be banned just for having the nickname " $+ $& $1 $+ ", so you might want to consider changing it. But of course, $& that's entirely up to you. Alright, we're done here, you're clear - $& 4thank you, and have a nice day! .notice $1 [: DRONE STOPPING :] %msg1 .notice $1 [: DRONE KICK ### $replace(:] %msg2,$chr(32),$chr(160)) } on !*:JOIN:#:{ if ($isdrone($nick)) killdrone $nick }