Attached document explains all. Rant: People using a product called 'antigen' should be shot, stabbed, and shot again. Today, more than a month after posting DSR-toppler.pl and sircd.sh, I _still_ get 5-8 emails a day saying that 'a virus have been found and quarantined'. Oh please, get a grip. And please oh please stop sending email from invalid addresses, I can't even mail you back and tell you what I think of your AV solution. -- Knud Erik Højgaard
I. BACKGROUND mIRC is "a friendly IRC client that is well equipped with options and tools" More information about the application is available at http://www.mirc.com II. DESCRIPTION The DCC GET dialog has a limited area visible for the filename. By DCC sending a file with a specially crafted filename it's possible to 'spoof' a legitimate file. III. ANALYSIS Sending a file which name consists of for example 'me.mpg' + 'about 180 "alt-0160(fakespace)"' + '.exe' leads the recieving user into believing that the file is merely a harmless mpeg file, while it is in fact an executable. mIRC has a handy 'open' button upon completion of the dcc, so unless the user actually opens the download folder and verifies the extension of the file, a compromise is possible. IIIa. MITIGATING FACTORS If the remote user has DCC ignore enabled this will of course not work. IV. DETECTION mirc 6.03 and below has been found vulnerable. V. WORKAROUND unknown VI. VENDOR FIX unknown VII. CVE INFORMATION unknown VIII. DISCLOSURE TIMELINE unknown IX. CREDIT Knud Erik Højgaard/kokanin[a]dtors.net
