Home | Spyware List | Search Spyware | Bookmark | Link to us
spyware removal instructions
> Spyware Encyclopedia Page 96 > Noob

Noob removal

Spyware Noob Information
Name: Noob
Category: IRC Killer
Date: 2001-09-29
Author: DoC
Dangerous: Yes
Noob belongs to IRC Killer spyware category.
An HTML-based spy Trojan. It's presense means that your computer is infected with malicious software and is insecure.
Noob description by DoC:
Uses an IRC connection to control it, therefore bypassing firewalls. Uses ActiveX. Victim must be running Internet Explorer 4.0 SP1 or 5.0. What is it? A spy Trojan horse. What´s so special about it? The ability to bypass any type of firewall (i.e AtGuard, Conceal & Proxy servers and Wingates). I think that firewalls are the greatest barriers to Trojans. With Noob this problem is solved! :-) The file is not an executable. It is an HTML based Trojan. If you can figure out my spaghetti code, then you can customize the Trojan because I wrote everything in scripting language so that it doesn´t have to be an *.Exe (Nobody seems to accept Exe any file these days). I am not selfish but please don´t forget to give me credits for any modifications you make on Noob. You can spy on your target´s conversation in real time & send messages to people from his nickname without him/her seeing what you sent. Limited ability to write/read from any file using commands such as ´/write´ in mIRC. It looks like anything except a Trojan. Noob is ideal to send to your girlfriend, if you think she has not being totally loyal :P, because it is in the form of a byoootiful lil love animated card. Aint that sweet? What are the main drawbacks? (I don´t claim that Noob is perfect) The victim must be using MS Internet Explorer 4.0 SP1 or 5.0 The person must click on ´yes´ when prompted if he/she wishes to allow ActiveX objects to be accessed by scripts. (but since browsers often display silly dialogs some people just click on ´yes´ without even reading it. And besides I make it seem that the card uses ActiveX so that they think it´s necessary to enable it) By default ActiveX controls are disabled when surfing over Internet Zones therefore this Trojan can not be used on a Web-site. Don´t even think of sending it via HTML-based E-mails like hotmail as an attachment, unless you zip it 1st, because when the target opens the mail it´ll still be over an internet zone therefore it wouldn´t work. How should I send it? Since Noob was designed for IRC users you could send it via DCC. Zip the file 1st & then send it through E-mail. This forces them to download it before viewing. The above solutions are only proposed scenarios. You can send the file anyway you wish but just remember that it must be viewed off the web. Full Details The main reason why I made this version of Noob is because it´s not affected by the use of Firewalls. Even if the victim uses a firewall to filter incoming & outgoing traffic via his ports, Noob 3.0 will not be affected as it forwards & receives via an IRC connection. Additionally to this there´s no need to use telnet or netcat in this version. All commands made to be issued directly from your own mIRC window (see point 6). With this mail comes an attachment file called "AnimatedCard.htm". This is the Trojan itself. The particularity of this Trojan is that there´s no need for the victim to run an executable (*.exe file) because many people have grown suspicious about them. Instead of that the victim just has to open an HTML file & click "YES" at a not-at-all scary warning dialog. Here´s a scenario: 1. Send it as a mail attachment after having zipped it. 2. Once the victim opens that page he/she´ll be prompted to Accept Initialization of an ActiveX Control (this is the sticky part). If the victims clicks on "YES" then he/she´ll be infected. * Note once again that this only works on Internet Explorer 4.0 SP1 or 5.0 actually* 3. Assuming that the Victim clicks on "YES", the Trojan will scan his Hard Disk & search for any mIRC scripts or plain mIRC presence. Once it finds a version of mIRC it contaminates it with a "script.ini" like Trojan called Noobini.ini. 4. When your victim connects to IRC all you´ve to do is type: /ctcp {your victim´s nickname} gravity3 If the victim was successfully infected then you´ll receive a message from him saying "Noob Active". 5. Now all you´ve to do is sit & wait to see whatever the victim is typing in his mIRC including his Nickserv or Chanserv PASSWORDS (on Dalnet) !!! Everything will be sent to you in the query window. 6. You can also issue commands to the mIRC of the victim by simply typing commands in your mIRC window as shown below... for example you could type: (a). To see the victim´s nick changed to "I-Am-A-Bitch" type: /ctcp {your victim´s nickname} /nick I-Am-A-Bitch (b). To drop the victim´s nickname if he´s identified type: /ctcp {your victim´s nickname} /nickserv drop {The victim´s current nick} (c). To make the user banned from a channel try this ;) /ctcp {your victim´s nickname} /msg {#channel name} I think you are all too lame. F*ck you all! (d). To get an Fserve Running try using the FSERV command... more on that in the mIRC help file. This command can turn out to be useful if you wanna download or upload file to the victim such as a Back Orifice server in the "Startup" folder. The possibilities to this are only limited to mIRC commands that exist. It is as if you were in the place of the user. (e). If you wanna say smth to a person from the victim´s behalf try this out. -Let us imagine that your target is called John & he is talking to someone called Ann & that you want Ann to think that John is really a piece of shit. Do the following...- /ctcp John //raw PRIVMSG Ann :Whenever I see you I feel so horny. I just can´t figure out why! How much would you steal for a night bitch? -Now you can imagine what´s going on in Ann´s mind but poor John will probably never understand why Ann thinks he is such a jerk since John never saw what message you sent Ann from his nickname. :P 7. To stop spying on the victim just type: /ctcp {your victim´s nickname} gone ------------------------------------------------------------------------------------------------- I explained this in detail in this document but in fact its much easier than it sounds: 1. Send the victim the file 2. Let him/her open it. 3. Connect to their PC & have fun!! Personal Notes: If you find smth that can help enhance Noob please let me know. I would really welcome stuff like overflows that could disable the message or any other miracle of that kind. Noob really screwed my life up. I lost my best friend coz of that... Be careful with it. Spying is not worth it if the user trusts you. Designed by |SHAD0W| Copyright ® 1999 [SHADOW]. All rights reserved.
This IRC Killer is also known as:
destructive program - named by F-Prot.
Generic trojan - named by McAfee.
Trj/IRC.Noob.31 - named by Panda.
Trojan.IRC.Noob.31 - named by Kaspersky.
Trojan.VBS.Noob - named by a.
Win32/Noob.31!Trojan - named by Computer Associates.

>> Delete Noob automatically - Download Spyware Doctor

Noob Removal Instructions
Kill the following processes
noob 4.0.exe, noobfilter.exe
Remove the following files
animcard.htm, noob 4.0.exe, noob 4.0.ex_, noob documentation.do_, noobfilter.exe, noobfilter.ex_, readme first!!.htm, setup.lst, setup1.ex_.

Bookmark Noob page

 Previous Spyware: Remove Noname Trojan 1.0 Next Spyware: Remove Noob 3.0
© 2005-2008 www.spywaredb.com All rights reserved. webmaster@spywaredb.com