Email-Worm.Win32.Scooter

Class Email-Worm
Platform Win32
Description

Technical Details

This is an Internet worm that spreads in infected e-mails and sends its copies to IRC channels. The worm itself is a Windows executable file about 200K in length, written in Microsoft Visual C++. It was discovered in the wild in September 2000 in a compressed form about 170K in length (compressed with the PECompact utility).

The worm is related to the “Scrambler” Internet worm.

When an infected file is executed, the worm creates a copy of itself in the Windows system directory. That file has a random 5-letter name, for example: BJEFG.EXE, FBHGE.EXE. This copy is used later to send the worm to the Internet and to IRC channels.

To spread to IRC channels, the worm infects the mIRC client by creating (or overwriting) a SCRIPT.INI file in the standard mIRC directories on all drives from C: through F:. The affected files appear as the following (relative to the drive root):

\mirc\script.ini
\PROGRA~1\mirc\script.ini

The worm writes a short script there that sends a copy of the worm to each user who enters the infected channel.

To send infected e-mail messages, the worm creates the SCOOTER.VBS Visual Basic Script program in the Windows system directory. This script connects to MS Outlook and sends e-mail messages to the first 90 users in the MS Outlook address book. The messages carry an infected attachment (a copy of the worm), and the subject is:

Faster.. harder.. your PC will run like a scooter!

The message body is empty. The worm then runs this script, and as a result spreads across the Internet.

To prevent duplicate sending, the worm creates the SCOOTER.SYS file in the Windows system directory and writes the following text there:

Faster.. harder.. scooter!

If such a file already exists (with any data inside), the worm skips sending infected e-mails.

To disguise its activity, the worm extracts the SCOOTER.MP3 music file from its body and opens it.
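As an added example that is not part of the original description, the following Python checker applies the dropped-file indicators listed above (SCOOTER.VBS and SCOOTER.SYS with its marker text in the system directory, a 5-letter .EXE there, and SCRIPT.INI in the mIRC locations on drives C: through F:) to a constructed directory listing. The Windows system directory path is an assumption, and the mIRC paths assume the backslash-separated reading of the two entries above.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
SYSTEM_DIR_FILES = {"SCOOTER.VBS", "SCOOTER.SYS"}
SYS_MARKER = "Faster.. harder.. scooter!"        # text written to SCOOTER.SYS
RANDOM_EXE = re.compile(r"^[A-Z]{5}\.EXE$")      # e.g. BJEFG.EXE, FBHGE.EXE
# Drive-root mIRC paths the worm overwrites on C: through F: (uppercased for comparison).
MIRC_SCRIPT_PATHS = {
    f"{d}:\\{sub}SCRIPT.INI" for d in "CDEF" for sub in ("MIRC\\", "PROGRA~1\\MIRC\\")
}

def scan(listing, system_dir="C:\\WINDOWS\\SYSTEM"):
    """listing maps a full Windows path to its text content (or None if not read).
    system_dir is an assumed location; pass the real one on the host being checked.
    Returns a list of (path, reason) findings."""
    findings = []
    sysdir = system_dir.upper().rstrip("\\")
    for path, content in listing.items():
        p = PureWindowsPath(path)
        name, parent, full = p.name.upper(), str(p.parent).upper(), str(p).upper()
        if parent == sysdir and name in SYSTEM_DIR_FILES:
            reason = f"{name} dropped in system directory"
            if name == "SCOOTER.SYS" and content and SYS_MARKER in content:
                reason += " (contains the duplicate-send marker text)"
            findings.append((path, reason))
        elif parent == sysdir and RANDOM_EXE.match(name):
            # Low-confidence: the naming pattern alone can match benign files; review manually.
            findings.append((path, "5-letter .EXE in system directory (worm copy naming pattern)"))
        elif full in MIRC_SCRIPT_PATHS:
            # A legitimate mIRC install may also have script.ini here; inspect its contents.
            findings.append((path, "mIRC SCRIPT.INI in a location the worm overwrites"))
    return findings

# Constructed sample listing (not from a real infection) mixing indicators and benign files.
CONSTRUCTED_LISTING = {
    "C:\\WINDOWS\\SYSTEM\\SCOOTER.VBS": "",
    "C:\\WINDOWS\\SYSTEM\\SCOOTER.SYS": "Faster.. harder.. scooter!",
    "C:\\WINDOWS\\SYSTEM\\BJEFG.EXE": None,
    "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL": None,
    "D:\\PROGRA~1\\mirc\\script.ini": "; constructed placeholder content",
    "C:\\Program Files\\notes.txt": None,
}

if __name__ == "__main__":
    for path, reason in scan(CONSTRUCTED_LISTING):
        print(f"{path}: {reason}")
```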