VirTool.Win32.UPXScrambler

Class VirTool
Platform Win32
Description

Technical Details

This is an Internet worm that spreads in infected e-mails, sends copies of itself
to IRC channels, and infects Windows EXE files on the local machine. The worm
itself is a Windows executable file about 70K in length written in Microsoft Visual
C++.

When an infected file is executed, the virus creates its “dropper” (a file with
pure virus code) in the Windows system directory. This file has a random 5-letter
name, for example: HIJDE.EXE. This file is used later to send virus copies
to the Internet and IRC channels.

The virus then scans the Windows directory, looks for Windows executable .EXE files
and infects them by writing the virus code to the top of the file. The virus avoids
infecting files with names that begin with any of the following letters: E, P, R,
T, W. The virus then infects all EXE files in the C:\MIRC\DOWNLOAD directory,
if it exists in the system.

Next, the virus infects the mIRC client to send its copies to IRC channels as well
as MS Outlook to spread with e-mail messages.

To infect the mIRC client, the virus tries to create (overwrite) a SCRIPT.INI file
in standard mIRC directories on all drives from C: to F:. The infected file
names appear as follows:

\mirc\script.ini
\PROGRA~1\mirc\script.ini

The worm writes a short script to this file that sends its “dropper” to each user
who enters the infected channel.

The virus creates the SCRAMBLER.VBS Visual Basic script file in the Windows system directory
and writes to it a script program that connects to MS Outlook and sends e-mail
messages to the first 90 users from the MS Outlook address book. The messages have an infected
attachment (virus “dropper”); the subject is “Check this out, it’s funny!”;
and the message body is empty. The virus then spawns that script, and spreads
to the Internet as a result.

The virus then creates the WINSTART.BAT file in the Windows directory and writes
two commands to it that clear the screen and display the following message when that
file is executed:

Today..
I’m going to scramble your mind..

The virus also creates the SCRAM.SYS file and saves the following text in it:

Scrambler
by Gigabyte

The virus also scans drives for MP3 files and corrupts them.
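
The file artifacts listed above can be checked for on an extracted or mounted copy of a disk. The following triage sketch is an added example, not part of the original description; the function names, finding labels and the sample tree are constructed for illustration, and it assumes the evidence copy is reachable as an ordinary directory.

```python
import os
import tempfile

# Artifact names and text markers taken from the description above.
# Names are compared case-insensitively, as on a FAT/NTFS volume.
CONTENT_MARKERS = {
    "winstart.bat": ["scramble your mind"],
    "scram.sys": ["scrambler", "gigabyte"],
}

def scan_tree(root):
    """Walk a filesystem copy; return sorted (kind, relative path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if low == "scrambler.vbs":
                findings.append(("mailer-script", rel))
            elif low == "script.ini" and parent == "mirc":
                # A user may have their own script.ini: review it, don't auto-delete.
                findings.append(("mirc-script-review", rel))
            elif low in CONTENT_MARKERS:
                # Name alone is not enough; require the text the worm writes.
                with open(path, "rb") as fh:
                    text = fh.read(4096).decode("latin-1").lower()
                if all(m in text for m in CONTENT_MARKERS[low]):
                    findings.append(("marker-file", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: four artifacts plus one benign WINSTART.BAT."""
    files = {
        "WINDOWS/WINSTART.BAT": "@cls\n@echo Today..\n@echo I'm going to scramble your mind..\n",
        "WINDOWS/SYSTEM/SCRAM.SYS": "Scrambler\nby Gigabyte\n",
        "WINDOWS/SYSTEM/Scrambler.vbs": "' constructed placeholder, no script content\n",
        "mirc/script.ini": "; constructed placeholder\n",
        "BACKUP/WINSTART.BAT": "@echo off\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, rel in scan_tree(tmp):
            print(f"{kind:20} {rel}")
```

The randomly named 5-letter dropper is deliberately not matched by name here, since legitimate system files also have 5-letter names.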