Parent class: Malware
Malicious tools are malicious programs designed to automatically create viruses, worms, or Trojans, conduct DoS attacks on remote servers, hack other computers, etc. Unlike viruses, worms, and Trojans, malware in this subclass does not present a direct threat to the computer it runs on, and the program’s malicious payload is only delivered on the direct order of the user.Read more
Class: VirTool
VirTool programs can be used to modify other malicious programs so that they cannot be detected by antivirus software.Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Description
Technical Details
This is an Internet worm virus that spreads in infected e-mails, sending its copies to IRC channels, and infecting Windows EXE files on a local machine. The worm itself is a Windows executable file about 70K in length written in Microsoft Visual C++.
When an infected file is executed, the virus creates its "dropper" (a file with pure virus code) in the Windows system directory. This file has a random 5-letter name, for example: HIJDE.EXE. This file is used later to send virus copies to Internet and IRC channels.
The virus then scans the Windows directory, looks for Windows executable .EXE files and infects them by writing the virus code to the top of the file. The virus avoids infecting files with names that begin with any of the following letters: E, P, R, T, W. The virus then infects all EXE files in the C:MIRCDOWNLOAD directory, if it exists in the system.
Next, the virus infects the mIRC client to send its copies to IRC channels as well as MS Outlook to spread with e-mail messages.
To infect the mIRC client, the virus tries to create (overwrite) a SCRIPT.INI file in standard mIRC directories on all drives from C: to F:. The infected file names appears as follows:
mircscript.ini
PROGRA~1mircscript.ini
The worm writes a short script to there that sends its "dropper" to each user that enters the infected channel.
The virus creates the SCRAMBLER.VBS VisualBasic in the Windows system directory and writes to there a script program that connects to MS Outlook and sends e-mail messages to the first 90 users from the MS Outlook address book. The messages have an infected attachment (virus "dropper"); the subject is "Check this out, it's funny!"; and the message body is empty. The virus then spawns that script, and spreads to the Internet as a result.
The virus then creates the WINSTART.BAT file in the Windows directory and writes two commands to there that clear the screen and display the following message when that file is executed:
Today..
I'm going to scramble your mind..
The virus also creates the SCRAM.SYS file and saves the text to there:
Scrambler
by Gigabyte
The virus also scans drives for MP3 files and corrupts them.
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com