Class
VirTool
Platform
Win32

Parent class: Malware

Malicious tools are malicious programs designed to automatically create viruses, worms, or Trojans, conduct DoS attacks on remote servers, hack other computers, etc. Unlike viruses, worms, and Trojans, malware in this subclass does not present a direct threat to the computer it runs on, and the program’s malicious payload is only delivered on the direct order of the user.

Read more

Class: VirTool

VirTool programs can be used to modify other malicious programs so that they cannot be detected by antivirus software.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description

Technical Details

This is an Internet worm virus that spreads in infected e-mails, sending its copies to IRC channels, and infecting Windows EXE files on a local machine. The worm itself is a Windows executable file about 70K in length written in Microsoft Visual C++.

When an infected file is executed, the virus creates its "dropper" (a file with pure virus code) in the Windows system directory. This file has a random 5-letter name, for example: HIJDE.EXE. This file is used later to send virus copies to Internet and IRC channels.

The virus then scans the Windows directory, looks for Windows executable .EXE files and infects them by writing the virus code to the top of the file. The virus avoids infecting files with names that begin with any of the following letters: E, P, R, T, W. The virus then infects all EXE files in the C:MIRCDOWNLOAD directory, if it exists in the system.

Next, the virus infects the mIRC client to send its copies to IRC channels as well as MS Outlook to spread with e-mail messages.

To infect the mIRC client, the virus tries to create (overwrite) a SCRIPT.INI file in standard mIRC directories on all drives from C: to F:. The infected file names appears as follows:

mircscript.ini
PROGRA~1mircscript.ini

The worm writes a short script to there that sends its "dropper" to each user that enters the infected channel.

The virus creates the SCRAMBLER.VBS VisualBasic in the Windows system directory and writes to there a script program that connects to MS Outlook and sends e-mail messages to the first 90 users from the MS Outlook address book. The messages have an infected attachment (virus "dropper"); the subject is "Check this out, it's funny!"; and the message body is empty. The virus then spawns that script, and spreads to the Internet as a result.

The virus then creates the WINSTART.BAT file in the Windows directory and writes two commands to there that clear the screen and display the following message when that file is executed:

Today..
I'm going to scramble your mind..

The virus also creates the SCRAM.SYS file and saves the text to there:

Scrambler
by Gigabyte

The virus also scans drives for MP3 files and corrupts them.

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.