When the worm's file is run for the first time, it creates its
dropper (a file containing only the worm's code) in the Windows
system directory. This file has a random 5-letter name, for example:
HIJDE.EXE. The worm later uses this file to send copies of itself
to the Internet and to IRC channels.

Then the worm scans the Windows directory, looks for Windows EXE
files and infects them by writing its code to the beginning of the
file. The worm avoids infecting files whose names begin
with any of the following letters: E, P, R, T, W. Then the worm
infects all EXE files in the C:\MIRC\DOWNLOAD directory if such

Afterward, the worm modifies the mIRC client settings so that copies
of itself are sent to IRC channels. It also modifies MS Outlook in
order to spread via e-mail messages.

The worm tries to overwrite the SCRIPT.INI file in standard mIRC
directories on all drives from C: to F: to modify the mIRC client
settings. The worm writes a short script to that file that sends its
dropper to each user who enters an infected channel.

The worm creates the SCRAMBLER.VBS file in the Windows System
directory and writes to it a Visual Basic script that connects
to MS Outlook and sends e-mail messages to the first 90
users taken from the MS Outlook address book. The messages carry
the worm's dropper as an attachment; the message subject is
"Check this out, it's funny!" and the message body is empty. The
worm then runs the script and, as a result, spreads to the Internet.

The worm creates the WINSTART.BAT file in the Windows directory
and writes two commands to it that clear the screen
and display this message when the file is executed:

I'm going to scramble your mind..

The worm also creates the SCRAM.SYS file and saves the following

The worm has a dangerous payload: it scans hard drives for MP3
files and corrupts them.
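
The file artifacts described above can be checked on a mounted copy of a suspect disk. The following triage script is an added example, not part of the original description. It assumes the Windows directory is WINDOWS with its system directory at WINDOWS/SYSTEM; the SCRIPT.INI test (the script names a 5-letter EXE) is an assumed heuristic, and a 5-letter EXE name alone is only a candidate to verify.

```python
import os
import re
import tempfile

MESSAGE = b"I'm going to scramble your mind"         # text quoted in the description
NAMED = {"SCRAMBLER.VBS": "mailer script", "SCRAM.SYS": "worm data file"}
FIVE_EXE = re.compile(rb"\b[A-Z]{5}\.EXE\b", re.I)   # dropper naming pattern

def read(path, limit=65536):
    with open(path, "rb") as fh:
        return fh.read(limit)

def scan(root, system_dir="WINDOWS/SYSTEM"):
    """Return sorted (relative path, reason) pairs for artifacts under root."""
    hits = []
    for folder, _, files in os.walk(root):
        rel_dir = os.path.relpath(folder, root).replace(os.sep, "/")
        in_system = rel_dir.upper() == system_dir.upper()
        for name in files:
            path, upper = os.path.join(folder, name), name.upper()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if upper in NAMED:
                hits.append((rel, NAMED[upper]))
            elif upper == "WINSTART.BAT" and MESSAGE in read(path):
                hits.append((rel, "payload message"))
            elif upper == "SCRIPT.INI" and FIVE_EXE.search(read(path)):
                hits.append((rel, "mIRC script names a 5-letter EXE"))
            elif in_system and re.fullmatch(r"[A-Z]{5}\.EXE", upper):
                hits.append((rel, "dropper-name candidate, verify"))
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree (file contents are placeholders, not worm code)."""
    files = {
        "WINDOWS/SYSTEM/HIJDE.EXE": b"MZ",
        "WINDOWS/SYSTEM/SCRAMBLER.VBS": b"' constructed placeholder",
        "WINDOWS/WINSTART.BAT": b"@cls\r\n@echo I'm going to scramble your mind..\r\n",
        "MIRC/SCRIPT.INI": b"[script]\r\n; constructed line naming HIJDE.EXE\r\n",
        "WINDOWS/NOTEPAD.EXE": b"MZ",                    # clean control
        "WINDOWS/SYSTEM/WINSTART.BAT": b"@echo off\r\n",  # clean control
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```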