Classification

Category: Malware

Type: Worm

Aliases: Scrambler, IWorm_Scrambler, I-Worm.Scrambler

Summary

Scrambler is an Internet worm-virus that spreads in email attachments, sends copies of itself to IRC channels, and infects Windows EXE files on the local machine. The worm itself is a Windows PE executable, about 70Kb long, written in Microsoft Visual C++.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When the worm's file is run for the first time, it creates its dropper (a file containing only the worm's code) in the Windows system directory. This file has a random 5-letter name, for example: HIJDE.EXE. The file is used later to send copies of the worm to the Internet and to IRC channels.

Then the worm scans the Windows directory, looks for Windows EXE files and infects them by writing its code to the top of the file. The worm avoids infecting files with names that begin with any of the following letters: E, P, R, T, W. Then the worm infects all EXE files in the C:\MIRC\DOWNLOAD directory, if that directory exists.

Afterward the worm modifies the mIRC client settings to send its copies to IRC channels. It modifies MS Outlook, too, to spread with email messages.

The worm tries to overwrite the SCRIPT.INI file in standard mIRC directories on all drives from C: to F: to modify the mIRC client settings. The worm writes a short script in that file to send its dropper to each user that enters an infected channel.

The worm creates the SCRAMBLER.VBS file in the Windows System directory and writes to it a Visual Basic script that connects to MS Outlook and sends email messages to the first 90 users taken from the MS Outlook address book. The messages have the worm's dropper as an attachment, the subject "Check this out, it's funny!" and an empty body. The worm then spawns that script and, as a result, spreads to the Internet.

The worm creates the WINSTART.BAT file in the Windows directory and writes two commands to that file which will clear the screen and display this message when the file is executed:

Today..
I'm going to scramble your mind..

The worm also creates the SCRAM.SYS file and saves the following text there:

Scrambler
by Gigabyte

The worm has a dangerous payload - it scans hard drives for MP3 files and corrupts them.

Variant: Scrambler.A (Scooter, I-Worm_Scooter, I-Worm.Scooter, MP3 virus)

Size: 166131

This variant of the Scrambler worm spreads as an attachment to an email message, using the Outlook application. The message has the following characteristics:

Subject: Faster.. harder.. your PC will run like a scooter!

Attachment: (random).exe

The attachment has a random 5-letter file name and the ".exe" extension. This name is randomly generated by the worm upon its first installation on an infected system. The worm itself is a PE executable packed with the PECompact file compressor.

When run, the worm copies itself with a random name to the \Windows\System\ folder, unpacks from itself the SCOOTER.MP3 file, which contains part of a song by the band "Scooter", and creates the SCOOTER.SYS file with the following text inside: "Faster.. harder.. scooter!".

It attempts to play the unpacked MP3 file if a compatible MP3 player is found on the system.

The worm replaces the SCRIPT.INI file in the mIRC installation directory. The new script file makes the IRC client spread the worm to all users of the IRC channels that an infected user joins.
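
The marker files described above for Scrambler and the Scrambler.A (Scooter) variant can be swept for on a mounted disk image or backup. The following Python script is an added example, not code from F-Secure or from the original description. The function names, the case-insensitive substring matching on the first 4 KB of each file and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# File name -> text the description says the worm writes into it (None: name is the indicator).
MARKERS = {
    "scram.sys": "by gigabyte",
    "scooter.sys": "faster.. harder.. scooter!",
    "winstart.bat": "i'm going to scramble your mind",
    "scrambler.vbs": None,
    "scooter.mp3": None,
}
DROPPER = re.compile(r"^[a-z]{5}\.exe$", re.IGNORECASE)  # random 5-letter dropper name

def read_head(path, limit=4096):
    """Lower-cased start of a file; a single-byte encoding is assumed."""
    with open(path, "rb") as fh:
        return fh.read(limit).decode("latin-1").lower()

def sweep(root):
    """Walk root and return (strong, weak) lists of paths relative to root."""
    strong, weak = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            key = name.lower()
            if key in MARKERS:
                # WINSTART.BAT can exist legitimately, so its content must match too.
                if MARKERS[key] is None or MARKERS[key] in read_head(path):
                    strong.append(rel)
            elif DROPPER.match(name) and os.path.basename(dirpath).lower() == "system":
                weak.append(rel)  # name pattern only; many clean files match it
    return sorted(strong), sorted(weak)

def demo():
    """Constructed tree: host A carries worm markers, host B has a benign WINSTART.BAT."""
    files = {
        "A/WINDOWS/WINSTART.BAT": "@cls\n@echo Today..\n@echo I'm going to scramble your mind..\n",
        "A/WINDOWS/SCRAM.SYS": "Scrambler\nby Gigabyte\n",
        "A/WINDOWS/SYSTEM/HIJDE.EXE": "MZ",
        "B/WINDOWS/WINSTART.BAT": "@echo off\nrem load network drivers\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="latin-1") as fh:
                fh.write(text)
        return sweep(root)
```

Entries in the weak list match only the 5-letter EXE name pattern in a System folder and need confirmation by a scan before being treated as the dropper.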