Scrambler
Type: File virus
Creator: Gigabyte
Date Discovered: 2000.05.30
Place of Origin: Mechelen, Belgium
Source Language: C++
Platform: MS Windows*
File Type(s): .exe
Infection Length: 73,728 bytes

Scrambler is a worm-like virus. It infects Windows Portable Executable files and also sends itself over IRC and email. It comes from Belgium and was coded by Gigabyte in C++.

Behavior

When an infected file is executed, Scrambler creates a copy of its code in the Windows System folder. The file name will be five random characters along with a .exe extension. It will be used later for sending the virus through IRC channels and email.

Scrambler then looks in the Windows folder for files to infect. It avoids files beginning with the letters 'E', 'P', 'R', 'T' and 'W'. If the mIRC Download folder exists, it also infects all .exe files in that folder, regardless of what characters appear in their file names. It prepends itself to the files it infects.

If it finds one, it overwrites the SCRIPT.INI file in the standard mIRC directories on drives C:, D:, E: and F:. The virus writes a short script that sends itself to each user on the channel the infected user is on. It also creates a Visual Basic script named SCRAMBLER.VBS which will connect to MS Outlook and send a copy of itself to the user's first 90 contacts. The message will be empty and the subject will be "Check this out, it's funny!".

It then creates a file named WINSTART.BAT in the Windows folder, which blanks the screen and displays the message "Today.. I'm going to scramble your mind..". It also creates the file SCRAM.SYS that contains the text "Scrambler by Gigabyte". It also scans the hard drives for .MP3 files and corrupts them.

Variants

Scrambler.B

This variant is the only one for which the source code is available. It is mostly similar to the original, with a few negligible exceptions. It avoids files with file names beginning with the letters 'P', 'R', 'E', 'T', 'W' or 'w', as well as files with 'D' as the fourth letter or 'R' as the sixth letter.

Scooter

This variant is similar to the previous two. It is named for a band the creator was fond of. Its email message contains the subject "Subject: Faster.. harder.. your PC will run like a scooter!" and an attachment whose name is five random characters followed by .exe. The bulk of the file size is an MP3 file containing a sample of music by the band Scooter, which it unpacks to the Windows System folder. It also creates a file there named SCOOTER.SYS with the text "Faster.. harder.. scooter!".
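
The file artifacts described under Behavior and Variants can be checked for on a mounted disk or image. The following Python script is an added example, not code from the original page or from any antivirus vendor. The System folder names, the idea that the dropped copy is exactly the 73,728-byte infection length, and the sample tree are assumptions or constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File name -> text the write-up says the file contains (compared in lower case).
MARKER_TEXT = {
    "scram.sys": b"scrambler by gigabyte",
    "scooter.sys": b"faster.. harder.. scooter!",
    "winstart.bat": b"today.. i'm going to scramble your mind..",
}
NAME_ONLY = {"scrambler.vbs"}             # contents are not given in the write-up
FIVE_CHAR_EXE = re.compile(r"[^.]{5}\.exe", re.I)
INFECTION_LENGTH = 73728                  # bytes, from the infobox
SYSTEM_DIRS = {"system", "system32"}      # assumption: usual Windows System folder names

def classify(path):
    """Return a finding kind for one file, or None if nothing matches."""
    low = path.name.lower()
    if low in NAME_ONLY:
        return "name"
    if low in MARKER_TEXT:
        return "marker-text" if MARKER_TEXT[low] in path.read_bytes().lower() else None
    if FIVE_CHAR_EXE.fullmatch(low) and path.parent.name.lower() in SYSTEM_DIRS:
        # Assumption: the dropped copy is exactly the stated infection length.
        exact = path.stat().st_size == INFECTION_LENGTH
        return "dropper-size" if exact else "five-char-exe"

def scan(root):
    """Return sorted (kind, relative path) findings for every file under root."""
    hits = ((classify(p), p.relative_to(root).as_posix())
            for p in Path(root).rglob("*") if p.is_file())
    return sorted(h for h in hits if h[0])

def build_sample(root):
    files = {  # constructed tree of harmless placeholder files, no real samples
        "WINDOWS/WINSTART.BAT": b"@echo off\r\ncls\r\necho Today.. I'm going to scramble your mind..\r\n",
        "WINDOWS/SCRAM.SYS": b"Scrambler by Gigabyte",
        "WINDOWS/SYSTEM/qzkxv.exe": b"\0" * INFECTION_LENGTH,
        "WINDOWS/SYSTEM/xcopy.exe": b"\0" * 100,
        "CLEAN/WINSTART.BAT": b"@echo off\r\n",
    }
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

A "five-char-exe" finding is only a weak hint, since legitimate five-letter executables also live in the System folder; the marker-text findings are the ones tied to strings quoted in the description.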

Sources

F-Secure Antivirus, Threat Description: Scrambler. 2000.09

Gigabyte. Scrambler.B source code.
