W32/Scrambler.a@MM

This page shows the details and results of our analysis of the malware W32/Scrambler.a@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4081 (2000-06-07)

Updated DAT: 4896 (2006-11-15)

Minimum Engine: 5.1.00

File Length: 73,728

Description Added: 2000-05-30

Description Modified: 2003-03-06

Characteristics

This is a high-level-language Internet virus which may arrive by IRC or email. When a file infected by this virus is run, it displays the following message in an MS-DOS window:

Scrambler
by Gigabyte

Infected users may notice a message at machine bootup, before Windows initializes, caused by a modification of the startup file WINSTART.BAT. The modification displays the following message:

Today..
I'm going to scramble your mind..

This virus modifies the existing mIRC configuration file SCRIPT.INI so that it sends itself to others when the user joins IRC channels via the mIRC client.

This virus also attempts to distribute itself via MAPI email (Outlook).

One other side effect of this virus is that it manipulates and modifies MP3 files, in some cases damaging them so that they no longer play in an MP3 player.

Symptoms

Existence of the file SCRAM.SYS on the local machine. Email or IRC propagation. Attempts to execute infected programs such as NOTEPAD.EXE result in an MS-DOS box opening with this message:

Scrambler
by Gigabyte

The infected program, such as NOTEPAD.EXE, does not continue loading.

Method of Infection

When an infected file is first run on a host system, it searches for available files in the Windows folder. If any candidates are found, the virus prepends itself to them. The virus also creates a randomly named file, 73,728 bytes in size, in the Windows\system folder; this file is a dropper for the virus. The file name resembles something like "hhehi.exe".

Next, the virus searches for the script file named "SCRIPT.INI", which is associated with mIRC (Internet Relay Chat) installations. It searches on drives c:, d: and e: in the folders "mirc" and "progra~1\mirc". If the SCRIPT.INI configuration file is found, it is replaced with a copy written by the virus that sends the virus dropper from the Windows\system folder to others when the user joins chat rooms.

Next, the virus writes a text file named "SCRAM.SYS" in the Windows\system folder. This text file contains only the text

Scrambler
by Gigabyte

Finally, the virus writes a temporary file named "SCRAMBLER.VBS" to the Windows\system folder and executes it. It is a Windows Scripting Host (WSH) program written in VBScript, which runs only if WSH is installed. By default WSH is not present on Win95/WinNT; however, if IE5 or Visual C++/Visual Studio is installed, support for VBScript applications is added.

SCRAMBLER.VBS contains code to send the virus dropper by MAPI email (Outlook) to the first 90 recipients in all available address lists. The email may take this form:

Subject="Check this out, it's funny!"
Attachment=filename.exe

In the above detail, "filename.exe" represents the randomly named virus dropper file in the Windows\system folder. After the email message is sent, SCRAMBLER.VBS self-destructs by deleting itself.
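Added example (not McAfee's code or tooling): a small Python triage script that checks a host for the indicators the Symptoms and Method of Infection sections describe, namely SCRAM.SYS with its two-line text in Windows\system, the modified WINSTART.BAT message, a SCRIPT.INI under the listed mIRC folders that references an .exe in Windows\system, 73,728-byte .exe files in Windows\system, and programs in the Windows folder that carry a second PE image after the first 73,728 bytes, which is how a prepending infector leaves the original program intact behind its own body. The script builds its own constructed, harmless directory layout so that it runs offline. The file names, marker text and dropper size come from the description; the assumption that the prepended virus body is the same 73,728 bytes as the dropper, the use of a plain directory in place of a drive root, the sample SCRIPT.INI line and the CALC.EXE control file are ours.

```python
# Triage checks for the W32/Scrambler.a@MM indicators described above.
# Added example, not McAfee code; see the lead-in for what is assumed.
import os
import re
import struct
import tempfile

DROPPER_SIZE = 73_728                       # dropper length given in the description
SCRAM_SYS_TEXT = "Scrambler\nby Gigabyte"   # the only text SCRAM.SYS contains
WINSTART_MARKER = "I'm going to scramble your mind"
MIRC_DIRS = ("mirc", os.path.join("progra~1", "mirc"))
DROPPER_REF = re.compile(r"\\system\\[^\s\"]+\.exe", re.IGNORECASE)  # .exe under Windows\system


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def prepended_host_offset(data: bytes, body_size: int = DROPPER_SIZE):
    """Offset of the original program in a prepender-infected file, else None.
    A prepending infector stores its body first and the host after it, so a PE file
    carrying a second complete PE image at body_size is a candidate (assumption:
    the prepended body is the dropper's 73,728 bytes)."""
    if len(data) > body_size and looks_like_pe(data) and looks_like_pe(data[body_size:]):
        return body_size
    return None


def read_text(path: str) -> str:
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()


def scan_host(root: str) -> dict:
    """Run the indicator checks under root (a directory standing in for a drive)."""
    windows = os.path.join(root, "windows")
    system = os.path.join(windows, "system")
    f = {"scram_sys": False, "winstart_modified": False,
         "script_ini": [], "dropper_candidates": [], "prepended": []}
    scram = os.path.join(system, "SCRAM.SYS")
    if os.path.isfile(scram):
        f["scram_sys"] = read_text(scram).strip() == SCRAM_SYS_TEXT
    winstart = os.path.join(windows, "WINSTART.BAT")
    if os.path.isfile(winstart):
        f["winstart_modified"] = WINSTART_MARKER in read_text(winstart)
    for mirc in MIRC_DIRS:                      # drives c:, d:, e: collapse to root here
        ini = os.path.join(root, mirc, "SCRIPT.INI")
        if os.path.isfile(ini) and DROPPER_REF.search(read_text(ini)):
            f["script_ini"].append(mirc)
    if os.path.isdir(system):                   # randomly named dropper, exact size
        for e in os.scandir(system):
            if e.is_file() and e.name.lower().endswith(".exe") and e.stat().st_size == DROPPER_SIZE:
                f["dropper_candidates"].append(e.name)
    if os.path.isdir(windows):                  # programs the virus prepends itself to
        for e in os.scandir(windows):
            if e.is_file() and e.name.lower().endswith(".exe"):
                with open(e.path, "rb") as fh:
                    if prepended_host_offset(fh.read()) is not None:
                        f["prepended"].append(e.name)
    for key in ("script_ini", "dropper_candidates", "prepended"):
        f[key].sort()
    return f


def fake_pe_image(size: int) -> bytes:
    """Harmless stand-in that satisfies looks_like_pe: MZ stub, e_lfanew=0x40, 'PE\\0\\0', zeros."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\0\0"
    return bytes(hdr) + b"\0" * (size - len(hdr))


def build_fixture(root: str) -> None:
    """Plant constructed indicators (no real malware) in the layout scan_host expects."""
    windows = os.path.join(root, "windows")
    system = os.path.join(windows, "system")
    os.makedirs(system)
    os.makedirs(os.path.join(root, "mirc"))
    texts = {
        os.path.join(system, "SCRAM.SYS"): SCRAM_SYS_TEXT + "\n",
        os.path.join(windows, "WINSTART.BAT"): "@echo off\necho Today..\necho I'm going to scramble your mind..\n",
        os.path.join(root, "mirc", "SCRIPT.INI"): "; constructed sample\non JOIN send c:\\windows\\system\\hhehi.exe\n",
    }
    for path, text in texts.items():
        with open(path, "w") as fh:
            fh.write(text)
    body = fake_pe_image(DROPPER_SIZE)                      # dropper stand-in, exactly 73,728 bytes
    blobs = {
        os.path.join(system, "hhehi.exe"): body,
        os.path.join(windows, "NOTEPAD.EXE"): body + fake_pe_image(4096),  # "infected": body, then host
        os.path.join(windows, "CALC.EXE"): fake_pe_image(8192),            # clean program for contrast
    }
    for path, blob in blobs.items():
        with open(path, "wb") as fh:
            fh.write(blob)


def run_demo() -> dict:
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_host(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

To use it outside the demo, point scan_host at the directory that contains the windows folder of a mounted drive image. A hit in the prepended list gives the offset from which the original program bytes could be carved for comparison against a known-good copy; the DAT-based scanner in the Removal section remains the supported way to clean such files.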

Removal

All Users:

Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use the specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and run the command-line scanner:

SCANPM /ADL /CLEAN /ALL

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

A list of attachments blocked by the Outlook patch and a general FAQ are available from Microsoft. Additionally, Network Administrators can configure this update using an available tool.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are re-enabled.

Variants

W32/Scrambler.worm.b