Don't be taken in by Internet worm Gigger, which poses as a Microsoft update. The worm attempts to delete all the hard drive files upon reboot.
This JavaScript worm poses as a Microsoft Outlook upgrade.
Gigger (js.gigger.a@mm) attempts to spread itself to everyone in your Outlook Address Book, propagate via mIRC, and copy itself to computers connected on a local network. Gigger then tries to delete all the files on your hard drive the next time the computer reboots. Written in JavaScript, this 17K worm uses the Windows Scripting Host to execute on infected systems. Although there have been few reports of it worldwide, Gigger has the potential to damage computers and overwhelm e-mail servers, and it currently ranks a 6 on the ZDNet Virus Meter.
How it works
Gigger arrives as e-mail. The subject line either reads "Outlook Express Update" or contains the e-mail address of the recipient. The body text says either "MSNSofware Co." or "Microsoft Outlook 98." The attached file is always mmsn_offline.htm.
If a user opens the attached file, Gigger creates the following files in the root directory:
Bla.hta
B.htm
Gigger also creates these files:
C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Samples\Wsh\Charts.vbs
C:\Windows\Help\Mmsn_offline.htm
Gigger also creates the following Registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
and adds NAV DefAlert to the Registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Finally, it adds the line "ECHO y|format c:" to the autoexec.bat file in order to reformat the infected computer the next time it reboots.
Gigger also adds to the Windows directory a script.ini file to spread by mIRC, and if the infected computer is connected to a network, Gigger will create copies of itself as:
\Windows\Start Menu\Programs\StartUp\Msoe.hta
Code within the virus contains the text "This virus is donation from all Bulgarians."
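A triage check for the file and autoexec.bat indicators listed above, as an added example that is not part of the original advisory. It assumes the suspect drive is mounted or copied under a directory and that Windows is installed in C:\Windows; the function names and the sample tree are constructed for illustration, and the Registry keys are not covered.

```python
import os
import re
import tempfile

# Indicators from the advisory, relative to drive C: (assumes Windows in C:\Windows).
GIGGER_FILES = [
    "Bla.hta", "B.htm", "Windows/script.ini",
    "Windows/Samples/Wsh/Charts.js", "Windows/Samples/Wsh/Charts.vbs",
    "Windows/Help/Mmsn_offline.htm", "Windows/Start Menu/Programs/StartUp/Msoe.hta",
]
FORMAT_LINE = re.compile(r"\s*@?echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)

def resolve_nocase(root, relpath):
    """Walk relpath under root ignoring case (FAT names are case-insensitive)."""
    current = root
    for part in relpath.split("/"):
        if not os.path.isdir(current):
            return None
        names = {entry.lower(): entry for entry in os.listdir(current)}
        if part.lower() not in names:
            return None
        current = os.path.join(current, names[part.lower()])
    return current

def scan_gigger(root):
    """Return (kind, detail) findings for a drive root, e.g. a mounted image."""
    findings = [("file", rel) for rel in GIGGER_FILES
                if os.path.isfile(resolve_nocase(root, rel) or "")]
    autoexec = resolve_nocase(root, "autoexec.bat")
    if autoexec and os.path.isfile(autoexec):
        with open(autoexec, encoding="latin-1") as fh:
            for number, line in enumerate(fh, 1):
                if FORMAT_LINE.match(line):  # tolerant of case and spacing
                    findings.append(("autoexec", f"line {number}: {line.strip()}"))
    return findings

def build_sample(root):
    """Constructed sample: two file indicators plus the autoexec.bat line."""
    os.makedirs(os.path.join(root, "WINDOWS", "HELP"))
    for rel in ("BLA.HTA", "WINDOWS/HELP/MMSN_OFFLINE.HTM"):
        open(os.path.join(root, rel), "w").close()
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@ECHO OFF\nECHO y|format c:\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, detail in scan_gigger(tmp):
            print(f"{kind}: {detail}")
```

Run it against a read-only mount or a copy of the drive so the check cannot alter the system being examined.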
Prevention
Users of Microsoft Outlook 2002 and of Outlook 2000 who have installed the Security Update are not automatically protected from Gigger. The Outlook Security Update does not block e-mail with HTM attachments. Users can, however, disable the Windows Scripting Host. For information regarding that, see "How to turn off Windows Scripting Host." In general, you should not open attached files in e-mail.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see McAfee, Sophos, Symantec, and Trend Micro.