JS.Gigger.A@MM, usually called simply "Gigger," is a new
Javascript worm, discovered on
January 9, 2002 by
Symantec. The worm's threat is debated, with Symantec rating it as "high-threat," but
McAfee's threat-rating is "low." It is not a wide-spread worm at this point, but it contains a very dangerous payload.
Gigger attempts to spread via Microsoft Outlook and mIRC. With Outlook, it will arrive in an email with a subject line of "Outlook Express Update"; The text of the email will be "MSNSofware Co.", and it will contain an attachment named "Mmsn_offline.htm" (Microsoft NEVER delivers updates by email, always via its website; keep this in mind whenever you recieve email promising updates for a Microsoft product). With mIRC, Gigger will overwrite all script.ini files with commands to send "Mmsn_offline.htm" to anyone who joins a channel that an infected user is logged in to. Opening "Mmsn_offline.htm" unleashes the worm's payload.
Upon activation, Gigger does a number of things. It sends itself to all contacts in Microsoft Outlook and Windows Address Book using MAPI. It then adds the following files:
- C:\Bla.hta
- C:\B.htm
- C:\Windows\Samples\Wsh\Charts.js
- C:\Windows\Help\Mmsn_offline.htm
It then overwrites, with itself, all files with the .html, .htm, or .asp
file extensions, and adds "Echo y|format c:" to C:\
autoexec.bat, which causes the C drive to be re
formatted on restart. The following
registry keys are created:
- HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
- HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
Gigger then attempts to add the value "NAV DefAlert=C:\WINDOWS\help\mmsn_offline.htm" to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, which will cause the worm to be run automatically the next time
Windows starts. If you are connected to a
network, Gigger will copy itself to every
network drive as "%drive letter%\Windows\Start Menu\Programs\StartUp\msoe.hta". This will enable the worm to be executed on other computers using the same network. And then, as if all that wasn't enough, if the day is 1, 5, 10, 15, or 20, Gigger attempts to erase all other files, leaving them with a size of 0
bytes.
Indicators of infection include having most file lengths changed to 0 bytes, having the icon of most files changed to the Windows default icon, and being given the "Error in EXE file" error when Windows starts up. That's all that McAfee lists, but other indicators that present themselves are 1) Upon restart, your screen reads "Formatting C:\", 2) Windows crashes soon after you open an email attachment, and 3) The hard-disk activity light on your machine lights up, and you aren't doing anything.
To remove Gigger, run an antivirus program with updated definitions. Edit autoexec.bat and remove the "ECHO y|format c:" line, and remove the noted registry keys. If it's too late, you've activated the worm and restarted your computer and Gigger has trashed your machine, reformat the hard disk and install Linux. That will keep you safe from most viruses in the future, as well.
Sources:
http://www.theregister.co.uk/content/56/23652.html
http://www.symantec.com/avcenter/venc/data/js.gigger.a@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99301&