Virus gigger worm

Question

do you have any info on a Gigger Worm which poses as a Microsoft update?

Answer

This question was answered on January 15, 2002. Much of the information contained herein may have changed since posting.

This is a new worm and uncommon The following is an article I found during my research The article is located at http://www.zdnet.com/zdnn/stories/news/0,4586,2838401,00.html?chkpt=zdnnp1tp02

Gigger 'update' worm attacks hard drive

By Robert Vamosi

ZDNet Reviews

January 11, 2002 4:07 PM PT

This JavaScript worm poses as a Microsoft Outlook upgrade

Don't be taken in by Internet worm Gigger, which poses as a Microsoft update Gigger ([email protected]) attempts to spread itself to everyone in your Outlook Address Book, propagate via mIRC, and copy itself to computers connected on a local network Gigger then tries to delete all the files on your hard drive the next time the computer reboots Written in JavaScript, this 17K worm uses the Windows Scripting Host to execute on infected systems Although there have been few reports of it worldwide, Gigger has the potential to damage computers and overwhelm e-mail servers and currently ranks a 6 on the ZDNet Virus Meter

How it works

Gigger arrives as e-mail The subject line reads either "Outlook Express Update" or has the e-mail address of the recipient The body text says either "MSNSofware Co." or "Microsoft Outlook 98." The attached file is always mmsn_offline.htm

If a user opens the attached file, Gigger creates the following files in the root directory:

Bla.hta

B.htm

Gigger creates these files in the following directories:

C:\Windows\Samples\Wsh\Charts.js

C: \Windows\Samples\Wsh\Charts.vbs

C: \Windows\Help\Mmsn_offline.htm

Gigger also creates the following Registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout

HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0

and adds NAV DefAlert to the Registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Finally, it adds the line "ECHO y|format c:" to the autoexec.bat file in order to reformat the infected computer the next time it reboots

Gigger also adds to the Windows directory a script.ini file to spread by mIRC, and if the infected computer is connected to a network, Gigger will create copies of itself as:

\Windows\Start Menu\Programs\StartUp\Msoe.hta.

Code within the virus contains the text "This virus is donation from all Bulgarians."

Prevention

Users of Microsoft Outlook 2002 and of Outlook 2000 who have installed the Security Update are not automatically protected from Gigger The Outlook Security Update does not block e-mail with HTM attachments Users can, however, disable the Windows Scripting Host For information regarding that, see "How to turn off Windows Scripting Host." In general, you should not open attached files in e-mail

Removal

A few antivirus software companies have updated their signature files to include this worm This will stop the infection upon contact and, in some cases, will remove an active infection from your system For more information, see McAfee, Sophos, Symantec, and Trend Micro

Need Help with this Issue?

We help people with technology! It's what we do.
Schedule an Appointment with a location for help!

Author

Posted by TomiD of Chandler-Gilbert Community College on January 15, 2002