do you have any info on a Gigger Worm which poses as a Microsoft update?
This question was answered on January 15, 2002. Much of the information contained herein may have changed since posting.
This is a new worm and uncommon The following is an article I found during my research The article is located at http://www.zdnet.com/zdnn/stories/news/0,4586,2838401,00.html?chkpt=zdnnp1tp02
Gigger 'update' worm attacks hard drive
By Robert Vamosi
ZDNet Reviews
January 11, 2002 4:07 PM PT
This JavaScript worm poses as a Microsoft Outlook upgrade
Don't be taken in by Internet worm Gigger, which poses as a Microsoft update Gigger (js.gigger.a@mm) attempts to spread itself to everyone in your Outlook Address Book, propagate via mIRC, and copy itself to computers connected on a local network Gigger then tries to delete all the files on your hard drive the next time the computer reboots Written in JavaScript, this 17K worm uses the Windows Scripting Host to execute on infected systems Although there have been few reports of it worldwide, Gigger has the potential to damage computers and overwhelm e-mail servers and currently ranks a 6 on the ZDNet Virus Meter
How it works
Gigger arrives as e-mail The subject line reads either "Outlook Express Update" or has the e-mail address of the recipient The body text says either "MSNSofware Co." or "Microsoft Outlook 98." The attached file is always mmsn_offline.htm
If a user opens the attached file, Gigger creates the following files in the root directory:
Bla.hta
B.htm
Gigger creates these files in the following directories:
C:\Windows\Samples\Wsh\Charts.js
C: \Windows\Samples\Wsh\Charts.vbs
C: \Windows\Help\Mmsn_offline.htm
Gigger also creates the following Registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
and adds NAV DefAlert to the Registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Finally, it adds the line "ECHO y|format c:" to the autoexec.bat file in order to reformat the infected computer the next time it reboots
Gigger also adds to the Windows directory a script.ini file to spread by mIRC, and if the infected computer is connected to a network, Gigger will create copies of itself as:
\Windows\Start Menu\Programs\StartUp\Msoe.hta.
Code within the virus contains the text "This virus is donation from all Bulgarians."
Prevention
Users of Microsoft Outlook 2002 and of Outlook 2000 who have installed the Security Update are not automatically protected from Gigger The Outlook Security Update does not block e-mail with HTM attachments Users can, however, disable the Windows Scripting Host For information regarding that, see "How to turn off Windows Scripting Host." In general, you should not open attached files in e-mail
Removal
A few antivirus software companies have updated their signature files to include this worm This will stop the infection upon contact and, in some cases, will remove an active infection from your system For more information, see McAfee, Sophos, Symantec, and Trend Micro
About the author
Posted by TomiD of Chandler-Gilbert Community College on January 15, 2002
Need Help with this Issue?
We help people with technology! It's what we do.
Contact or Schedule an Appointment with a location for help!