JS.Gigger.A@mm

Risk Level 2: Low

Discovered: January 9, 2002

Updated: January 11, 2002 6:35:30 PM

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

JS.Gigger.A@mm is a mass mailing worm that sends itself to all email addresses in a compromised user's Microsoft Outlook address book. It typically arrives as an email message with the following properties:
Subject: Outlook Express Update OR sender's email address

Attachment: Mmsn_offline.htm OR Reports

Message Body: MSNSofware Co. OR Microsoft Outlook 98

When the attachment is executed, it creates the following files:
C:\Bla.hta
C:\B.htm
C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Help\Mmsn_offline.htm

Gigger will also overwrite .html files on the local system with its code in order to try to infect users viewing the pages.

It then adds the following line to the autoexec.bat file in order to format the C drive when the system is rebooted (note that this will only occur on Windows 9x systems):
ECHO y|format c:

As a further payload, if the day of the month is the 1st, 5th, 10th, 15th or 20th, Gigger will replace all files on all drives with 0 byte replacements.

It will also create a script.ini file in the mIRC directory if mIRC is installed on the system. This script file will cause the worm to attempt to spread to other users on the same IRC channels.

Gigger will then create the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAV DefAlert = C:\WINDOWS\help\mmsn_offline.htm

Gigger is also network aware and will attempt to copy itself to any network shares as \Windows\Start Menu\Programs\StartUp\Msoe.hta.

The worm will also change Outlook settings so that all outgoing mail messages are in HTML format. It then embeds its code into outgoing messages.

When the mass mailing occurs, Gigger also sends an email message, presumably to its author, with a list of the email addresses it was sent to.
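
The file indicators listed above can be checked on a suspect volume or network share mounted read-only for analysis. The following is an added example, not part of the original write-up or any Symantec tool; the names `DROPPED`, `resolve` and `scan` are hypothetical, and the sample tree is constructed. Paths are matched case-insensitively because the write-up itself gives the same file as both `C:\Windows\Help\Mmsn_offline.htm` and `C:\WINDOWS\help\mmsn_offline.htm`.

```python
import os
import re
import tempfile

# File indicators from the write-up, relative to the root of the volume
# (the last entry is the copy placed on network shares).
DROPPED = [
    r"Bla.hta",
    r"B.htm",
    r"Windows\Samples\Wsh\Charts.js",
    r"Windows\Help\Mmsn_offline.htm",
    r"Windows\Start Menu\Programs\StartUp\Msoe.hta",
]
# The line added to autoexec.bat: ECHO y|format c:
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c:", re.I | re.M)


def resolve(root, win_path):
    """Resolve a Windows path case-insensitively under root; None if absent."""
    current = root
    for part in win_path.split("\\"):
        try:
            names = os.listdir(current)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def scan(root):
    """Return a sorted list of indicator strings found under root."""
    hits = [f"file:{p}" for p in DROPPED if resolve(root, p)]
    autoexec = resolve(root, "autoexec.bat")
    if autoexec and os.path.isfile(autoexec):
        with open(autoexec, errors="replace") as fh:
            if FORMAT_LINE.search(fh.read()):
                hits.append("autoexec:format-c")
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample tree standing in for a mounted image.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS", "help"))
        open(os.path.join(root, "WINDOWS", "help", "mmsn_offline.htm"), "w").close()
        with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
            fh.write("@echo off\nECHO y|format c:\n")
        print(scan(root))
```

The registry indicators are not covered here; checking them offline requires parsing the user and system hives.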