- January 9, 2002
- January 11, 2002 6:35:30 PM
- Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
JS.Gigger.A@mm is a mass-mailing worm that sends itself to all email addresses in a compromised user's Microsoft Outlook address book. It typically arrives as an email message with the following properties:
- Subject: Outlook Express Update OR sender's email address
- Attachment: Mmsn_offline.htm OR Reports
- Message Body: MSNSofware Co. OR Microsoft Outlook 98
When the attachment is executed, it creates the following files:
Gigger will also overwrite .html files on the local system with its own code, so that users who view those pages may be infected in turn.
It then adds the following line to the autoexec.bat file so that the C drive is formatted when the system is rebooted (note that this will only occur on Windows 9x systems):
ECHO y|format c:
As a further payload, if the day of the month is the 1st, 5th, 10th, 15th or 20th, Gigger will replace all files on all drives with 0-byte replacements.
It will also create a script.ini file in the mIRC directory if mIRC is installed on the system. This script file will cause the worm to attempt to spread to other users on the same IRC channels.
Gigger will then create the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAV DefAlert = C:\WINDOWS\help\mmsn_offline.htm
Gigger is also network-aware and will attempt to copy itself to any network shares as \Windows\Start Menu\Programs\StartUp\Msoe.hta.
The worm will also change Outlook settings so that all outgoing mail messages are in HTML format. It then embeds its code into outgoing messages.
When the mass mailing occurs, Gigger also sends an email message, presumably to its author, listing the email addresses to which it sent itself.
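The indicators described above can be checked offline against artifacts collected from a suspect machine. The following Python script is an added example, not part of the original write-up: the function name, the indicator labels and the sample data are constructed, and the registry input is assumed to be a regedit text export (which doubles backslashes in values).

```python
import re

# Indicators taken from the description above. Matching is case-insensitive
# because DOS/Windows paths and batch commands are.
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c:\s*$", re.I | re.M)
RUN_VALUE = re.compile(r'"NAV DefAlert"\s*=\s*".*mmsn_offline\.htm"', re.I)
STARTUP_DROP = re.compile(r"[\\/]Start Menu[\\/]Programs[\\/]StartUp[\\/]Msoe\.hta$", re.I)
ATTACHMENT = re.compile(r"(^|[\\/])mmsn_offline\.htm$", re.I)

# Constructed sample artifacts (not captured from a real system).
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\nECHO y|format c:\r\n"
SAMPLE_REG = (
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]" + "\n"
    + r'"NAV DefAlert"="C:\\WINDOWS\\help\\mmsn_offline.htm"' + "\n"
)
SAMPLE_PATHS = [
    r"\\FILESRV\C\Windows\Start Menu\Programs\StartUp\Msoe.hta",
    r"C:\WINDOWS\help\mmsn_offline.htm",
    r"C:\My Documents\report.doc",
]


def triage(autoexec_text, reg_export_text, file_paths):
    """Return a sorted list of indicator labels found in the collected artifacts."""
    hits = set()
    # Destructive line appended to autoexec.bat (only takes effect on Windows 9x).
    if FORMAT_LINE.search(autoexec_text):
        hits.add("autoexec-format-c")
    # Run value named "NAV DefAlert" that points at the worm's .htm file.
    if RUN_VALUE.search(reg_export_text):
        hits.add("run-key-nav-defalert")
    for path in file_paths:
        # Copy placed in a StartUp folder, locally or on a network share.
        if STARTUP_DROP.search(path):
            hits.add("startup-msoe-hta")
        if ATTACHMENT.search(path):
            hits.add("mmsn-offline-htm")
    return sorted(hits)


if __name__ == "__main__":
    for label in triage(SAMPLE_AUTOEXEC, SAMPLE_REG, SAMPLE_PATHS):
        print("indicator present:", label)
```

A hit on the autoexec.bat line on a Windows 9x machine means the system should not be rebooted until that line has been removed.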