Discovered: January 09, 2002
Updated: January 11, 2002 6:35:30 PM
Systems Affected: Windows

JS.Gigger.A@mm is a mass-mailing worm that sends itself to all email addresses in the user's Outlook address book. It also uses a script file to spread itself through IRC if the mIRC client is installed.

Gigger also adds a line to the autoexec.bat file that will format the C drive on the next system reboot.

Technical Description

Subject: Outlook Express Update OR sender's email address

Attachment: Mmsn_offline.htm OR Reports

Message Body: MSNSofware Co. OR Microsoft Outlook 98

When the attachment is executed, it creates the following files:

Gigger will also overwrite .html files on the local system with its code in order to try to infect users viewing the pages.

It then adds the following line to the autoexec.bat file in order to format the C drive when the system is rebooted (note that this will only occur on Windows 9x systems):
ECHO y|format c:

As a further payload, if the day of the month is the 1st, 5th, 10th, 15th or 20th, Gigger will replace all files on all drives with 0-byte replacements.

It will also create a script.ini file in the mIRC directory if mIRC is installed on the system. This script file will cause the worm to attempt to spread to other users on the same IRC channels.

Gigger will then create the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAV DefAlert = C:\WINDOWS\help\mmsn_offline.htm

Gigger is also network aware and will attempt to copy itself to any network shares as \Windows\Start Menu\Programs\StartUp\Msoe.hta.

The worm will also change Outlook settings so that all outgoing mail messages are in HTML format. It then embeds its code into outgoing messages.

When the mass mailing occurs, Gigger also sends an email message, presumably to its author, listing the email addresses to which the worm was sent.
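
Because the autoexec.bat line runs on the next reboot, the file-system artifacts described above are best checked on a drive mounted read-only on an analysis host before the affected machine is restarted. The following Python sketch is an added example, not part of the original advisory: it looks for the format line in autoexec.bat and for the two dropped-file paths named above. The function names and the sample tree are assumptions made for illustration; the registry values and the mIRC script.ini are not checked.

```python
import os
import re
import tempfile

# Pattern for the line the advisory says is appended to autoexec.bat.
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)

# Dropped-file locations named in the advisory, relative to the drive root.
DROPPED = [
    ("Windows", "help", "mmsn_offline.htm"),
    ("Windows", "Start Menu", "Programs", "StartUp", "Msoe.hta"),
]

def resolve(root, parts):
    """Case-insensitive lookup, so a FAT volume mounted on Linux still matches."""
    path = root
    for part in parts:
        try:
            names = os.listdir(path)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path

def find_gigger_artifacts(root):
    """Return (indicator, path) tuples found under a mounted drive root."""
    findings = []
    autoexec = resolve(root, ("autoexec.bat",))
    if autoexec:
        with open(autoexec, errors="replace") as fh:
            if any(FORMAT_LINE.match(line) for line in fh):
                findings.append(("autoexec-format-line", autoexec))
    for parts in DROPPED:
        hit = resolve(root, parts)
        if hit:
            findings.append(("dropped-file", hit))
    return findings

def build_sample(root):
    """Constructed sample tree: autoexec.bat with the line, plus one dropped file."""
    os.makedirs(os.path.join(root, "WINDOWS", "HELP"))
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@ECHO OFF\nECHO y|format c:\n")
    open(os.path.join(root, "WINDOWS", "HELP", "MMSN_OFFLINE.HTM"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, path in find_gigger_artifacts(tmp):
            print(kind, path)
```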