Don't be taken in by Internet worm Gigger, which poses as a Microsoft update. Gigger (js.gigger.a@mm) attempts to spread itself to everyone in your Outlook Address Book, propagate via mIRC, and copy itself to computers connected on a local network. Gigger then tries to delete all the files on your hard drive the next time the computer reboots. Written in JavaScript, this 17K worm uses the Windows Scripting Host to execute on infected systems. Although there have been few reports of it worldwide, Gigger has the potential to damage computers and overwhelm e-mail servers and currently ranks a 6 on the ZDNet Virus Meter.
How it works
Gigger arrives as e-mail. The subject line reads either "Outlook Express Update" or has the e-mail address of the recipient. The body text says either "MSNSofware Co." or "Microsoft Outlook 98." The attached file is always mmsn_offline.htm.
If a user opens the attached file, Gigger creates the following files in the root directory:
Bla.htaB.htm
Gigger creates these files in the following directories:
C:\Windows\Samples\Wsh\Charts.jsC: \Windows\Samples\Wsh\Charts.vbsC: \Windows\Help\Mmsn_offline.htm
Gigger also creates the following Registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\TimeoutHKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
and adds NAV DefAlert to the Registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Finally, it adds the line "ECHO y|format c:" to the autoexec.bat file in order to reformat the infected computer the next time it reboots.
Gigger also adds to the Windows directory a script.ini file to spread by mIRC, and if the infected computer is connected to a network, Gigger will create copies of itself as:
\Windows\Start Menu\Programs\StartUp\Msoe.hta.
Code within the virus contains the text "This virus is donation from all Bulgarians."
Prevention
Users of Microsoft Outlook 2002 and of Outlook 2000 who have installed the Security Update are not automatically protected from Gigger. The Outlook Security Update does not block e-mail with HTM attachments. Users can, however, disable the Windows Scripting Host. For information regarding that, see "How to turn off Windows Scripting Host." In general, you should not open attached files in e-mail.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see McAfee, Sophos, Symantec, and Trend Micro.
