Article

Gigger cleanup

searchSecurity

JS.Gigger.A@mm is a Javascript worm that spreads via Outlook and mIRC chat clients. Its destructive payload takes aim at all files stored on an infected computer and tries to reformat the machine's C drive.

According to an alert from Symantec, the infected e-mail arrives with a: subject line: Outlook Express Update; message: MSNSoftware Co.; and attachment: Mmsn_offline.htm

Administrators are urged to look for the following files to cleanup Gigger:

C:\Bla.hta
C:\B.htm 
C:\Windows\Samples\Wsh\Charts.js 
C:\Windows\Help\Mmsn_offline.htm

Administrators should also look for the following line in the Autoexe.bat file:

 ECHO y|format C:

That line will reformat the computer's C drive if it is restarted.

Gigger will also drop a script.ini file in order to spread itself by mIRC chat clients. The worm then creates the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0

Gigger also adds the value: NAV DefAlert to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Gigger also attempts to spread via network connections by searching network drives and copying itself as:

\Windows\Start Menu\Programs\StartUp\Msoe.hta

It will then attempt to delete all files on the local hard drive.

    Requires Free Membership to View


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: