Security Management Strategies for the CIOJS.Gigger.A@mm is a Javascript worm that spreads via Outlook and mIRC chat clients. Its destructive payload takes aim at all files stored on an infected computer and tries to reformat the machine's C drive.
According to an alert from Symantec, the infected e-mail arrives with a: subject line: Outlook Express Update; message: MSNSoftware Co.; and attachment: Mmsn_offline.htm
Administrators are urged to look for the following files to cleanup Gigger:
C:\Bla.hta C:\B.htm C:\Windows\Samples\Wsh\Charts.js C:\Windows\Help\Mmsn_offline.htm
Administrators should also look for the following line in the Autoexe.bat file:
ECHO y|format C:
That line will reformat the computer's C drive if it is restarted.
Gigger will also drop a script.ini file in order to spread itself by mIRC chat clients. The worm then creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
Gigger also adds the value: NAV DefAlert to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Gigger also attempts to spread via network connections by searching network drives and copying itself as:
\Windows\Start Menu\Programs\StartUp\Msoe.hta
It will then attempt to delete all files on the local hard drive.
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
Join the conversationComment
Share
Comments
Results
Contribute to the conversation