by ZDnet / Yahoo News

Don't be taken in by Internet worm Gigger, which poses as a Microsoft update. The worm attempts to delete all the hard drive files upon reboot. This JavaScript worm poses as a Microsoft Outlook upgrade.

Don't be taken in by Internet worm Gigger, which poses as a Microsoft update. Gigger (js.gigger.a@mm) attempts to spread itself to everyone in your Outlook Address Book, propagate via mIRC, and copy itself to computers connected on a local network. Gigger then tries to delete all the files on your hard drive the next time the computer reboots. Written in JavaScript, this 17K worm uses the Windows Scripting Host to execute on infected systems. Although there have been few reports of it worldwide, Gigger has the potential to damage computers and overwhelm e-mail servers and currently ranks a 6 on the ZDNet Virus Meter.

How it works

Gigger arrives as e-mail. The subject line reads either "Outlook Express Update" or has the e-mail address of the recipient. The body text says either "MSNSofware Co." or "Microsoft Outlook 98." The attached file is always mmsn_offline.htm.
                      If a user opens the attached file, Gigger creates the
following files in the root
                      directory:

                           Bla.hta
                           B.htm

  Gigger creates these files in the following directories:

       C:\Windows\Samples\Wsh\Charts.js
       C: \Windows\Samples\Wsh\Charts.vbs
       C: \Windows\Help\Mmsn_offline.htm

  Gigger also creates the following Registry keys:

       HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout
       HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0

  and adds NAV DefAlert to the Registry key

       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  Finally, it adds the line "ECHO y|format c:" to the autoexec.bat file in
order to reformat the infected
  computer the next time it reboots.

  Gigger also adds to the Windows directory a script.ini file to spread by
mIRC, and if the infected
  computer is connected to a network, Gigger will create copies of itself as:

       \Windows\Start Menu\Programs\StartUp\Msoe.hta.

  Code within the virus contains the text "This virus is donation from all
Bulgarians."

Prevention

Users of Microsoft Outlook 2002 and of Outlook 2000 who have installed the Security Update are not automatically protected from Gigger. The Outlook Security Update does not block e-mail with HTM attachments. Users can, however, disable the Windows Scripting Host. For information regarding that, see "How to turn off Windows Scripting Host." In general, you should not open attached files in e-mail.

Removal

A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see McAfee, Sophos, Symantec, and Trend Micro.

Back To The Study