A message distributing JS/Gigger@mm can be identified by the following characteristics:
The attachment is called: Mmsn_offline.htm
The Subject line is: Outlook Express Update
and the message contains the text: MSNSoftware Co.
If this worm is started it copies the following files to the infected computer:
c:\Bla.hta
c:\B.htm
c:\Windows\Samples\Wsh\Charts.js
c:\Windows\Help\Mmsn_offline.htm
Then it copies a Script.ini file to the system so that it can spread via mIRC.
Then it adds the line ECHO y|format c: to the Autoexec.bat file, causing drive C: to be formatted the next time the infected computer is started.
When these steps are completed, JS/Gigger.A@mm creates these registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
It also adds a NAV DefAlert value to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If the infected computer is connected to a network, Gigger then searches for network drives and, if any are found, copies itself to them as \Windows\Start Menu\Programs\Startup\Msoe.hta.
After these operations the worm tries to delete all files on the local hard drive.
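The message characteristics and host artifacts listed above can be turned into a simple triage check. The following is an added example and not F-Prot's code: it matches a mail's subject, attachment name and body text against the three characteristics, flags the Autoexec.bat line that formats drive C:, and compares a host inventory (file paths, registry keys and values, files on mapped network drives) against the dropped-file, registry and Startup-folder indicators. The inventory is passed in as plain Python data so the check runs offline; the sample data at the bottom is constructed for illustration, and the data stored under the NAV DefAlert value is not given in the description, so a placeholder is used.

```python
import re
from typing import Dict, Iterable, List

# Indicators as listed in the description above.
MAIL_SUBJECT = "Outlook Express Update"
MAIL_ATTACHMENT = "Mmsn_offline.htm"
MAIL_BODY_TEXT = "MSNSoftware Co."
DROPPED_FILES = (
    r"c:\Bla.hta",
    r"c:\B.htm",
    r"c:\Windows\Samples\Wsh\Charts.js",
    r"c:\Windows\Help\Mmsn_offline.htm",
)
REGISTRY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",
    r"HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0",
)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NAV DefAlert"
NETWORK_DROP = r"\Windows\Start Menu\Programs\Startup\Msoe.hta"
# The line the worm appends to Autoexec.bat; spacing and case are tolerated.
AUTOEXEC_PAYLOAD = re.compile(r"echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)


def _norm(path: str) -> str:
    # Windows paths and key names are case-insensitive, so compare in lower case.
    return path.strip().lower()


def classify_message(subject: str, attachments: Iterable[str], body: str) -> List[str]:
    """Return which of the three mail characteristics a message matches."""
    hits = []
    if subject.strip().lower() == MAIL_SUBJECT.lower():
        hits.append("subject")
    if any(_norm(a) == _norm(MAIL_ATTACHMENT) for a in attachments):
        hits.append("attachment")
    if MAIL_BODY_TEXT.lower() in body.lower():
        hits.append("body")
    return hits


def autoexec_format_lines(autoexec_text: str) -> List[str]:
    """Return every Autoexec.bat line that would format drive C: on boot."""
    return [ln.strip() for ln in autoexec_text.splitlines() if AUTOEXEC_PAYLOAD.search(ln)]


def host_indicators(present_files: Iterable[str],
                    registry: Dict[str, Dict[str, str]],
                    network_files: Iterable[str]) -> Dict[str, List[str]]:
    """Match a host inventory against the dropped-file, registry and share indicators.

    present_files: full paths found on the local drive.
    registry: key -> {value name: data}; a key with no values maps to {}.
    network_files: full paths found on mapped network drives.
    """
    files = {_norm(p) for p in present_files}
    keys = {_norm(k): v for k, v in registry.items()}
    run_values = keys.get(_norm(RUN_KEY), {})
    return {
        "files": [p for p in DROPPED_FILES if _norm(p) in files],
        "registry_keys": [k for k in REGISTRY_KEYS if _norm(k) in keys],
        "run_entries": [n for n in run_values if n.lower() == RUN_VALUE.lower()],
        "network_copies": [p for p in network_files
                           if _norm(p).endswith(_norm(NETWORK_DROP))],
    }


def is_infected(found: Dict[str, List[str]], format_lines: List[str]) -> bool:
    """A dropped file or the Run entry is a strong indicator; the Autoexec.bat line
    alone is also flagged because of its destructive effect at next boot."""
    return bool(found["files"] or found["run_entries"] or format_lines)


# Constructed sample data (assumed for illustration, not captured from a real host).
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\nECHO y|format c:\r\n"
SAMPLE_FILES = [r"C:\BLA.HTA", r"C:\Windows\Help\Mmsn_offline.htm", r"C:\autoexec.bat"]
SAMPLE_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0": {},
    RUN_KEY: {"NAV DefAlert": "(data not given in the description)"},
}
SAMPLE_NETWORK = [r"\\fileserver\c$\Windows\Start Menu\Programs\Startup\Msoe.hta"]

if __name__ == "__main__":
    print(classify_message("Outlook Express Update", ["Mmsn_offline.htm"],
                           "Update from MSNSoftware Co."))
    lines = autoexec_format_lines(SAMPLE_AUTOEXEC)
    found = host_indicators(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_NETWORK)
    print(lines, found, is_infected(found, lines))
```

On a live machine the inventory would be gathered with the usual tools (a directory walk of C:, a registry export, a listing of mapped drives); the matching logic stays the same. Note that a hit on Autoexec.bat should be acted on before the machine is rebooted, since that line runs at the next start.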
JS/Gigger.A@mm is detected by F-Prot Antivirus™ 3.11b using signature files from January 11th or later.