A message distributing JS/Gigger@mm can be identified by the following characteristics:
The attachment is called: Mmsn_offline.htm
The Subject line is: Outlook Express Update
and the message contains the text: MSNSoftware Co.
If this worm is started it copies the following files to the infected computer:
Then it copies an Script.ini file to the system in order to be able to spread itself via mIRC.
Then it adds ECHO y|format c: to the Autoexec.bat file, causing drive c: to be formatted next time the infected computer is started.
When these steps are completed JS/Gigger.A@mm created these registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
It also adds
NAV DefAlert to the register key:
Gigger then searches for network drives if the infected computer is connected to a network. If found it copies itself to the network drives as \Windows\Start Menu\Programs\Startup\Msoe.hta.
After these operations the worm tries to delete all files on the local hard drive
JS/Gigger.A@mm is detected by F-Prot Antivirus™ 3.11b using signature files from January 11th or later.