JS.Gigger

Aliases  JS.Gigger.A@mm (Symantec), JS/Gigger.a@MM (McAfee)
Typical Symptoms  Sends email, Formats HDD
Discovered  [Korea] 0000-00-00, [Foreign] 2002-01-09
Type  I-Worm
Active Field  Win32
Destroy/Distribution
Origin  others
Encryption  NO
Location  None
Memory residence  NO
Scan engine needed  2002-01-14 [Able to detect & repair]
Description
JS.Gigger is a script virus written in JavaScript. It spreads through email, mIRC and network shared folders with read/write access.

It emails itself to all addresses in the Microsoft Outlook Address Book with the following content:

Subject: Outlook Express Update
Message: MSNSofware Co.
Attachment: Mmsn_offline.htm




Upon execution of the attachment, the virus infects HTM files and prompts you to run the ActiveX control.

If you choose Yes, it drops the following files on the C drive:

B.HTM (9,596 bytes)
BLA.HTA (9,612 bytes)

If you select No, you will see a message and the virus is not activated.

This virus creates a Samples\Wsh folder and places the following files in it:

Charts.js (8,464 bytes)
Charts.vbs (2,426 bytes)

These files will not be executable on a Korean OS.

If you are connected to a network, the worm searches for shared network drives with read/write access and copies itself as "MSOE.HTA" to Windows\Start Menu\Programs\StartUp.

To spread itself via mIRC, it drops a "Script.ini" file.  

"Script.ini" has the following text strings in it:

"This virus is donation from all Bulgarians"
"GraveDiggerV2.0"


It also infects files with the extensions '*.HTM', '*.HTML' and '*.ASP'.

This virus adds the value

Name: v2.0

to the registry key

HKEY_CURRENT_USER\Software\TheGrave\badUsers

It also adds the value

Name: NAV DefAlert
Data: (Windows folder)\SAMPLES\WSH\Chart.vbs

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to all addresses in the MS Outlook Address Book, JS.Gigger will also send an email to a specific address:

To: g_dv20@mail.bg

Subject: Outlook Express Update

Message: MSNSofware Co.



Removal Instructions
Delete and do not open any emails with the following characteristics:

Subject: Outlook Express Update

Message: MSNSofware Co.

Attachment: Mmsn_offline.htm
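
The three mail characteristics listed above can be checked at a mail gateway before delivery. The following is an added example, not part of the original HAURI entry; the function names and the quarantine rule are assumptions, and the sample message is constructed with harmless placeholder content.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text; compared case-insensitively.
SUBJECT = "outlook express update"
BODY_MARKER = "msnsofware co."
ATTACHMENT = "mmsn_offline.htm"

def gigger_indicators(raw: bytes) -> set:
    """Return which of the three advisory indicators a raw message carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    # policy.default decodes RFC 2047 encoded-words in the Subject header.
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.add("attachment")
        elif not name and part.get_content_maintype() == "text":
            try:
                text = part.get_content()
            except (LookupError, ValueError):
                continue  # unknown charset or bad encoding: skip this part
            if BODY_MARKER in text.lower():
                hits.add("body")
    return hits

def should_quarantine(raw: bytes) -> bool:
    # Assumed policy: the attachment name alone, or subject plus body together.
    hits = gigger_indicators(raw)
    return "attachment" in hits or {"subject", "body"} <= hits

def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Build a constructed test message with harmless placeholder content."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment("<html></html>", subtype="html", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(gigger_indicators(build_sample(
        "Outlook Express Update", "MSNSofware Co.", "Mmsn_offline.htm")))
```

A subject match on its own is not treated as sufficient, since that subject line could appear in legitimate mail.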


As a preventive measure, share folders with read-only access.

As this virus infects HTM, HTML and ASP files, it is recommended that you install our anti-virus solution and scan the whole hard drive.

Download our trial version to repair an infected system.


Copyright 2008 @ HAURI Inc. All rights reserved.