Don't be taken in by Internet worm Gigger, which poses as a Microsoft update. Gigger (js.gigger.a@mm) attempts to spread itself to everyone in your Outlook Address Book, propagate via mIRC, and copy itself to computers connected on a local network. Gigger then tries to delete all the files on your hard drive the next time the computer reboots. Written in JavaScript, this 17K worm uses the Windows Scripting Host to execute on infected systems. Although there have been few reports of it worldwide, Gigger has the potential to damage computers and overwhelm e-mail servers and currently ranks a 6/10 on the ZDNet Virus Meter. How it works
Gigger arrives as email. The subject line reads either "Outlook Express Update" or has the email address of the recipient. The body text says either "MSNSofware Co." or "Microsoft Outlook 98." The attached file is always mmsn_offline.htm. If a user opens the attached file, Gigger creates the following files in the root directory: Bla.hta
B.htm Gigger creates these files in the following directories: C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Samples\Wsh\Charts.vbs
C:\Windows\Help\Mmsn_offline.htm
Gigger also creates the following Registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
and adds NAV DefAlert to the Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Finally, it adds the line "ECHO y|format c:" to the autoexec.bat file in order to reformat the infected computer the next time it reboots. Gigger also adds to the Windows directory a script.ini file to spread by mIRC, and if the infected computer is connected to a network, Gigger will create copies of itself as: \Windows\Start Menu\Programs\StartUp\Msoe.hta. Code within the virus contains the text "This virus is donation from all Bulgarians." Prevention
Users of Microsoft Outlook 2002 and of Outlook 2000 who have installed the Security Update are not automatically protected from Gigger. The Outlook Security Update does not block email with HTM attachments. Users can, however, disable the Windows Scripting Host. For information regarding that, see "How to turn off Windows Scripting Host". In general, you should not open attached files in email. Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see McAfee, Sophos, Symantec, and Trend Micro. For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section. Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum. Let the editors know what you think in the Mailroom. And read other letters.