

Email-Worm.JS.Gigger, or Gigger, is a JavaScript worm that overwrites critical system files with .htm code.

Behavior

While installing into the system, the worm creates several files:

C:\Bla.hta

C:\B.htm

C:\Windows\Samples\Wsh\Charts.js

C:\Windows\Help\Mmsn_offline.htm

The worm then looks for its "already infected" sign in the registry, and if it doesn't exist, the worm creates it.

The infection presence sign is located in the following registry key:

HKEY_CURRENT_USER\Software\thegrave\badusers\v2.0

The worm finds all connected network drives and copies itself to the following location on each of them:

Windows\Start Menu\Programs\StartUp\Msoe.hta

Spreading via e-mail

The worm uses Outlook and Outlook Express to spread in infected e-mail messages.

Infected messages have the following properties:

Subject: Outlook Express Update
Body: MSNSoftware Co.
Attachment: mmsn_offline.htm

The worm also sends a message that contains the e-mail addresses of its recipients to an e-mail address, which seems to belong to the worm's author.

Spreading via IRC

The worm finds the installation folder of an mIRC client application and creates a file named "script.ini" there. After this, the worm sends itself to each user who joins the IRC channel that the infected user is in.

Filename sent through mIRC: "mmsn_offline.htm"

Payload

The worm adds the following line in the file Autoexec.bat:

ECHO y|format c:

This causes disk C: to be formatted when the computer restarts.

If the day of the month is the 1st, 5th, 10th, 15th or 20th, the worm deletes all files from all drives.
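The file and Autoexec.bat indicators listed above can be checked on a mounted copy of a suspect volume. The script below is an added example, not part of the original write-up; it assumes the volume (drive C: or a network share) is mounted read-only at a path given on the command line, and it does not check the registry marker, which would require parsing the user's registry hive.

```python
import os
import re
import sys

# Paths taken from the write-up above, relative to the root of the volume.
GIGGER_FILES = [
    r"Bla.hta",
    r"B.htm",
    r"Windows\Samples\Wsh\Charts.js",
    r"Windows\Help\Mmsn_offline.htm",
    r"Windows\Start Menu\Programs\StartUp\Msoe.hta",
]
# Matches the payload line "ECHO y|format c:" regardless of case and spacing.
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)

def resolve_nocase(root, win_path):
    """Resolve a Windows-style relative path under root, ignoring case."""
    current = root
    for part in win_path.split("\\"):
        try:
            entries = os.listdir(current)
        except OSError:
            return None  # missing directory, or a file where a folder was expected
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def scan_volume(root):
    """Return a list of (indicator_type, detail) findings for one mounted volume."""
    findings = []
    for rel in GIGGER_FILES:
        hit = resolve_nocase(root, rel)
        if hit and os.path.isfile(hit):
            findings.append(("file", rel))
    autoexec = resolve_nocase(root, "Autoexec.bat")
    if autoexec and os.path.isfile(autoexec):
        with open(autoexec, "r", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if FORMAT_LINE.match(line):
                    findings.append(("autoexec", f"line {lineno}: {line.strip()}"))
    return findings

if __name__ == "__main__":
    for kind, detail in scan_volume(sys.argv[1]):
        print(kind, detail)
```

A hit on the Autoexec.bat line means the machine must not be rebooted from that disk until the line is removed.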
