Existence of the following files:

  • C:\bla.hta

  • C:\b.htm

  • C:\Windows\Help\mmsn_offline.htm

  • C:\Windows\Samples\WSH\charts.js

  • C:\Windows\Samples\WSH\charts.vbs

Removal instructions:

1. Make sure that you have the latest updates using BitDefender Live!;

2. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt
user for action"). Choose to delete all the files infected with JS.Gigger.A.

3. Delete the line Echo y | format c: from autoexec.bat if it exists.

Analyzed By

Costin Ionescu
BitDefender Virus Researcher

Technical Description:

This worm spreads through e-mail and local networks, and also infects HTML and ASP files.

The format of an infected e-mail is:
From: < e-mail of an infected person >
Subject: Outlook Express Update
Body: MSNSofware Co.
Body: Microsoft Outlook 98
Attachment: mmsn_offline.htm

If the user opens the attached HTML page, the virus starts and copies itself to the locations shown above (in the Symptoms section). The virus also tries to send itself to all the contacts in the Outlook Address Book and the Windows Address Book. To send e-mail it tries Outlook and the MAPI (Mailing Application Programming Interface) handler (the default handler is Outlook Express).

If the virus cannot create several scripting objects, it tries to write the line Echo y | format c: to c:\autoexec.bat, which on Windows 95/98/ME will attempt to format drive C: at the next restart.

The virus creates the registry key:
Software\Microsoft\Windows\CurrentVersion\Run\NAV DefAlert
with the value C:\Windows\Samples\WSH\charts.vbs, which executes that script at every restart.

To infect machines on local networks, the virus tries to write to shares the file
C:\Windows\Start Menu\Programs\StartUp\msoe.hta, into which it copies itself.

The virus also creates a script.ini file for mIRC that sends the mmsn_offline.htm file to everyone who chats with the victim.
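
The file and autoexec.bat indicators described above can be checked offline against a mounted copy of the affected drive. The following sweep is an added example, not BitDefender's tooling; the function names are hypothetical, the root argument is assumed to be a mounted copy of drive C:, and the registry Run value is not covered because it lives in the registry rather than on the file system.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# File indicators from the description above, relative to the root of drive C:.
FILE_INDICATORS = [
    r"bla.hta",
    r"b.htm",
    r"Windows\Help\mmsn_offline.htm",
    r"Windows\Samples\WSH\charts.js",
    r"Windows\Samples\WSH\charts.vbs",
    r"Windows\Start Menu\Programs\StartUp\msoe.hta",
]
# The destructive autoexec.bat line, tolerant of spacing and letter case.
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)

def resolve_ci(root, win_path):
    """Resolve a Windows-style path under root, ignoring letter case."""
    current = Path(root)
    for part in PureWindowsPath(win_path).parts:
        entries = current.iterdir() if current.is_dir() else ()
        current = next((p for p in entries if p.name.lower() == part.lower()), None)
        if current is None:
            return None
    return current

def sweep(root):
    """Return (kind, detail) findings for a mounted copy of drive C:."""
    findings = []
    for rel in FILE_INDICATORS:
        hit = resolve_ci(root, rel)
        if hit is not None and hit.is_file():
            findings.append(("file", rel))
    autoexec = resolve_ci(root, "autoexec.bat")
    if autoexec is not None and autoexec.is_file():
        lines = autoexec.read_text(errors="replace").splitlines()
        for number, line in enumerate(lines, 1):
            if FORMAT_LINE.match(line):
                findings.append(("autoexec.bat", f"line {number}: {line.strip()}"))
    return findings

if __name__ == "__main__":
    # Constructed sample tree standing in for a mounted image of drive C:.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "WINDOWS", "HELP").mkdir(parents=True)
        Path(root, "WINDOWS", "HELP", "MMSN_OFFLINE.HTM").write_text("constructed")
        Path(root, "AUTOEXEC.BAT").write_text("@echo off\nEcho y | format c:\n")
        print(sweep(root))
```

A finding only shows that a path or line named in the description is present; the scan in the removal instructions decides whether the file is actually infected.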