14 January 2002 Security Advisory

Last week, Symantec Corporation issued a warning regarding a new virus called JS.Gigger.A@mm.

JS.Gigger.A@mm is a worm written in JavaScript. It uses Microsoft Outlook and mIRC to spread. It attempts to delete all files on the computer and to format drive C the next time the computer is restarted.

Virus Definitions: January 9, 2002
Large scale e-mailing: Sends email to all Microsoft Outlook addresses
Deletes files: All files
Modifies files: Autoexec.bat (adds a line that formats drive C on the next restart)
Subject of email: Outlook Express Update
Name of attachment: mmsn_offline.htm

Technical description:

JS.Gigger.A@mm arrives as an email message that has the following characteristics:

Subject: Outlook Express Update
Message: MSNSofware Co.
Attachment: Mmsn_offline.htm

If the attachment is opened and the worm executes, it does the following.

It drops the following files:

C:\Bla.hta
C:\B.htm
C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Help\Mmsn_offline.htm

It infects .html files.

It adds the line

ECHO y|format c:

to the Autoexec.bat file, so that if the computer is restarted, drive C is reformatted. The piped "y" answers the format confirmation prompt, so the format runs unattended during boot; the machine is not damaged until it is restarted.

Next, it drops a Script.ini file to spread itself through mIRC. Norton AntiVirus (NAV) detects the infected Script.ini as IRC.Worm.gen.

The worm then creates the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0

and adds the value

NAV DefAlert    %Windows%\SAMPLES\WSH\Chart.vbs

to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, so that the script is launched each time Windows starts.

NOTE: If the value NAV DefAlert already exists, the worm modifies it. This value name is used by some versions of Norton AntiVirus. In either case, removing it as directed in the removal instructions will not affect the ability of Norton AntiVirus to run or detect viruses.
Next, if the computer is connected to a network, the worm searches network drives and copies itself to \Windows\Start Menu\Programs\StartUp\Msoe.hta on them (the Startup folder, so it runs at the next logon on that machine).

Finally, it attempts to delete all files on the local hard drive.

Recommendation: update the virus signatures for your antivirus software from your vendor and scan your disk. If you do not have antivirus software, buy one; it only costs about $20 a year. Because the worm's most destructive step is the format line it adds to Autoexec.bat, check that file for "ECHO y|format c:" and remove the line before restarting a machine you suspect is infected; the format runs at boot, not when the attachment is opened.

Your privacy is important to me. No one on this list can see your email address. If you want to be removed from this list, just hit the reply button and include the word "remove" at the top of the message.

Information Security advisories are now archived at http://www.workingarts.com/infosecarchives.html

Fredo Martin
Free Information Security Seminar -- details at www.workingarts.com
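Added example, not part of the original advisory or of Symantec's write-up: a small Python script that checks offline for the JS.Gigger.A@mm indicators listed above, given the text of Autoexec.bat, a .reg export of the registry, and a listing of file paths. All sample inputs are constructed for illustration. Two things are my assumptions rather than statements from the advisory: the regular expression that matches the format line regardless of spacing and case, and the rule that a "NAV DefAlert" Run value belongs to the worm only if it points into the WSH samples folder (the advisory says only that Norton also uses that value name, so existence alone is not a reliable indicator).

```python
# Added example, not part of the original advisory: an offline check for the
# JS.Gigger.A@mm indicators it lists. Inputs are the text of Autoexec.bat, a
# .reg export of the registry, and a list of file paths; every sample below is
# constructed for illustration.
import re
from typing import Dict, List

# Dropped/copied files named in the advisory, normalised to lower case.
DROPPED_FILES = [
    r"c:\bla.hta",
    r"c:\b.htm",
    r"c:\windows\samples\wsh\charts.js",
    r"c:\windows\help\mmsn_offline.htm",
    r"c:\windows\start menu\programs\startup\msoe.hta",
]
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "nav defalert"
MARKER_KEY = r"hkey_current_user\software\thegrave\badusers\v2.0"
# Assumption: the worm's Run value points into the WSH samples folder, while a
# genuine Norton "NAV DefAlert" value points somewhere else.
WORM_RUN_SUFFIX = r"\samples\wsh\chart.vbs"

# "ECHO y|format c:" with any spacing or casing; the piped "y" answers the
# confirmation prompt so the format runs unattended at boot.
FORMAT_C_RE = re.compile(r"echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)


def find_format_lines(autoexec_text: str) -> List[int]:
    """1-based line numbers in Autoexec.bat that format drive C unattended."""
    return [n for n, line in enumerate(autoexec_text.splitlines(), 1)
            if FORMAT_C_RE.search(line)]


def parse_reg_export(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key (lower case): {value name (lower case): data}}.

    Handles only quoted REG_SZ values; names containing '=' are not supported.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape quotes and backslashes inside string data.
            data = data.strip().strip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip('"').lower()] = data
    return keys


def check_registry(reg_text: str) -> List[str]:
    """Findings for the worm's Run value and its marker key."""
    keys = parse_reg_export(reg_text)
    findings: List[str] = []
    data = keys.get(RUN_KEY, {}).get(RUN_VALUE)
    if data is not None and data.lower().endswith(WORM_RUN_SUFFIX):
        findings.append(f"Run value 'NAV DefAlert' launches {data}")
    if MARKER_KEY in keys:
        findings.append("Marker key HKCU\\Software\\TheGrave\\badUsers\\v2.0 present")
    return findings


def check_files(paths: List[str]) -> List[str]:
    """Which of the advisory's dropped files appear in a file listing."""
    present = {p.lower() for p in paths}
    return [f for f in DROPPED_FILES if f in present]


def assess(autoexec_text: str, reg_text: str, paths: List[str]) -> Dict[str, object]:
    """Run all three checks; 'infected' is true if any indicator matched."""
    result: Dict[str, object] = {
        "format_lines": find_format_lines(autoexec_text),
        "registry": check_registry(reg_text),
        "files": check_files(paths),
    }
    result["infected"] = any(result.values())
    return result


# Constructed sample inputs mimicking an infected Windows 9x machine.
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\nECHO y|format c:\r\n"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"NAV DefAlert"="C:\\WINDOWS\\SAMPLES\\WSH\\Chart.vbs"

[HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0]
'''
# Constructed clean machine where Norton itself owns the value name (the
# program path is hypothetical).
SAMPLE_REG_CLEAN = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NAV DefAlert"="C:\\Program Files\\Norton AntiVirus\\navdefalert.exe"
'''
SAMPLE_FILES = [r"C:\Bla.hta", r"C:\Windows\Help\Mmsn_offline.htm", r"C:\Windows\Win.ini"]

if __name__ == "__main__":
    for name, value in assess(SAMPLE_AUTOEXEC, SAMPLE_REG, SAMPLE_FILES).items():
        print(f"{name}: {value}")
```

On a real machine you would feed the script the output of "regedit /e" for the Run key and a recursive directory listing; the point of the suffix test on the Run value is to avoid flagging a legitimate Norton installation that happens to use the same value name, which is exactly the ambiguity the advisory's NOTE warns about.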