Here is some new Virus info to watch out for



Posted by The Real DaveH (64.252.3.16) on January 14, 2002 at 06:40:30:

CSRT Update - eSafe Protects You!
=================================

JS.Gigger Vandal

Alias: JS.Gigger.a@mm, VBS_GIGGER.A, IRC_GIGGER.A, GIGGER.A, JS/Gigger-A
Updated on: 14 January, 2001
Threat Level: Medium
Arrival Form: Email, Windows shares, IRC chat
Type: JavaScript, Worm
Platforms: 95, 98, ME, NT, 2000
Damage: Modify files, Delete files

Summary
=======
JS.Gigger is an email-spreading vandal with a potentially dangerous payload.
It could delete files on the computer and format the hard drive. The vandal
arrives by email as an attached HTML file. It can also infect via network
shares and IRC chat programs.

Analysis
========
JS.Gigger is an email-spreading vandal with a potentially dangerous payload.
This JavaScript vandal could delete files on the computer and format the
hard drive. The vandal arrives by email as an attached HTML file. It can also
infect via network shares and IRC chat programs. The email infection can
propagate via Outlook, Outlook Express or an internal MAPI-based email
engine.

The arriving email will have the following characteristics:

Subject: Outlook Express Update (or email of the recipient)

Message body:

MSNSofware Co.

or

Microsoft Outlook 98

Attached file: MMSN_OFFLINE.HTM


Malicious activity
==================

1. Create some or all of the files:

MMSN_OFFLINE.HTM - The complete vandal code.
CHARTS.VBS - Malicious payload code of the vandal.
CHARTS.JS - Same as the HTM file.
BLA.HTA, B.HTM, T.TXT, TEST.TXT - Temporary files created during the
execution of the vandal.
SCRIPT.INI - infects mIRC chat program. This file is created in every
directory.
MSOE.HTA

2. It will add the registry key
HKEY_CURRENT_USER\Software\TheGrave\badUsers"v2.0"

3. It will add the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NAV
DefAlert"=Charts.vbs
This will allow it to run on every restart.

4. It modifies the Outlook Express registry key
HKEY_CURRENT_USER\Identities\ID\Software\Microsoft\Outlook Express\5.0\Mail\
and changes the Outlook Express settings so it will send a copy of the virus
code embedded as stationery in all outgoing email messages.

5. It will send copies of itself to names in Windows address books, Outlook
and Outlook Express address books.

6. It infects HTML pages with the extensions .HTM, .HTML and .ASP, which are
located on all local and network drives.

7. It searches for files on all connected drives, and if the date is 5, 10,
15 or 20, it resets their size to zero, which has the same effect as deleting
them.

8. It can add the line:

Echo y|format C:

to the AUTOEXEC.BAT file. This will format drive C: on the next reboot.

9. The mIRC infection script will attempt to infect other users on any
channel the infected computer enters.
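The indicators listed above (the mail characteristics in the Analysis section and the files, registry entries and AUTOEXEC.BAT line in the Malicious activity section) can be checked offline against exported artefacts. The following is an added example, not part of the eSafe advisory or of any eSafe product; every sample input in it is constructed for illustration, the .reg export layout is assumed, and the "v2.0" entry is assumed to be a value under the badUsers key rather than a subkey.

```python
"""Offline indicator checks for the JS.Gigger advisory (added example).

All sample inputs are constructed; none is a captured artefact.
"""
import re
from email import message_from_string

# Indicators quoted from the advisory text.
GIGGER_FILES = {"MMSN_OFFLINE.HTM", "CHARTS.VBS", "CHARTS.JS", "BLA.HTA",
                "B.HTM", "MSOE.HTA"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NAV DefAlert"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\TheGrave\badUsers"
# Matches the unattended-format line regardless of case or spacing.
FORMAT_LINE = re.compile(r"echo\s+y\s*\|\s*format\s+[a-z]:", re.IGNORECASE)


def check_registry_export(reg_text):
    """Walk a .reg-style export (format assumed) and report the marker key
    and the Run persistence value named in the advisory."""
    findings = []
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower().startswith(MARKER_KEY.lower()):
                findings.append("marker key: " + current_key)
            continue
        if current_key.lower() == RUN_KEY.lower():
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if m and m.group(1).lower() == RUN_VALUE.lower():
                findings.append("run value: %s=%s"
                                % (m.group(1), m.group(2).strip('"')))
    return findings


def check_autoexec(text):
    """Return 1-based line numbers of AUTOEXEC.BAT lines that would format
    a drive without prompting (the advisory's item 8)."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if FORMAT_LINE.search(line)]


def check_email(raw_message):
    """Parse an RFC 822 message and report which of the advisory's mail
    characteristics it shows (subject, subject = recipient, attachment)."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    recipient = (msg.get("To") or "").strip().lower()
    if subject == "outlook express update":
        reasons.append("subject matches")
    elif subject and subject == recipient:
        reasons.append("subject is recipient address")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.upper() == "MMSN_OFFLINE.HTM":
            reasons.append("attachment " + name)
    return reasons


def check_file_listing(paths):
    """Return the paths whose file name is one the advisory says the vandal
    creates (SCRIPT.INI is omitted because mIRC uses it legitimately)."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].upper()
        if name in GIGGER_FILES:
            hits.append(p)
    return hits


# Constructed sample artefacts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\TheGrave\badUsers]
"v2.0"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NAV DefAlert"="Charts.vbs"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"""
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\nEcho y|format C:\r\n"
SAMPLE_EMAIL = """From: sender@example.invalid
To: you@example.invalid
Subject: Outlook Express Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

MSNSofware Co.
--b1
Content-Type: text/html; name="MMSN_OFFLINE.HTM"
Content-Disposition: attachment; filename="MMSN_OFFLINE.HTM"

<html><!-- constructed placeholder, no script --></html>
--b1--
"""
SAMPLE_PATHS = ["C:\\WINDOWS\\Charts.vbs", "C:\\Docs\\report.htm",
                "/mnt/share/mmsn_offline.htm"]

if __name__ == "__main__":
    print(check_registry_export(SAMPLE_REG))
    print(check_autoexec(SAMPLE_AUTOEXEC))
    print(check_email(SAMPLE_EMAIL))
    print(check_file_listing(SAMPLE_PATHS))
```

Each function takes exported text rather than reading the live system, so the same checks can be run against a mailbox export, a `reg export` dump and a copy of AUTOEXEC.BAT collected from a suspect machine.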


eSafe Users
===========
eSafe Desktop and Enterprise users are protected from this vandal with
Sandbox II and System Protector.

eSafe Gateway and eSafe Mail users are advised to add the file
MMSN_OFFLINE.HTM to the "Known vandals" list. This was also added
automatically in the eSafe Proactive lists update. You can use the "Update
now" button in the administrators menu. If the option to "Update lists" is
checked, this list update is done automatically.
eSafe Gateway and eSafe Mail users are also advised to use the SmartScript
filtering to remove malicious scripts from email.

A full vandal/virus table update will be released shortly.

--------------------------------------------------------------------------------
For any eSafe related questions, please contact esafe.support@ealaddin.com
--------------------------------------------------------------------------------
This email is being sent by Aladdin Knowledge Systems Inc. (www.eAladdin.com)