JS_GIGGER.A
Technical Details

Size of malware: 17,184 Bytes

Initial samples received on: Jan 10, 2002

Payload 1: Formats Hard Disk

Payload 2: Deletes Files

Trigger condition 1: Upon execution



Details:

This mass-mailing JavaScript worm requires WSCRIPT.EXE or CSCRIPT.EXE on the target system. Both are installed with Windows by default as part of the Windows Script Host.

It creates the following files:

  • MMSN_OFFLINE.HTM – The main virus code, used as the emailed attachment. It is located in the %Windows%\Help folder.
  • CHARTS.VBS, CHARTS.JS – The VBS file contains the secondary virus code with the payload, infection routine, and mass-mailing routine. The JS file is an exact copy of the .HTM file. Both are located in the %Windows%\Samples\WSH folder.
  • BLA.HTA, B.HTM, T.TXT, TEST.TXT – Temporary files that this malware creates. The first two (BLA.HTA and B.HTM) are exact copies of the worm in .HTA and .HTM format. TEST.TXT is a backup of the Windows Address Book.
  • SCRIPT.INI – Created in every folder of the infected user's drives. It contains mIRC script code that sends the worm to other users when the infected user joins a channel.
  • MSOE.HTA – Dropped in the Windows Startup folder, but only when the worm finds a network shared drive to which it has write access.

Note that if the folders into which this malware drops its files do not exist on the system, the copy operation fails and some of its functionality, such as emailing, file infection, and the payload, does not run.

The worm uses the following three methods of emailing:

  1. Microsoft Outlook Express
    It modifies the Outlook Express mail settings so that every message the infected user composes is sent in HTML format. To embed its virus code in each HTML-formatted message, it modifies the following registry key:

    HKEY_CURRENT_USER\Identities\ID\Software\Microsoft\Outlook Express\5.0\Mail

    Note that ID is a unique key usually in the format "{xxx-xxx-xxx-xxx}" where xxx are hex numbers.

    Under this key it adds the values Compose Use Stationery, Message Send HTML, and Stationery Name. Stationery Name points to the virus code, which tells Outlook Express to use that HTML file as the message template whenever a new message is composed.

  2. Microsoft Outlook
    Upon execution, the worm sends email to all addresses listed in the Microsoft Outlook address book. Note that the Microsoft Outlook and Microsoft Outlook Express address books are different. The details of the email are as follows:

    Subject: Outlook Express Update
    Message Body:

    MSNSofware Co.

    Attachment: MMSN_OFFLINE.HTM

    In addition to sending the infected email to these recipients, it also sends an email to the author, without the attachment. The author's email address is g_dv20@mail.bg
  3. MAPI
    This allows the malware to propagate even when no mail client is installed on the infected user's system. It uses MAPI, the messaging interface Windows provides independently of any particular mail client.

Via MAPI it sends two types of email. The first takes addresses from the Windows Address Book. The second takes addresses from Microsoft Outlook's address book and consists of the following:

Subject: (email address of recipient)
Message Body:

Microsoft Outlook 98

Attachment: MMSN_OFFLINE.HTM

Note that the attachment is displayed in the email as "Reports" rather than under its real filename. This is one way of tricking the user into running it.

In addition to sending the infected email, this malware again sends an email to the author without the attachment.

It searches all drives (fixed and network) to which it has write access for files with the following extensions and infects them by appending its code to the end of the file:

  • .HTM, .HTML
  • .ASP

It does not re-infect previously infected files.
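The file-infection and SCRIPT.INI behaviour above suggests a simple offline check an incident responder can run over a recovered drive image: look for a script block appended after the closing </html> tag in .HTM/.HTML/.ASP files, and for a SCRIPT.INI whose on-JOIN handler DCC-sends a file. The following is an added example written for this page, not code from Trend Micro or from the worm. The appended-script test is a generic heuristic (the exact code JS_GIGGER.A appends is not reproduced here), the SCRIPT.INI pattern is a constructed stand-in for a self-sending mIRC script, and the directory tree is built on the fly from constructed sample files.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the worm infects by appending its script code to the file.
INFECTABLE = {".htm", ".html", ".asp"}

# Heuristic for an appending HTML/ASP infector: a <script> tag that appears
# AFTER the last </html> tag. The exact code JS_GIGGER.A appends is not
# reproduced here, so this is a generic check rather than a signature.
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)

# Constructed mIRC pattern: an on-JOIN handler that DCC-sends a file to the
# joining user. This is the shape of a self-sending SCRIPT.INI, not the
# worm's actual script.
MIRC_JOIN = re.compile(r"\bon\s+\S*:join", re.IGNORECASE)


def has_appended_script(data: str) -> bool:
    """True if a <script> tag follows the final </html>. Files with no
    </html> at all are conservatively treated as clean."""
    closes = list(HTML_CLOSE.finditer(data))
    if not closes:
        return False
    return SCRIPT_OPEN.search(data[closes[-1].end():]) is not None


def is_autosend_script_ini(data: str) -> bool:
    """True if a SCRIPT.INI has an on-JOIN handler that DCC-sends a file."""
    return MIRC_JOIN.search(data) is not None and "/dcc send" in data.lower()


def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Walk root and return sorted (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == "script.ini":
                if is_autosend_script_ini(path.read_text(errors="replace")):
                    findings.append(("mirc-autosend", str(path)))
            elif path.suffix.lower() in INFECTABLE:
                if has_appended_script(path.read_text(errors="replace")):
                    findings.append(("appended-script", str(path)))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Create a constructed directory tree for the demo (no real samples)."""
    root = Path(tempfile.mkdtemp(prefix="gigger-demo-"))
    (root / "web").mkdir()
    (root / "mirc").mkdir()
    clean = "<html><body><p>Quarterly charts</p></body></html>\n"
    # A legitimate inline script INSIDE the document must not be flagged.
    clean_inline = "<html><body><script>var x = 1;</script></body></html>\n"
    # Placeholder appended block standing in for the worm's code.
    infected = clean + '<script language="JScript">/* appended code */</script>\n'
    (root / "web" / "index.htm").write_text(clean)
    (root / "web" / "menu.html").write_text(clean_inline)
    (root / "web" / "default.asp").write_text("<% Option Explicit %>\n" + infected)
    (root / "web" / "notes.txt").write_text(infected)  # not an infectable type
    (root / "mirc" / "SCRIPT.INI").write_text(
        "[script]\nn0=on 1:JOIN:#:{ /dcc send $nick c:\\mirc\\SCRIPT.INI }\n"
    )
    return root


if __name__ == "__main__":
    for reason, path in scan_tree(build_sample_tree()):
        print(f"{reason}: {path}")
```

Running the block against the constructed tree reports only default.asp and mirc\SCRIPT.INI; the page with an inline script inside the document and the .TXT copy of the infected content are left alone, which is the behaviour you want before pointing the scanner at a real drive.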

This malware has the following payloads:

  1. During infection
    When the day of the month is 1, 5, 10, 15 or 20, it clears the attributes of the files it encounters on the infected system's hard drive and network drives and then deletes their contents, leaving them zero bytes in size.
  2. During execution
    While running, it attempts to create several ActiveX objects (for example, the Microsoft Outlook application object). If object creation fails, it adds the following command to AUTOEXEC.BAT so that drive C: is formatted on the next boot:

    Echo y|format C:

It also adds its infection marker to the registry:

HKEY_CURRENT_USER\Software\TheGrave "badUsers" = "v2.0"

It also adds the following registry entry so that CHARTS.VBS runs again each time Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NAV DefAlert" = Charts.vbs
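The registry and AUTOEXEC.BAT artifacts described on this page (the Outlook Express stationery hijack under the per-identity Mail key, the TheGrave marker, the "NAV DefAlert" Run value, and the planted "Echo y|format C:" line) are the indicators a responder checks first. The block below is an added example written for this page, not Trend Micro's tool or the worm's code: it parses a .reg export (the text format produced by REGEDIT's export or `reg export`) and an AUTOEXEC.BAT offline and reports each indicator. The sample export and AUTOEXEC.BAT are constructed; the identity GUID and the ScanRegistry Run value are made up, and the minimal .reg parser skips multi-line hex values.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Indicators taken from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NAV DefAlert"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\TheGrave"
STATIONERY_FILE = "MMSN_OFFLINE.HTM"
# Outlook Express mail settings live under a per-identity GUID key.
OE_MAIL_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Identities\\\{[0-9A-F-]+\}\\Software\\Microsoft\\Outlook Express\\5\.0\\Mail$",
    re.IGNORECASE,
)
FORMAT_C = re.compile(r"echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)


def reg_string(raw: str) -> str:
    """Unquote a REG_SZ value from a .reg export; other types are returned raw."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: raw_value}}.
    Value names containing '=' and multi-line hex values are not handled."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == REG_HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def check_registry(keys: dict[str, dict[str, str]]) -> list[str]:
    """Report the worm's Run entry, infection marker and OE stationery hijack."""
    hits = []
    by_lower = {k.lower(): v for k, v in keys.items()}  # key names are case-insensitive
    for name, value in by_lower.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE.lower() or "charts.vbs" in reg_string(value).lower():
            hits.append(f"run-key: {name} = {reg_string(value)}")
    if MARKER_KEY.lower() in by_lower:
        hits.append(f"infection-marker: {MARKER_KEY}")
    for key, values in keys.items():
        if OE_MAIL_KEY.match(key):
            lower_vals = {n.lower(): v for n, v in values.items()}
            stationery = reg_string(lower_vals.get("stationery name", ""))
            if STATIONERY_FILE.lower() in stationery.lower():
                hits.append(f"oe-stationery: {stationery}")
    return hits


def check_autoexec(text: str) -> list[str]:
    """Report an 'echo y|format C:' line planted in AUTOEXEC.BAT."""
    return [f"autoexec: {line.strip()}" for line in text.splitlines() if FORMAT_C.search(line)]


def scan(reg_text: str, autoexec_text: str) -> list[str]:
    return check_registry(parse_reg_export(reg_text)) + check_autoexec(autoexec_text)


# Constructed .reg export and AUTOEXEC.BAT mimicking an infected Windows 9x box
# (the identity GUID and the ScanRegistry Run value are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"NAV DefAlert"="Charts.vbs"

[HKEY_CURRENT_USER\Software\TheGrave]
"badUsers"="v2.0"

[HKEY_CURRENT_USER\Identities\{1A2B3C4D-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Message Send HTML"=dword:00000001
"Stationery Name"="C:\\WINDOWS\\Help\\MMSN_OFFLINE.HTM"
'''

SAMPLE_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\nEcho y|format C:\n"

if __name__ == "__main__":
    for hit in scan(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(hit)
```

The Run-key test matches on either the value name or a Charts.vbs target, since an attacker-chosen name is the easiest thing to vary; the stationery test only fires on the MMSN_OFFLINE.HTM name given on this page, so a renamed copy would need the Stationery Name path itself inspected (anything pointing outside the normal Outlook Express Stationery folder deserves a look). On a live system the same values can be read with the winreg module instead of a text export.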


For additional information about this threat, see:
Overview
Solution
