For Consumer

Virus Profile: JS/Gigger.a@MM

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/10/2002
Date Added: 1/10/2002
Origin: Unknown
Length: 8,556
Type: Virus
Subtype: JavaScript
DAT Required: 4141
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Windows gives an error upon reboot, "Error in EXE file"
- Most files have been changed to 0 bytes in length
- Most files have the default Windows icon associated with them

Methods of Infection

This virus arrives as an email attachment or embedded JavaScript inside an email message.


JS.Gigger.A@mm (NAV)

Virus Characteristics

This threat is detected as VBS/Generic@MM with the 4141 DATs or newer. It arrives via Internet Relay Chat, or in an email message containing the following information:

Subject: Outlook Express Update
Body: MSNSofware Co.
Attachment: Mmsn_offline.htm

Opening the attachment infects the local system. The worm sends itself to all Microsoft Outlook Contacts and Windows Address Book entries using MAPI. Copies of the worm are created using different formats:

  • C:\B.HTM
  • C:\BLA.HTA
  • C:\WINDOWS\help\mmsn_offline.htm
  • %drive letter%\Start Menu\Programs\StartUp\msoe.hta (on network drives)
The C:\AUTOEXEC.BAT file is over written with Echo y|format c:

All SCRIPT.INI files are overwritten with mIRC script commands to send the virus to others when they join a channel that an infected user is on. All .ASP, .HTM, and .HTML files are overwritten with the virus code. The content of all other files is deleted if the day is 1,5,10,15, or 20, leaving them with 0 bytes of data.

The following registry keys are created:

  • HKEY_LOCAL_SYSTEM\Software\Microsoft\Windows\CurrentVersion\
    Run\NAV DefAlert=C:\WINDOWS\help\mmsn_offline.htm
  • HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
All Users:
Use current engine and DAT files for detection and removal.

If the virus executed on the system, the user may have to reinstall the operating system, all applications, and restore any documents from backup.

Additional Windows ME/XP removal considerations