Viruswarn Forums
Lee Drake (Posts: 238)
05/20/2002 1:18 PM
Early this morning, we learned of a new, somewhat novel, and potentially very dangerous virus threat. Generically identified as the "Gigger" worm, this virus masquerades as an update for Microsoft Outlook Express. However, its real purpose is to attempt to format your hard drive the next time you reboot your computer and to spread itself to other computers on your network and beyond.
As is usual for recent viruses, this one spreads by using the Outlook address book. In addition, it tries to spread through mIRC channels and by installing itself on mapped network drives. Though there have been few reported incidents (so far), this worm has potential to do serious damage and to overwhelm mail and mIRC chat servers.
How to Protect Yourself
As we shall continue to recommend until we're all three blue in the face, the best protection is to avoid opening unexpected attachments, even from known or trustworthy sources.
Since this virus arrives as a plain HTML document, the Outlook Security Subsystem in Outlook 2002 and Outlook 2000 SR-2 will not intercept it. In other words, they offer you no protection whatsoever. Having your Outlook or Outlook Express security settings set to Restricted Zone should offer you some protection. You should have your security settings configured this way all the time anyway.
How to Identify the Virus
According to the Network Associates (McAfee) AVERT Web site, the message has the following characteristics:
Subject: Outlook Express Update
Body: MSNSofware Co.
Attachment: Mmsn_offline.htm
All of the sources that I reviewed for this article agree about the subject and the name of the attachment.
What to Do If You Suspect You Have Been Infected
If you suspect your machine has become infected:
Do not turn your machine off!
Check for signs of infection; the easiest to spot is that your AUTOEXEC.BAT file contains the command "ECHO y|format c" whose purpose is to reformat your hard drive the next time you boot up.
Look for files dropped by the virus:
C:\Bla.hta
C:\B.htm
C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Help\Mmsn_offline.htm
Though there are additional signs of infection, the above should be sufficient to alert you.
Unless you are confident of what you are doing, you should seek professional assistance promptly if you think your machine is infected.
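As an added illustration (not part of the original alert and not a vendor tool), the following Python check looks for the two kinds of indicator listed above under a drive root: the "ECHO y|format c" line in AUTOEXEC.BAT and the four dropped files. The sample drive root it builds is constructed here purely for demonstration.

```python
import os
import tempfile

# Dropped-file paths from the alert, relative to the root of the system drive.
DROPPED_FILES = [
    r"Bla.hta",
    r"B.htm",
    r"Windows\Samples\Wsh\Charts.js",
    r"Windows\Help\Mmsn_offline.htm",
]
# The AUTOEXEC.BAT command the worm adds; matched case-insensitively.
AUTOEXEC_MARKER = "echo y|format c"


def check_gigger_indicators(drive_root):
    """Return a list of indicators found under drive_root (empty list means none)."""
    hits = []
    autoexec = os.path.join(drive_root, "AUTOEXEC.BAT")
    if os.path.isfile(autoexec):
        with open(autoexec, "r", errors="replace") as fh:
            if AUTOEXEC_MARKER in fh.read().lower():
                hits.append("AUTOEXEC.BAT contains format command")
    for rel in DROPPED_FILES:
        # Split on the Windows separator so the check also runs on other platforms.
        if os.path.isfile(os.path.join(drive_root, *rel.split("\\"))):
            hits.append("dropped file present: " + rel)
    return hits


def build_sample_root(infected):
    """Constructed sample drive root (temporary directory) for offline demonstration."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "Help"))
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
        if infected:
            fh.write("@ECHO OFF\r\nECHO y|format c\r\n")
        else:
            fh.write("@ECHO OFF\r\nPATH C:\\WINDOWS\r\n")
    if infected:
        open(os.path.join(root, "Windows", "Help", "Mmsn_offline.htm"), "w").close()
    return root


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, check_gigger_indicators(build_sample_root(flag)))
```

An empty result only means these particular signs are absent; the alert notes there are further signs of infection, so a scanner with current signatures remains the authoritative check.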
What to Do If You Have Been Infected
See http://securityresponse.symantec.com/avcenter/venc/data/pf/js.gigger.a@mm.html on the Symantec Web site for clear step-by-step removal instructions.
Windows ME users should also refer to http://vil.nai.com/vil/virusSummary.asp?virus_k=99301#RemovalInstructions for additional information about repairing the backup directory maintained by that version of Windows. See the "Additional Windows ME Info" topic.
The F-Secure Web site has the following important additional information:
The attachment name is set to "Reports", which is the reason why some email clients may show the attachment as "Reports" instead of "mmsn_offline.htm".
The worm also goes through all hard and mapped network drives, appending the worm code to each file that has extension ".htm", ".html" or ".asp".
Please see the F-Secure article at http://www.fsecure.com/v-descs/gigger.shtml for more details. Their article states further:
If the day of the month is the 1st, 5th, 10th, 15th or 20th, the worm replaces all files on all drives with zero-byte files, destroying their original content.
Though neither of the other sites mentions this specifically, F-Secure has a history of being unusually detailed in its analysis of the effects of viruses.
Trend Micro has a removal tool. Please see http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_GIGGER.A for further details. You should probably get expert assistance if you decide to use the Trend removal tool.
Automatic Detection Info
Recent versions of good virus scanners should detect the "Gigger" worm as a generic. See the list below for your virus scanner.
McAfee VirusScan detects the worm as JS/Gigger.a@MM with engine version 4.0.70 or later and DAT file 4141 or later.
Norton Anti-Virus detects the virus as JS.Gigger.A@mm, though their write-up is mum about how recent your signatures must be.
F-Secure Anti-Virus detects the Gigger worm by heuristics and generic scanning. They don't mention anything about minimum required software or data file versions.
Computer Associates has several products. See the table at http://www3.ca.com/virus/virus.asp?ID=10760 for details on InoculateIT, IPE, Vet, and the eTrust product line.
Trend Micro recommends updating to their latest pattern files. Please review the chart and links at http://www.antivirus.com/download/pattern.asp.
That concludes this Viruswarning alert.
Lee Drake, Moderator