Re: happy virus
- To:
- Subject: Re: happy virus
- From: R* R*
- Date: Thu, 11 Mar 1999 23:38:56 -0500
Ron and the rest,
Here is some info on the Happy99 worm that I picked up in a newsgroup:
"This is like a virus except it attaches itself to emails and can be resent by
an infected person without the sender knowing. Your best friend could
unknowingly send you this with a regular email. I know, I received it. The
info that follows is from Symantec's web site.
Happy99.exe
VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: US, Europe
Keys: Trojan Horse, Worm
Description:
This is a worm program, NOT a virus. This program has reportedly been received
through email spamming and USENET newsgroup posting. The file is usually named
HAPPY99.EXE in the email or article attachment.
When being executed, the program also opens a window entitled "Happy New Year
1999 !!" showing a firework display to disguise its other actions. The program
copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into
WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM
directory and copies the original WSOCK32.DLL into WSOCK32.SKA.
WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered when a
connect or send activity is detected. When such online activity occurs, the
modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a
new article with UUENCODED HAPPY99.EXE inserted into the email or article. It
then sends this email or posts this article.
If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The registry entry loads the worm the next time Windows starts.
Removing the worm manually:
delete WINDOWS\SYSTEM\SKA.EXE
delete WINDOWS\SYSTEM\SKA.DLL
replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
delete the downloaded file, usually named HAPPY99.EXE
Safe Computing:
This worm and other trojan-horse type programs demonstrate the need to
practice safe computing. One should not execute any executable-file attachment
(i.e. EXE, SHS, MS Word or MS Excel file) that comes from an email or a
newsgroup article from an unknown or an untrusted source.
Norton AntiVirus users can protect themselves from this worm by downloading
the virus definitions updates released on Jan 28, 1999 or later either through
LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Raul K. Elnitiarta
January 28, 1999"
Hope this helps...
********************************************************************
Rock
r*@atou.qc.ca
"Of all the things I've lost, I miss my mind the
most."
********************************************************************
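
A host-triage check built from the indicators in the quoted write-up, added here as an example; it is not part of the original message or of Symantec's text. The function names, state labels and the RunOnce clean-up step are assumptions, and the sample directories are constructed.

```python
import os
import tempfile

# Artifact names are the ones listed in the quoted write-up.
DROPPED = ("SKA.EXE", "SKA.DLL")
BACKUP = "WSOCK32.SKA"

def triage(system_dir, runonce_values):
    """Classify a copy of WINDOWS\\SYSTEM plus the RunOnce values of a host."""
    # Windows 95/98 file names are case-insensitive, so compare in upper case.
    present = {name.upper() for name in os.listdir(system_dir)}
    found = [n for n in DROPPED + (BACKUP,) if n in present]
    # A RunOnce value naming SKA.EXE means the worm runs again at next start.
    pending = any(os.path.basename(v.replace("\\", "/")).upper() == "SKA.EXE"
                  for v in runonce_values)
    if BACKUP in present:
        state = "wsock32-patched"     # original DLL was copied aside
    elif pending:
        state = "patch-pending"       # DLL was in use when the worm ran
    elif found:
        state = "dropped-files-only"
    else:
        state = "no-indicators"
    # Removal steps follow the order given in the write-up.
    steps = [f"delete {n}" for n in DROPPED if n in present]
    if BACKUP in present:
        steps.append("replace WSOCK32.DLL with WSOCK32.SKA")
    if pending:
        # Assumption: this step is not in the write-up's removal list.
        steps.append("remove the SKA.EXE RunOnce value")
    return {"state": state, "found": found, "steps": steps}

def make_sample(names):
    """Build a constructed stand-in for WINDOWS\\SYSTEM using empty files."""
    d = tempfile.mkdtemp()
    for n in names:
        open(os.path.join(d, n), "w").close()
    return d

if __name__ == "__main__":
    patched = make_sample(["ska.exe", "Ska.dll", "wsock32.dll", "wsock32.ska"])
    print(triage(patched, []))
    waiting = make_sample(["SKA.EXE", "SKA.DLL", "WSOCK32.DLL"])
    print(triage(waiting, ["SKA.EXE"]))
```
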