[Fwd: fwd info on happy99]


This delightful beastie was stuck at the bottom of pumpkins digest no621

You work it out
Lyn


  • To: lyn
  • Subject: fwd info on happy99
  • From: r*
  • Date: Fri, 12 Mar 1999 09:47:09 +0000
 
-- 
this message was romana's bit
shaun & romana                  icq:10469563
'into the universe, and why not knowing'
 


  • To: v*@mLists.net, b*@nb.net
  • Subject: Re: Lightning Bug Pattern?
  • From: r* m* m*
  • Date: Thu, 11 Mar 1999 13:05:44 -0600

Bruce you need to clean the Happy99.exe virus off of your computer!

Information about the happy99, ska Trojan:

Happy99 is a Win32 based Trojan program. When this program is executed
it will display some fireworks. Apart from the fireworks display this
program will do some other activity in the background without the
user's permission. In the background this program will create two files
SKA.EXE and SKA.DLL. It will alter WSOCK32.DLL to put its code into that
file and keep the original file as WSOCK32.SKA. It can not modify the
WSOCK32.DLL file if it is in use. In such a case this program will add
an entry to the Windows Registry to run SKA.EXE the next time the
computer is booted so that it can do these modifications. The size of
this trojan file is 10000 bytes.

You will not get infected by Happy99 merely by downloading the trojan
file. You will have to execute it to get infected.

The modified WSOCK32.DLL has routines to detect the email and newsgroup
postings made by the user. It will send a copy of the SKA.EXE file
renamed as happy99.exe to every user or newsgroup to whom the user
sends an email. Each recipient will get the email only once and the
trojan will not send repeat email to the same user. It will send a
separate email retaining the subject of the first email with the file as
an attachment. The trojan also maintains the file LISTE.SKA which
contains the list of all email addresses and newsgroups to which this
file has been sent. The unique function of this trojan is that it can
spread on its own.

Happy99 first appeared in January 1999 and it is reported to have
affected a lot of users.

  Other names of happy99:

This trojan is also known as win32.ska.a, ska, wsock32.ska and ska.exe.

  What is happy99? Trojan, Virus or Worm?

This program can only be classified as a Trojan. It is not a virus as it
does not replicate itself. It does not attach itself to any other file
or program. It is also not a worm as even though it can spread on its
own, it needs to be executed to get control. A worm is capable of
spreading and infecting the target computer on its own. Happy99/Ska is a
trojan with the capability to distribute itself.

  Removing happy99 from your computer:

You can also remove this trojan manually from your computer. To do that,
first check the WINDOWS\SYSTEM folder for the presence of these files.

1. SKA.EXE
2. SKA.DLL
3. WSOCK32.SKA

If you find these files then you have been attacked by the Happy99
Trojan. To remove this trojan do the following:

1. Delete SKA.EXE, SKA.DLL and WSOCK32.DLL
2. Rename WSOCK32.SKA as WSOCK32.DLL

Make sure that you have WSOCK32.SKA file before deleting WSOCK32.DLL and
ensure that you have renamed this file properly. You may have to close
your Browser, Email software, etc. to delete and rename the DLL files.

Someone recently posted an attachment of Happy99.exe. Do not run the
attachment! Just viewing the message without running the attachment is
harmless, but if you run the attachment then you become infected with
the Happy99 Internet worm.

What is the Happy99?
It is an executable file. Once it is activated (i.e. executed), and
until it is removed, whenever you post a message to someone, it will
also initiate another post to the same address(es) with itself as an
attachment. The message will appear as if it was posted from you. This
is the way this Internet worm spreads itself.

As a matter of policy people should not execute executable files,
unless they are from known sources, but as the message appears to come
from a known source (someone who posted another message to you,
so that the person might be well known and trusted by you) people
make the mistake and execute the Happy99.

All virus databases already mentioned this worm. You may, for example
look for more info on the Happy99 on:
http://www.DataFellows.com/v-descs/ska.htm

If someone "posted" this attachment to you, but you were careful and
did not get infected, it is recommended to warn the person.

If your computer got infected, you may use the F-Prot antivirus program
(free for private use) in order to clean it, and then post a notice to
the person who "posted" the attachment, and also to the people who got a
message from you during the time you were infected.
The F-Prot program can be found on:
ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/fp-304a.zip

I believe that other Antivirus software is also able to remove it.

You MAY use this message AS A WHOLE to warn other people but under
any circumstances, DO NOT forward this message after 31 March 1999.

Virus warnings have the tendency to spread long after the actual
viruses disappear.


To err is human, to forgive canine.
-Anonymous-
Robert Morger_Boerne_Tx.
Need fly tying information Join <FLYTIE@ONELIST.COM>
Go to Http://www.onelist.com become a member and join the fun
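
The manual check and removal order described in the message above, written out as an added example (it is not part of the original e-mail or of any antivirus product). It assumes Python is available and that the folder passed in is a WINDOWS\SYSTEM directory or a copy of one; `triage`, `removal_plan`, `make_sample` and every sample file size other than the 10000 bytes quoted in the message are constructed for illustration. The script only reports and plans, it deletes nothing.

```python
import os
import tempfile

INDICATORS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")  # files named in the message
TROJAN_SIZE = 10000  # bytes, the size the message gives for the trojan file

def triage(system_dir):
    """Check one WINDOWS\\SYSTEM folder (live, or copied from a disk image)."""
    # Windows file names are case-insensitive: index by upper-cased name.
    on_disk = {name.upper(): name for name in os.listdir(system_dir)}
    found = [n for n in INDICATORS if n in on_disk]
    size_matches = None  # None means SKA.EXE is absent
    if "SKA.EXE" in on_disk:
        path = os.path.join(system_dir, on_disk["SKA.EXE"])
        size_matches = os.path.getsize(path) == TROJAN_SIZE
    return {"found": found, "ska_exe_size_matches": size_matches,
            "backup_present": "WSOCK32.SKA" in on_disk}

def removal_plan(findings):
    """Ordered steps from the message; WSOCK32.DLL is only replaced when
    the original copy (WSOCK32.SKA) is there to be renamed back."""
    if not findings["found"]:
        return []
    steps = [("delete", n) for n in ("SKA.EXE", "SKA.DLL")
             if n in findings["found"]]
    if findings["backup_present"]:
        steps.append(("delete", "WSOCK32.DLL"))
        steps.append(("rename", "WSOCK32.SKA", "WSOCK32.DLL"))
    else:
        steps.append(("hold", "WSOCK32.SKA missing: leave WSOCK32.DLL in place"))
    return steps

def make_sample(files):
    """Build a constructed sample folder from {file name: size in bytes}."""
    folder = tempfile.mkdtemp(prefix="happy99_sample_")
    for name, size in files.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"\0" * size)
    return folder

if __name__ == "__main__":
    # Constructed sample: mixed-case names, as an old FAT volume may show them.
    sample = make_sample({"ska.exe": 10000, "Ska.dll": 8192,
                          "wsock32.ska": 66560, "WSOCK32.DLL": 76560})
    result = triage(sample)
    print(result)
    for step in removal_plan(result):
        print(step)
```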
