Re: Virus infected program - Happy99.exe
- To: l*@execpc.com (Don Martinson)
- Subject: Re: Virus infected program - Happy99.exe
- From: C* P* L*
- Date: Sun, 15 Aug 1999 20:32:16 -0500 (CDT)
> I realize this is OT, but I just received an e-mail attachment through this
> list called Happy99.exe.
> It was received from Evano & LB <Pblob@lara.on.ca>
>
> This is a virus infected program! Please see this site run by IBM for more
> information on the damage that it can cause:
> http://www.av.ibm.com/BreakingNews/VirusAlert/Happy/
>
> This is one of the reasons that attachments are generally banned from
> e-mail lists.

For what it's worth, filters that I have set up are *supposed* to block
HAPPY.EXE, melissa, Mad Cow, papa, et al so that they don't go to the
list, but it (obviously) failed this time through.

Here's the message that's supposed to go back to the sender (well, this
is the one from the systems at NCSA -- I grabbed it since I know that
it works and was easier to get to. :)

For those of you technically interested, the key identifier for HAPPY.EXE
is the inclusion of an 'X-Spanska: yes' header. If that header exists,
the email is tainted with a trojaned attachment.

Chris
----------------------------------------------------------------------
Hi,

It looks like your system is infected by a trojan horse called
HAPPY.EXE, and tried to send a copy of itself to an NCSA mailing
list or address as an attachment. At some point you probably ran a
program under the same name and saw a nice fireworks display on your
monitor, but it also infected your system.

Fortunately, the filters in place on the NCSA servers caught the
message before it was sent out to everyone, so no harm was done.
However, any messages that you send to other lists or people not at
NCSA will probably get through.

There are some instructions on removing the trojan horse at:

http://www.pspl.com/trojan_info/win32/happy99.htm

"You can also remove this trojan manually from your computer. To
do that, first check the WINDOWS\SYSTEM folder for the presence
of these files.

1. SKA.EXE
2. SKA.DLL
3. WSOCK32.SKA

If you find these files then you have been attacked by the
Happy99 Trojan. To remove this trojan do the following:

1. Delete SKA.EXE, SKA.DLL and WSOCK32.DLL
2. Rename WSOCK32.SKA as WSOCK32.DLL

Make sure that you have WSOCK32.SKA file before deleting
WSOCK32.DLL and ensure that you have renamed this file
properly. You may have to close your Browser, Email software,
etc. to delete and rename the DLL files."

The above URL also provides more detailed information about
the actual trojan horse (if you care about that kind of thing).

Christopher Lindsey
postmaster@ncsa.uiuc.edu

P.S. The moral of the story is to never run attachments that someone
sends you unless you trust that person implicitly AND they've
told you that they're sending you an attachment in their message.
If you're not sure, send them a message back asking if they meant
to send you an attachment.
---------------------------------------------------------------------
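
The header check described in the message above, as an added example that is not part of the original post and is not the filter NCSA or this list ran. It flags any message carrying an X-Spanska header, and as a secondary check it also flags an attachment named after the file in the thread subject; that filename check, the function name and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

MARKER_HEADER = "X-Spanska"        # identifier named in the post
SUSPECT_NAMES = {"happy99.exe"}    # assumption: filename from the thread subject

def check_message(raw):
    """Return the reasons a raw message should be held; empty list if none."""
    msg = message_from_string(raw)
    reasons = []
    # Header-name lookup is case-insensitive. Presence alone is the signal,
    # whatever value the header carries.
    if msg.get_all(MARKER_HEADER) is not None:
        reasons.append("header %s present" % MARKER_HEADER)
    # Secondary check (assumption): a copy whose marker header was lost in
    # transit still carries the attachment under its usual name.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() in SUSPECT_NAMES:
            reasons.append("attachment named %s" % name)
    return reasons

# Constructed sample messages, not captured traffic.
TAINTED = ("From: sender@example.org\nTo: list@example.org\n"
           "Subject: hello\nx-spanska: Yes\n\nbody text\n")
CLEAN = ("From: sender@example.org\nTo: list@example.org\n"
         "Subject: hello\n\nbody text\n")
FORWARDED = ("From: sender@example.org\nSubject: look at this\n"
             "MIME-Version: 1.0\n"
             'Content-Type: multipart/mixed; boundary="b1"\n\n'
             "--b1\nContent-Type: text/plain\n\nsee attached\n"
             "--b1\nContent-Type: application/octet-stream\n"
             'Content-Disposition: attachment; filename="Happy99.exe"\n'
             "Content-Transfer-Encoding: base64\n\nAAAA\n"
             "--b1--\n")

if __name__ == "__main__":
    for label, raw in (("tainted", TAINTED), ("clean", CLEAN),
                       ("forwarded", FORWARDED)):
        print(label, check_message(raw) or "pass")
```

A list server would run a check like this before distribution and, on a non-empty result, hold the message and send the notice to the sender instead.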