Looper's Delight Archive

Happy99.exe VIRUS



Ok folks- I hate those chain mails about some bullshit virus alert but
this is for REAL-

I got an e-mail with an attachment that was named "Happy99.exe"- when
you open it you see a fireworks display- well, someone wrote me right
after (on a mailing list) and said it was a virus so I searched the
internet and found out it is a real virus! The following link will tell you
about it-
http://www.datafellows.fi/v-descs/ska.htm

Do not restart your computer until you have removed all the virus files
if you received Happy99.exe in an e-mail and opened it and saw the
fireworks display!
If you have the file but have not opened it just delete it.

Most of the virus files are in C:\Windows\System
There is also a key in the directory that needs to be removed.
If you have Win 98 you can re-install your Winsock32.dll file which is
modified by the virus.

Contact me if you need any help-
I hope you are all well-

Clifford

If you have any questions or need help you can call me-

Here is the info on the virus:
--------------------------------------------------------------------------------------

NAME: Win32/Ska.A
ALIAS: Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA
SIZE: 10000

Win32/Ska.A is a Win32-based e-mail and newsgroup worm. It displays fireworks when executed the first time as Happy99.exe. (Normally this file arrives as an e-mail attachment to a particular PC, or it is downloaded from a newsgroup.)

When executed the first time, it creates SKA.EXE and SKA.DLL in the system directory. SKA.EXE is a copy of HAPPY99.EXE. SKA.DLL is packed inside SKA.EXE. After this Ska creates a copy of WSOCK32.DLL as WSOCK32.SKA in the system directory. Then it tries to patch WSOCK32.DLL so that its export entries for two functions will point to new routines (the worm's own functions) inside the patched WSOCK32.DLL. If WSOCK32.DLL is in use, Ska.A modifies the registry's RunOnce entry to execute SKA.EXE during the next boot-up. (When executed as SKA.EXE it does not display the fireworks; it just tries to patch WSOCK32.DLL until it is no longer in use.)

The "Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the worm is able to see if the local user has any activity on the network. When the "Connect" or "Send" APIs are called, Ska loads its SKA.DLL, which contains two exports: "news" and "mail".

Then it spams itself to the same newsgroups or the same e-mail addresses the user was posting or mailing to. It maps SKA.EXE into memory, converts it to uuencoded format and mails an additional e-mail or newsgroup post with the same header information as the original message but containing no text, just an attachment called Happy99.exe.

Therefore Happy99 is not limited like the Win32/Parvo virus, which is unable to use a particular news server when the user does not have access to it. The worm also maintains a list of the addresses to which it has posted a copy of itself. This is stored in a file called LISTE.SKA. (The number of entries in this file is limited.)

The worm contains the following encrypted text, which is not displayed:

    Is it a virus, a worm, a trojan?
    MOUT-MOUT Hybrid (c) Spanska 1999.

The mail header of the manipulated mails will contain a new field called "X-Spanska: YES". Normally this header field is not visible to receivers of the message.

Since the worm does not check WSOCK32.DLL's attributes, it cannot patch it if it is set to read-only.
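Added example (the editor's, not from Clifford's post or from the F-Secure write-up): a small Python scanner for the two mail-side indicators the description gives, the "X-Spanska: YES" header and a uuencoded attachment named Happy99.exe sitting inline in an otherwise empty body. The sample message is constructed for the example; the attachment bytes are junk with an "MZ" prefix standing in for the worm's 10000-byte executable, not the worm itself.

```python
"""Scan an RFC 822 message for the Happy99 / Win32/Ska.A mail-side indicators
described in the F-Secure write-up quoted above: an "X-Spanska: YES" header
and a uuencoded attachment named Happy99.exe.  Editor's example; the sample
message and its 'attachment' bytes below are constructed, not the worm."""
import binascii
import re
from email import message_from_string

# "begin <mode> <filename>" opens a uuencoded blob; the worm sends it inline.
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3}\s+(\S+)\s*$", re.IGNORECASE)


def extract_uuencoded(body: str):
    """Return [(filename, decoded_bytes)] for every uuencoded blob in body."""
    results = []
    lines = body.splitlines()
    i = 0
    while i < len(lines):
        m = UU_BEGIN.match(lines[i])
        if not m:
            i += 1
            continue
        name = m.group(1)
        data = bytearray()
        i += 1
        while i < len(lines) and lines[i].strip() != "end":
            line = lines[i]
            if not line or line.strip() == "`":   # zero-length terminator line
                i += 1
                continue
            try:
                data += binascii.a2b_uu(line)
            except binascii.Error:                 # malformed line: stop this blob
                break
            i += 1
        results.append((name, bytes(data)))
        i += 1                                     # skip the "end" line
    return results


def scan_message(raw: str) -> dict:
    """Report the indicators found in one raw message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    attachments = extract_uuencoded(body)
    findings = {
        # header lookup is case-insensitive in the email package
        "x_spanska": msg.get("X-Spanska", "").strip().upper() == "YES",
        "happy99_attachment": any(n.lower() == "happy99.exe" for n, _ in attachments),
        "attachment_sizes": {n: len(d) for n, d in attachments},
        # a decoded attachment starting with "MZ" is a DOS/PE executable
        "pe_header": any(d[:2] == b"MZ" for _, d in attachments),
    }
    findings["suspicious"] = findings["x_spanska"] or findings["happy99_attachment"]
    return findings


def build_sample_message(payload: bytes, name: str = "Happy99.exe") -> str:
    """Construct a message shaped like the worm's: same headers style, empty
    text, one inline uuencoded attachment (45 input bytes per encoded line)."""
    uu = "begin 644 %s\n" % name
    for off in range(0, len(payload), 45):
        uu += binascii.b2a_uu(payload[off:off + 45]).decode("ascii")
    uu += "`\nend\n"
    return ("From: someone@example.org\nTo: list@example.org\n"
            "Subject: re: looping\nX-Spanska: YES\n\n" + uu)


# Constructed inputs: fake 100-byte "executable" and a harmless control message.
SAMPLE = build_sample_message(b"MZ" + b"\x00" * 98)
CLEAN = ("From: someone@example.org\nTo: list@example.org\n"
         "Subject: re: looping\n\nHere is the loop I mentioned.\n")

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, scan_message(raw))
```

The header check alone is enough to catch the worm's own outgoing posts; the uuencode decoding is there so the same scanner can triage a Happy99.exe attachment that arrived without the header (the write-up says the header is normally not visible to receivers, but it is still present in the raw message). A real deployment would run this over a mail spool or a news feed rather than the constructed strings.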