
Happy99 Worm / Virus Warning



Warning - Happy99 hit the list again.

Do NOT open any file labelled happy99.exe

If you do, you will be infected and you need to follow the instructions 
below. I have already emailed the sender and will delete it from the digest 
in a minute, so the only people affected should be those on immediate delivery.

Thanks

- - Eric

Description:
This is a worm program, NOT a virus. This program has
reportedly been received through email spamming and
USENET newsgroup posting. The file is usually named
HAPPY99.EXE in the email or article attachment.
When being executed, the program also opens a window
entitled "Happy New Year 1999 !!" showing a firework
display to disguise its other actions. The program
copies itself as SKA.EXE and extracts a DLL that it
carries as SKA.DLL into WINDOWS\SYSTEM directory. It
also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory
and copies the original WSOCK32.DLL into WSOCK32.SKA.
WSOCK32.DLL handles internet-connectivity in Windows
95 and 98. The modification to WSOCK32.DLL allows the
worm routine to be triggered when a connect or send
activity is detected. When such online activity
occurs, the modified code loads the worm's SKA.DLL.
This SKA.DLL creates a new email or a new article
with UUENCODED HAPPY99.EXE inserted into the email or
article. It then sends this email or posts this
article.
If WSOCK32.DLL is in use when the worm tries to
modify it (i.e. a user is online), the worm adds a
registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The registry entry loads the worm the next time
Windows starts.
Removing the worm manually:
1. Delete WINDOWS\SYSTEM\SKA.EXE
2. Delete WINDOWS\SYSTEM\SKA.DLL
3. Replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
4. Delete the downloaded file, usually named HAPPY99.EXE


 *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *   *
 The ST Mailing list is sponsored by the Unofficial ST Website
   http://www.TriumphNet.com/st for ST and Mailing List info
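
The check below is an added example, not part of the original message: it looks for the files and the RunOnce entry named in the description, given a copy of a WINDOWS\SYSTEM directory (for instance from a disk image) and a REGEDIT4 text export of the registry. The directory contents, the export layout and the value name "example" are constructed assumptions.

```python
import os
import tempfile

# Artifact names taken from the description above; matching is case-insensitive
# because file names on Windows 95/98 are not case-sensitive.
ARTIFACTS = {
    "ska.exe": "worm copy (removal step 1: delete)",
    "ska.dll": "worm DLL (removal step 2: delete)",
    "wsock32.ska": "backup of original WSOCK32.DLL (removal step 3: restore)",
}
RUNONCE = r"[hkey_local_machine\software\microsoft\windows\currentversion\runonce]"


def scan_system_dir(system_dir):
    """Return {artifact: meaning} for worm files present in a WINDOWS\\SYSTEM copy."""
    present = {name.lower() for name in os.listdir(system_dir)}
    return {a: why for a, why in ARTIFACTS.items() if a in present}


def runonce_hits(reg_export_text):
    """Return RunOnce value lines that reference SKA.EXE in a REGEDIT4 export."""
    hits, in_runonce = [], False
    for line in reg_export_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):           # a new key section begins
            in_runonce = stripped.lower() == RUNONCE
        elif in_runonce and "ska.exe" in stripped.lower():
            hits.append(stripped)
    return hits


def demo():
    """Run both checks on constructed sample data (not real captures)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("WSOCK32.DLL", "Ska.exe", "SKA.DLL", "WSOCK32.SKA", "KERNEL32.DLL"):
            open(os.path.join(d, name), "wb").close()
        files = scan_system_dir(d)
    reg = ("REGEDIT4\n\n"
           "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
           "\"SystemTray\"=\"SysTray.Exe\"\n\n"
           "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\n"
           "\"example\"=\"SKA.EXE\"\n")
    return files, runonce_hits(reg)


if __name__ == "__main__":
    found, reg_hits = demo()
    for name, why in found.items():
        print(f"{name}: {why}")
    for hit in reg_hits:
        print("RunOnce:", hit)
```

If `wsock32.ska` is absent from the result while the other artifacts are present, step 3 has no backup to restore from on that system.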
