
Warning the HAPPY 1999 is a virus.

To: "'MGB'" <mgs@autox.team.net>
Subject: Warning the HAPPY 1999 is a virus.
From: Tom Emmons <tom@emmons.com>
Date: Thu, 11 Feb 1999 02:43:47 -0600
Warning and apologies

   I take viruses very seriously.  Well, I was hit by a post off this group. 
 The program that hit me is not considered dangerous but can cause E-mail 
problems.  If you got an E-mail from me or anyone with subject "HAPPY1999" 
and with a file attached called "HAPPY99.EXE", delete it.  Details are 
below.  If you have already run the program, do a find on "ska.exe or 
ska.dll".  If any of these files are found, delete them.  Make sure you have 
the latest in protection.  I recommend very highly McAfee AntiVirus.  Here 
is a link to a web page that describes more detail about the virus.  The 
latest of McAfee will detect and clean the virus.

http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.htm

     What the E-mail does is every time you go into E-mail or News groups 
connected to the internet it will try to replicate new E-mails with the 
"HAPPY99.EXE" file.  It is not supposed to hurt anything but just causes 
an E-mail change throughout the internet.  It also appears that the file 
will only work when you execute the file while online.

Happy99.Worm
VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: US, Europe
Keys: Trojan Horse, Worm

Description:
This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file
is usually named HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy
New Year 1999 !!" showing a firework display to disguise its other
actions. The program copies itself as SKA.EXE and extracts a DLL that
it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies
WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original
WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered
when a connect or send activity is detected. When such online activity
occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL
creates a new email or a new article with UUENCODED HAPPY99.EXE
inserted into the email or article. It then sends this email or posts
this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user
is online), the worm adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the worm manually:

delete WINDOWS\SYSTEM\SKA.EXE
delete WINDOWS\SYSTEM\SKA.DLL
replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
delete the downloaded file, usually named HAPPY99.EXE
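
The removal steps above, turned into a triage check for a copy of a WINDOWS\SYSTEM directory (for example from a mounted disk image). This is an added example, not part of the original message or the quoted advisory; the function names `triage` and `make_sample` are hypothetical, and the sample directory is constructed.

```python
import os
import tempfile

# Artifact names come from the advisory text; all sit in WINDOWS\SYSTEM.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP = "WSOCK32.SKA"   # the worm's copy of the original WSOCK32.DLL


def triage(system_dir):
    """Return (action, file) steps from the advisory that apply to system_dir."""
    # Windows 9x names are case-insensitive: index by upper-case name.
    present = {name.upper(): name for name in os.listdir(system_dir)}
    steps = [("delete", present[n]) for n in WORM_FILES if n in present]
    if BACKUP in present:
        # A backup exists, so WSOCK32.DLL is the modified copy.
        steps.append(("restore WSOCK32.DLL from", present[BACKUP]))
    elif steps:
        # Inference from the advisory: worm files without a backup mean the
        # DLL was in use and the patch is deferred via the RunOnce entry.
        steps.append(("check registry RunOnce for", "SKA.EXE"))
    return steps


def make_sample(files):
    """Build a constructed SYSTEM directory containing empty files."""
    root = tempfile.mkdtemp(prefix="system_")
    for name in files:
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    # Constructed sample: a fully infected SYSTEM directory, mixed case.
    sample = make_sample(["Ska.exe", "SKA.DLL", "wsock32.dll", "WSOCK32.SKA"])
    for action, target in triage(sample):
        print(action, target)
```

An empty result means none of the advisory's file artifacts were found in that directory; it says nothing about the HAPPY99.EXE attachment itself, which may be saved anywhere.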

