Klarinet Archive - Posting 000662.txt from 1999/04

From: Dave Sandusky <daves@-----.com>
Subj: Re: [kl] Re:New Virus
Date: Wed, 14 Apr 1999 14:09:29 -0400

Some info from the Symantec web site:

This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment.

When executed, the program also opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles Internet connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with a UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce@-----.EXE

The registry entry loads the worm the next time Windows starts.

Removing the worm manually:

1. delete WINDOWS\SYSTEM\SKA.EXE
2. delete WINDOWS\SYSTEM\SKA.DLL
3. in the WINDOWS\SYSTEM directory, rename WSOCK32.DLL to WSOCK32.BAK
4. in the WINDOWS\SYSTEM directory, rename WSOCK32.SKA to WSOCK32.DLL
5. delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you from doing steps #3 and #4 above if the machine is still connected to the Internet. The file "windows\system\wsock32.dll" is used whenever the machine is connected to the Internet (i.e. through a dial-up or LAN connection).

If you are using a dial-up connection (i.e. America Online), you need to do the following:

1. terminate the Internet connection
2. delete WINDOWS\SYSTEM\SKA.EXE
3. delete WINDOWS\SYSTEM\SKA.DLL
4. in the WINDOWS\SYSTEM directory, rename WSOCK32.DLL to WSOCK32.BAK
5. in the WINDOWS\SYSTEM directory, rename WSOCK32.SKA to WSOCK32.DLL
6. delete the downloaded file, usually named HAPPY99.EXE

If you are connected to the Internet through a LAN (i.e. in the office or via cable modem), you need to do the following:

1. From the Start menu, select Shut Down, then "Restart in MS-DOS mode"
2. type CD windows\system when the DOS prompt (C:) appears
3. type RENAME WSOCK32.DLL WSOCK32.BAK
4. type RENAME WSOCK32.SKA WSOCK32.DLL
5. type DEL SKA.EXE
6. type DEL SKA.DLL

Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article from an untrusted source.

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:

http://www.symantec.com/avcenter/download.html

Gary Truesdail wrote:

> Watch out for a new virus that is being sent to mail rings. It is
> called Happy99
>
> Don't download or double click on anything with Happy99.
>
> -------------------------------------------------------------------------
> Unsubscribe from Klarinet, e-mail: klarinet-unsubscribe@-----.org
> Subscribe to the Digest: klarinet-digest-subscribe@-----.org
> Additional commands: klarinet-help@-----.org
> Other problems: klarinet-owner@-----.org

-------------------------------------------------------------------------
Unsubscribe from Klarinet, e-mail: klarinet-unsubscribe@-----.org
Subscribe to the Digest: klarinet-digest-subscribe@-----.org
Additional commands: klarinet-help@-----.org
Other problems: klarinet-owner@-----.org
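The manual removal steps quoted above, turned into a check-and-restore routine as an added example (not part of the Symantec write-up or this post). It looks for the SKA.EXE, SKA.DLL and WSOCK32.SKA artefacts in whatever directory it is pointed at, refuses to touch WSOCK32.DLL while the machine is online (the rename fails then anyway), and only swaps WSOCK32.DLL out when the worm's saved copy WSOCK32.SKA is present, so a machine whose DLL was never patched keeps a working winsock. The demo builds a constructed SYSTEM directory in a temp folder rather than using C:\WINDOWS\SYSTEM.

```python
from pathlib import Path
import tempfile

SKA_FILES = ("SKA.EXE", "SKA.DLL")      # the worm's own copy and its DLL
WSOCK_DLL, WSOCK_BAK, WSOCK_ORIG = "WSOCK32.DLL", "WSOCK32.BAK", "WSOCK32.SKA"


def _files(system_dir):
    """Map upper-cased file names to paths (FAT names are case-insensitive)."""
    return {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}


def find_indicators(system_dir):
    """Return the Happy99 artefacts present in system_dir, sorted by name."""
    present = _files(system_dir)
    return sorted(n for n in SKA_FILES + (WSOCK_ORIG,) if n in present)


def clean_happy99(system_dir, online):
    """Apply the manual removal steps and return the list of actions taken."""
    if online:
        raise RuntimeError("disconnect from the Internet first; WSOCK32.DLL is in use")
    d, files, actions = Path(system_dir), _files(system_dir), []
    for name in SKA_FILES:                        # steps 1-2: delete the worm files
        if name in files:
            files[name].unlink()
            actions.append(f"deleted {name}")
    if WSOCK_ORIG in files:                       # steps 3-4: put the original DLL back
        if WSOCK_DLL in files:
            files[WSOCK_DLL].rename(d / WSOCK_BAK)
            actions.append(f"renamed {WSOCK_DLL} -> {WSOCK_BAK}")
        files[WSOCK_ORIG].rename(d / WSOCK_DLL)
        actions.append(f"renamed {WSOCK_ORIG} -> {WSOCK_DLL}")
    return actions


def demo():
    """Constructed infected SYSTEM directory: check it, clean it, re-check it."""
    d = Path(tempfile.mkdtemp())
    for name, body in [("SKA.EXE", b"worm"), ("SKA.DLL", b"worm dll"),
                       ("WSOCK32.DLL", b"patched"), ("WSOCK32.SKA", b"original")]:
        (d / name).write_bytes(body)
    before = find_indicators(d)
    actions = clean_happy99(d, online=False)
    restored = (d / "WSOCK32.DLL").read_bytes() == b"original"
    return before, actions, find_indicators(d), restored


if __name__ == "__main__":
    print(demo())
```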

Copyright © Woodwind.Org, Inc. All Rights Reserved