

Not a Hoax !!

My computer wouldn't boot today. After much lost time, I discovered that it
had been attacked by the Happy99.Worm program. If you opened and viewed
the pretty fireworks animation, then you are infected! This was attached to
a recent post to the SEAint Listserv. Our corporate virus protection
system, LANDesk, didn't catch it! Here is more information, courtesy of
Symantec. It is worthwhile reading!

Stan Caldwell, P.E.
Recovering in Dallas
  _____  

 

Happy99.Worm

VirusName:        Happy99.Worm
Aliases:          Trojan.Happy99, I-Worm.Happy
Likelihood:       Common
Region Reported:  US, Europe
Keys:             Trojan Horse, Worm
 
 
 
Description:

This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.
 

Removing the worm manually:

   1. delete WINDOWS\SYSTEM\SKA.EXE
   2. delete WINDOWS\SYSTEM\SKA.DLL
   3. replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
   4. delete the downloaded file, usually named HAPPY99.EXE
 

Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable-file attachment (i.e. EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article from an unknown or an untrusted source.
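
Added example, not part of the original post or of Symantec's advisory: a read-only Python check of an offline copy of WINDOWS\SYSTEM (for instance from a mounted disk image) for the files and RunOnce entry the advisory lists. The function names, the REGEDIT4 text-export input and the value name in the sample are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# File names and registry key are the ones listed in the advisory above.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
RUNONCE = r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]"

def find_ci(directory, name):
    """Find `name` in `directory` ignoring case (FAT file names vary in case)."""
    for entry in os.listdir(directory):
        if entry.upper() == name.upper():
            return os.path.join(directory, entry)
    return None

def runonce_has_worm(reg_text):
    """True if a REGEDIT4 text export has a RunOnce value that starts SKA.EXE."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip().upper()
        if line.startswith("["):
            in_key = line == RUNONCE.upper()
        elif in_key and "SKA.EXE" in line:
            return True
    return False

def triage(system_dir, reg_text=""):
    """List findings for an offline copy of WINDOWS\\SYSTEM; changes nothing."""
    findings = [f"{n} present" for n in WORM_FILES if find_ci(system_dir, n)]
    backup = find_ci(system_dir, "WSOCK32.SKA")
    live = find_ci(system_dir, "WSOCK32.DLL")
    if backup:  # the worm's copy of the original DLL exists
        same = live is not None and Path(live).read_bytes() == Path(backup).read_bytes()
        findings.append("WSOCK32.SKA present, WSOCK32.DLL already matches it" if same
                        else "WSOCK32.DLL differs from WSOCK32.SKA: restore from backup")
    if runonce_has_worm(reg_text):
        findings.append("RunOnce starts SKA.EXE at next boot")
    return findings

if __name__ == "__main__":
    # Constructed sample: dummy bytes stand in for the real files.
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("Ska.exe", b"x"), ("WSOCK32.DLL", b"patched"), ("wsock32.ska", b"orig")):
            Path(d, name).write_bytes(data)
        reg = "REGEDIT4\n\n" + RUNONCE + '\n"constructed"="SKA.EXE"\n'
        print("\n".join(triage(d, reg)))
```

A WSOCK32.SKA that is byte-identical to WSOCK32.DLL means the DLL has already been restored and only the leftover backup remains.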
