Need a book? Engineering books recommendations...

Return to index: [Subject] [Thread] [Date] [Author]

Re: Not a Hoax !!

[Subject Prev][Subject Next][Thread Prev][Thread Next]
I experienced a similar problem today. I viewed Happy99 email yesterday and
my computer wouldn't boot today. I have Norton Anti-virus Program. Thanks
for info.
Karim Hosseinzadeh, SE

> From: Caldwell, Stan <scaldwell(--nospam--at)>
> To: 'SEAint Listserv' <seaint(--nospam--at)>
> Subject: Not a Hoax !!
> Date: Friday, February 12, 1999 9:49 AM
> My computer wouldn't boot today.  After much lost time, I discovered that
> had been attacked by the Happy99.Worm program.   If you opened and viewed
> the pretty fireworks animation, then you are infected!  This was attached
> a  recent post to the  SEAint Listserv.   Our corporate virus protection
> system, LANDesk,  didn't catch it!  Here is more information,  courtesy
> Symantec.  It is worthwhile reading!
> Stan Caldwell , P.E.  
> Recovering in Dallas  
>   _____  
>                      Happy99.Worm  
>                      VirusName:                    Happy99.Worm
>                      Aliases:                          Trojan.Happy99,
> I-Worm.Happy
>                      Likelihood:                     Common
>                      Region Reported:         US, Europe
>                      Keys:                              Trojan Horse,
>                      Description: 
>                      This is a worm program, NOT a virus. This program
> reportedly been received through email
>                      spamming and USENET newsgroup posting. The file is
> usually named HAPPY99.EXE in the
>                      email or article attachment.
>                      When being executed, the program also opens a window
> entitled "Happy New Year 1999 !!"
>                      showing a firework display to disguise its other
> actions. The program copies itself as SKA.EXE
>                      and extracts a DLL that it carries as SKA.DLL into
> WINDOWS\SYSTEM directory. It also
>                      modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and
> copies the original
>                      WSOCK32.DLL into WSOCK32.SKA.
>                      WSOCK32.DLL handles internet-connectivity in Windows
> and 98. The modification to
>                      WSOCK32.DLL allows the worm routine to be triggered
> when a connect or send activity is
>                      detected. When such online activity occurs, the
> modified code loads the worm's SKA.DLL. This
>                      SKA.DLL creates a new email or a new article with
> UUENCODED HAPPY99.EXE inserted into
>                      the email or article. It then sends this email or
> this article.
>                      If WSOCK32.DLL is in use when the worm tries to
> it (i.e. a user is online), the worm
>                      adds a registry entry:

>                      The registry entry loads the worm the next time
> start.
>                      Removing the worm manually:
>                         1.delete WINDOWS\SYSTEM\SKA.EXE 
>                         2.delete WINDOWS\SYSTEM\SKA.DLL 
>                         3.replace WINDOWS\SYSTEM\WSOCK32.DLL with
>                           WINDOWS\SYSTEM\WSOCK32.SKA 
>                         4.delete the downloaded file, usually named
>                      Safe Computing:
>                      This worm and other trojan-horse type programs
> demonstrate the need to practice safe
>                      computing. One should not execute any
> attachment (i.e. EXE, SHS, MS Word or
>                      MS Excel file) that comes from an email or a
> article from an unknown or a untrusted
>                      source.
> ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿý8b±é??\²Ç§¶Ú2¢ëâi+k¹Ën­©D?§yêìü