

RE: Not a Hoax !!

Thanks Stan.  I think I was wormed too.  I guess we need to be more careful.
My organization was supposed to upgrade our virus software this week but it
was delayed.  Also, I was not clear on the 3rd step, replacing wsock32.dll
with wsock32.ska.
Bruce C. Trobridge
Assistant Building Structural Engineer
NYS - Office of General Services

> ----------
> From: 	Caldwell, Stan[SMTP:scaldwell(--nospam--at)halff.com]
> Sent: 	Friday, February 12, 1999 12:49 PM
> To: 	'SEAint Listserv'
> Subject: 	Not a Hoax !!
> 
> My computer wouldn't boot today.  After much lost time, I discovered that
> it had been attacked by the Happy99.Worm program.  If you opened and viewed
> the pretty fireworks animation, then you are infected!  This was attached
> to a recent post to the SEAint Listserv.  Our corporate virus protection
> system, LANDesk, didn't catch it!  Here is more information, courtesy of
> Symantec.  It is worthwhile reading!
>  
> Stan Caldwell , P.E.  
> Recovering in Dallas  
> 
> Happy99.Worm
> 
> VirusName: Happy99.Worm
> Aliases: Trojan.Happy99, I-Worm.Happy
> Likelihood: Common
> Region Reported: US, Europe
> Keys: Trojan Horse, Worm
> 
> Description:
> 
> This is a worm program, NOT a virus. This program has reportedly been
> received through email spamming and USENET newsgroup posting. The file is
> usually named HAPPY99.EXE in the email or article attachment.
> 
> When executed, the program also opens a window entitled "Happy New Year
> 1999 !!" showing a firework display to disguise its other actions. The
> program copies itself as SKA.EXE and extracts a DLL that it carries as
> SKA.DLL into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
> the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
> WSOCK32.SKA.
> 
> WSOCK32.DLL handles internet connectivity in Windows 95 and 98. The
> modification to WSOCK32.DLL allows the worm routine to be triggered when a
> connect or send activity is detected. When such online activity occurs,
> the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new
> email or a new article with UUENCODED HAPPY99.EXE inserted into the email
> or article. It then sends this email or posts this article.
> 
> If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
> online), the worm adds a registry entry:
> 
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
> 
> The registry entry loads the worm the next time Windows starts.
> 
> Removing the worm manually:
> 
>   1. delete WINDOWS\SYSTEM\SKA.EXE
>   2. delete WINDOWS\SYSTEM\SKA.DLL
>   3. replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
>   4. delete the downloaded file, usually named HAPPY99.EXE
> 
> Safe Computing:
> 
> This worm and other trojan-horse type programs demonstrate the need to
> practice safe computing. One should not execute any executable-file
> attachment (i.e. EXE, SHS, MS Word or MS Excel file) that comes from an
> email or a newsgroup article from an unknown or an untrusted source.
> 
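The manual removal steps quoted above (and the WSOCK32.SKA confusion in the reply) can be scripted. The following is an added example, not code from the listserv thread or from Symantec's write-up: it looks for the indicator files the description names (SKA.EXE, SKA.DLL, WSOCK32.SKA), performs steps 1 to 3, and, on Windows only, lists RunOnce values that reference SKA.EXE. Function names (`find_file`, `find_indicators`, `runonce_entries`, `clean`, `make_infected_dir`), the `system_dir` parameter and the fixture bytes are this example's own assumptions; the fixture is a constructed stand-in for an infected WINDOWS\SYSTEM directory, not real files. The one check worth noticing is in `clean`: WSOCK32.DLL is the whole Winsock layer, so it is only overwritten when the saved original WSOCK32.SKA is actually present and the restored copy verifies; otherwise the patched DLL is left alone rather than deleted.

```python
# Added example (not Symantec's or the listserv's code): script the file-level
# part of the manual removal above and check the RunOnce indicator.  It works
# on whatever directory is passed as system_dir (the real target being
# WINDOWS\SYSTEM), so it can be exercised on a constructed copy.
import os
import shutil
import sys
import tempfile

WORM_FILES = ("SKA.EXE", "SKA.DLL")      # worm copy and its carried DLL
PATCHED_DLL = "WSOCK32.DLL"              # Winsock library the worm modifies
SAVED_ORIGINAL = "WSOCK32.SKA"           # where the worm saved the original
RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"


def find_file(system_dir, name):
    """Case-insensitive lookup; FAT volumes do not preserve case reliably."""
    for entry in os.listdir(system_dir):
        if entry.upper() == name:
            return os.path.join(system_dir, entry)
    return None


def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()


def find_indicators(system_dir):
    """Names (upper-case) of the write-up's indicator files that exist."""
    return [n for n in WORM_FILES + (SAVED_ORIGINAL,) if find_file(system_dir, n)]


def runonce_entries():
    """RunOnce values that mention SKA.EXE. Windows only; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # stdlib, Windows only
    hits = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_KEY) as key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                if "SKA.EXE" in str(value).upper():
                    hits.append((name, value))
                i += 1
    except OSError:
        pass
    return hits


def clean(system_dir):
    """Steps 1-3 of the manual removal; returns what was done.

    Step 3 is the risky one: WSOCK32.DLL is all of Winsock, so the patched
    copy is only overwritten when the saved original WSOCK32.SKA exists and
    the restored file verifies.  Deleting it without a replacement would
    leave the machine with no networking at all.
    """
    result = {"deleted": [], "restored": False, "error": None}
    for name in WORM_FILES:
        path = find_file(system_dir, name)
        if path:
            os.remove(path)
            result["deleted"].append(name)
    saved = find_file(system_dir, SAVED_ORIGINAL)
    if saved is None:
        result["error"] = "no WSOCK32.SKA found; WSOCK32.DLL left untouched"
        return result
    target = find_file(system_dir, PATCHED_DLL) or os.path.join(system_dir, PATCHED_DLL)
    shutil.copy2(saved, target)          # overwrite patched DLL with the original
    if read_bytes(target) == read_bytes(saved):
        os.remove(saved)                 # restore verified; backup no longer needed
        result["restored"] = True
    else:
        result["error"] = "restored copy did not verify; WSOCK32.SKA kept"
    return result


def make_infected_dir(with_backup=True):
    """Constructed fixture imitating an infected WINDOWS\\SYSTEM (not real files)."""
    d = tempfile.mkdtemp()
    files = {"SKA.EXE": b"worm copy", "SKA.DLL": b"worm dll",
             "WSOCK32.DLL": b"patched winsock"}
    if with_backup:
        files["WSOCK32.SKA"] = b"original winsock"
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    system_dir = sys.argv[1] if len(sys.argv) > 1 else make_infected_dir()
    print("indicators:", find_indicators(system_dir))
    print("RunOnce hits:", runonce_entries())
    print("result:", clean(system_dir))
```

Step 4 (deleting the HAPPY99.EXE attachment) is left to the user, since its location depends on the mail or news client. On a real Windows 95/98 machine the replacement of WSOCK32.DLL should be done while nothing has Winsock loaded (the description notes the DLL may be in use when a user is online), so the script would be run before any dial-up or network session starts, or from a DOS prompt.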