

Re: Not a Hoax !!

Norton version 5.0 caught "happy99.worm" for me.  There is another one out
there too that Norton doesn't seem to get.  It's called "PE_CIH".  The anti-virus
scanner that gets that one can be found at
http://www.tucows.ix.net.nz/ .  That site also has a number of other
scanners worth looking at too.

Happy hunting

Thor Tandy  P.Eng  MCSCE
Victoria BC
Canada
vicpeng(--nospam--at)vtcg.com
-----Original Message-----
From: Caldwell, Stan <scaldwell(--nospam--at)halff.com>
To: 'SEAint Listserv' <seaint(--nospam--at)seaint.org>
Date: Friday, February 12, 1999 9:59 AM
Subject: Not a Hoax !!


My computer wouldn't boot today. After much lost time, I discovered that it
had been attacked by the Happy99.Worm program. If you opened and viewed
the pretty fireworks animation, then you are infected! This was attached to
a recent post to the SEAint Listserv. Our corporate virus protection
system, LANDesk, didn't catch it! Here is more information, courtesy of
Symantec. It is worthwhile reading!

Stan Caldwell , P.E.
Recovering in Dallas
_____



Happy99.Worm

VirusName: Happy99.Worm
Aliases: Trojan.Happy99,
I-Worm.Happy
Likelihood: Common
Region Reported: US, Europe
Keys: Trojan Horse, Worm



Description:

This is a worm program, NOT a virus. This program has reportedly been received
through email spamming and USENET newsgroup posting. The file is usually named
HAPPY99.EXE in the email or article attachment.

When executed, the program also opens a window entitled "Happy New Year 1999 !!"
showing a firework display to disguise its other actions. The program copies
itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into the
WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM
directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered when a
connect or send activity is detected. When such online activity occurs, the
modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a
new article with the UUENCODED HAPPY99.EXE inserted into the email or article.
It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.


Removing the worm manually:

1. Delete WINDOWS\SYSTEM\SKA.EXE
2. Delete WINDOWS\SYSTEM\SKA.DLL
3. Replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
4. Delete the downloaded file, usually named HAPPY99.EXE
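The description above lists the files and the registry value the worm leaves behind, and the four manual removal steps. The following script is an added example, not part of the Symantec text or of this list posting: it checks a directory for those indicators and then applies the four documented steps (delete SKA.EXE and SKA.DLL, put WSOCK32.SKA back as WSOCK32.DLL, delete HAPPY99.EXE). It runs against a constructed temporary directory and a constructed list of registry lines standing in for WINDOWS\SYSTEM and an exported hive, so it can be tried offline without an infected machine. The function names, the `demo` layout and the sample file contents are assumptions made for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the Symantec description quoted above.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP_NAME = "WSOCK32.SKA"    # the worm's copy of the original WSOCK32.DLL
WSOCK_NAME = "WSOCK32.DLL"
DROPPER_NAME = "HAPPY99.EXE"   # usual name of the mailed attachment
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def find_indicators(system_dir, registry_lines, download_dir):
    """Return the Happy99 indicators present under the given locations.

    system_dir     - directory standing in for WINDOWS\\SYSTEM
    registry_lines - iterable of 'key=value' strings (a constructed stand-in
                     for an exported registry hive)
    download_dir   - where the email/newsgroup attachment was saved
    """
    found = []
    system_dir = Path(system_dir)
    for name in WORM_FILES + (BACKUP_NAME,):
        if (system_dir / name).exists():
            found.append(f"file:{name}")
    if (Path(download_dir) / DROPPER_NAME).exists():
        found.append(f"file:{DROPPER_NAME}")
    for line in registry_lines:
        key, _, value = line.partition("=")
        if key.strip().lower() == RUNONCE_KEY.lower() and value.strip().upper() == "SKA.EXE":
            found.append("registry:RunOnce=SKA.EXE")
    return found


def remove_happy99(system_dir, download_dir):
    """Apply the four manual removal steps from the description; return actions taken.

    The RunOnce registry value is not among the four documented steps, so it is
    left alone here and must be checked separately.
    """
    actions = []
    system_dir = Path(system_dir)
    # Steps 1 and 2: delete the worm's own files.
    for name in WORM_FILES:
        path = system_dir / name
        if path.exists():
            path.unlink()
            actions.append(f"deleted {name}")
    # Step 3: restore the original WSOCK32.DLL from the WSOCK32.SKA copy.
    backup = system_dir / BACKUP_NAME
    if backup.exists():
        os.replace(backup, system_dir / WSOCK_NAME)  # overwrites the modified DLL
        actions.append(f"restored {WSOCK_NAME} from {BACKUP_NAME}")
    # Step 4: delete the downloaded attachment.
    dropper = Path(download_dir) / DROPPER_NAME
    if dropper.exists():
        dropper.unlink()
        actions.append(f"deleted {DROPPER_NAME}")
    return actions


def demo():
    """Build a constructed infected layout in a temp dir, detect it, clean it."""
    root = Path(tempfile.mkdtemp())
    system = root / "SYSTEM"
    downloads = root / "DOWNLOADS"
    system.mkdir()
    downloads.mkdir()
    # Constructed stand-ins: the saved original and the modified WSOCK32.DLL.
    (system / BACKUP_NAME).write_bytes(b"ORIGINAL-WSOCK32")
    (system / WSOCK_NAME).write_bytes(b"PATCHED-WSOCK32")
    for name in WORM_FILES:
        (system / name).write_bytes(b"placeholder-worm-file")
    (downloads / DROPPER_NAME).write_bytes(b"placeholder-attachment")
    registry = [RUNONCE_KEY + "=SKA.EXE",
                r"HKEY_LOCAL_MACHINE\Software\Example\Unrelated=1"]

    before = find_indicators(system, registry, downloads)
    actions = remove_happy99(system, downloads)
    after = find_indicators(system, registry, downloads)
    restored = (system / WSOCK_NAME).read_bytes() == b"ORIGINAL-WSOCK32"
    shutil.rmtree(root)
    return before, actions, after, restored


if __name__ == "__main__":
    for label, value in zip(("before", "actions", "after", "restored"), demo()):
        print(f"{label}: {value}")
```

After cleanup the only indicator still reported is the RunOnce value, because the description's four steps cover files only; a practitioner would inspect that key by hand rather than assume it is gone.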


Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice
safe computing. One should not execute any executable-file attachment (i.e.
EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup
article from an unknown or an untrusted source.
