Re: Not a Hoax !!
- To: <seaint(--nospam--at)seaint.org>
- Subject: Re: Not a Hoax !!
- From: "vicpeng" <vicpeng(--nospam--at)vtcg.com>
- Date: Fri, 12 Feb 1999 20:36:14 -0800
Norton version 5.0 caught "happy99.worm" for me. There is another one out there too that Norton doesn't seem to get. It's called "PE_CIH". The anti-virus scanner that gets that one can be found at http://www.tucows.ix.net.nz/ . That site also has a number of other scanners worth looking at too.

Happy hunting

Thor Tandy P.Eng MCSCE
Victoria BC Canada
vicpeng(--nospam--at)vtcg.com

-----Original Message-----
From: Caldwell, Stan <scaldwell(--nospam--at)halff.com>
To: 'SEAint Listserv' <seaint(--nospam--at)seaint.org>
Date: Friday, February 12, 1999 9:59 AM
Subject: Not a Hoax !!

My computer wouldn't boot today. After much lost time, I discovered that it had been attacked by the Happy99.Worm program. If you opened and viewed the pretty fireworks animation, then you are infected! This was attached to a recent post to the SEAint Listserv. Our corporate virus protection system, LANDesk, didn't catch it! Here is more information, courtesy of Symantec. It is worthwhile reading!

Stan Caldwell, P.E.
Recovering in Dallas
_____

Happy99.Worm

VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: US, Europe
Keys: Trojan Horse, Worm

Description:

This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the worm manually:

1. delete WINDOWS\SYSTEM\SKA.EXE
2. delete WINDOWS\SYSTEM\SKA.DLL
3. replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
4. delete the downloaded file, usually named HAPPY99.EXE

Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable-file attachment (i.e. EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article from an unknown or an untrusted source.
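The artifacts listed in the Symantec description above can be checked against a copy of a WINDOWS\SYSTEM directory, for instance from a mounted disk image. The following is an added example, not part of the original posts or of Symantec's text; it assumes the registry is available as a REGEDIT4-style text export, and the value name "ska" in the sample is constructed.

```python
import os
import tempfile

# File names and registry key are the ones given in the Symantec description above.
DROPPED = ("SKA.EXE", "SKA.DLL")
BACKUP = "WSOCK32.SKA"
RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"

def present(system_dir, name):
    """Case-insensitive lookup, since FAT volumes do not keep a fixed case."""
    try:
        return any(e.upper() == name for e in os.listdir(system_dir))
    except OSError:
        return False

def runonce_has_ska(reg_text):
    """Scan a text registry export (assumed REGEDIT4 layout) for SKA.EXE under RunOnce."""
    section = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == RUNONCE and "SKA.EXE" in line.upper():
            return True
    return False

def triage(system_dir, reg_text=""):
    """Return (state, findings) for a copy of the WINDOWS\\SYSTEM directory."""
    findings = [n for n in DROPPED + (BACKUP,) if present(system_dir, n)]
    pending = runonce_has_ska(reg_text)
    if pending:
        findings.append("RunOnce=SKA.EXE")
    if BACKUP in findings:
        state = "patched"   # WSOCK32.DLL replaced; original saved as WSOCK32.SKA
    elif pending:
        state = "pending"   # WSOCK32.DLL was in use; worm reruns at next start
    elif findings:
        state = "dropped"   # worm files present, no sign WSOCK32.DLL was touched
    else:
        state = "clean"     # none of the listed artifacts found
    return state, findings

if __name__ == "__main__":
    # Constructed sample: a temp directory stands in for WINDOWS\SYSTEM.
    with tempfile.TemporaryDirectory() as d:
        for name in ("ska.exe", "Ska.dll", "wsock32.dll"):
            open(os.path.join(d, name), "w").close()
        reg = ("REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows"
               "\\CurrentVersion\\RunOnce]\n\"ska\"=\"SKA.EXE\"\n")
        print(triage(d, reg))
```

A "patched" result means step 3 of the manual removal applies; "pending" means the RunOnce entry should be removed as well before the next restart.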