ASR Publications

DAVID GRAY dbgray62 at HOME.COM
Thu May 6 16:07:50 UTC 1999


Indeed, do not open it!  Evidently it only infects Windows computers,
not Macs.  The following is what Symantec's AVCenter has to say about
the virus:

Happy99.Worm

Virus Name:       Happy99.Worm
Aliases:          Trojan.Happy99, I-Worm.Happy
Likelihood:       Common
Region Reported:  World Wide
Characteristics:  Trojan Horse, Worm



Description:

This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file
is usually named HAPPY99.EXE in the email or article attachment.

When executed, the program also opens a window entitled "Happy New Year
1999 !!" showing a firework display to disguise its other actions. The
program copies itself as SKA.EXE and extracts a DLL that it carries as
SKA.DLL into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL
in the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
WSOCK32.SKA.

WSOCK32.DLL handles internet connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered when
a connect or send activity is detected. When such online activity
occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates
a new email or a new article with the UUENCODED HAPPY99.EXE inserted
into the email or article. It then sends this email or posts this
article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user
is online), the worm adds a registry entry:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.


Removing the worm manually:

    1. delete WINDOWS\SYSTEM\SKA.EXE
    2. delete WINDOWS\SYSTEM\SKA.DLL
    3. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
    4. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
    5. delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you from doing steps #3 and #4 above if the machine is
still connected to the Internet. The file "windows\system\wsock32.dll"
is used whenever the machine is connected to the Internet (i.e. through
a dial-up or LAN connection).


If you are using a dial-up connection (i.e. America Online), you need to
do the following:

    1. terminate the internet connection
    2. delete WINDOWS\SYSTEM\SKA.EXE
    3. delete WINDOWS\SYSTEM\SKA.DLL
    4. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
    5. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
    6. delete the downloaded file, usually named HAPPY99.EXE


If you are connected to the Internet through a LAN (i.e. in the office
or via cable modem), you need to do the following:

    1. From the Start menu, select shutdown-restart in MS DOS mode
    2. type CD \windows\system when the DOS prompt (C:\) appears
    3. type RENAME WSOCK32.DLL WSOCK32.BAK
    4. type RENAME WSOCK32.SKA WSOCK32.DLL
    5. type DEL SKA.EXE
    6. type DEL SKA.DLL


Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to
practice safe computing. One should not execute any executable-file
attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email
or a newsgroup article from an untrusted source.

Norton AntiVirus users can protect themselves from this virus by
downloading the current virus definitions either through LiveUpdate or
from the following webpage:

http://www.symantec.com/avcenter/download.html

Write-up by: Raul K. Elnitiarta
March 2, 1999



Ralph Bunker wrote:
>
> Make that I would NOT run it if I were you.
> At 06:39 AM 5/6/99 -0700, you wrote:
> >I received two messages with subject ASR Publications. The second one had
> >an attachment called HAPPY99.EXE. This is what my virus checker had to say
> >about it. I would run it if I were you.
> >
> >   Infected object c:\Eudora\Attach\HAPPY99.EXE.
> >   Happy99 trojan
> >   Cannot verify this virus.
> >
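The Symantec write-up quoted in the message above names four concrete artifacts an infected Windows 95/98 machine carries: SKA.EXE and SKA.DLL in WINDOWS\SYSTEM, the saved original WSOCK32.SKA, and a RunOnce registry entry that launches SKA.EXE. The following script is an added example, not Symantec's code and not part of the original message; it runs the presence checks a helpdesk would do before following the removal steps, against a directory listing and a REGEDIT4 export (.reg text). The directory and registry contents it works on are constructed here for the demonstration, and the RunOnce value is assumed to be the default value (`@`) since the write-up does not give the value name. The script reads only; it changes nothing.

```python
r"""Offline indicator check for the Happy99 artifacts named in the Symantec write-up.

Added example for this archive page (not Symantec's code). It inspects a
directory standing in for WINDOWS\SYSTEM plus a .reg export and reports
which of the described artifacts are present. It never modifies anything.
"""
import os
import tempfile

# Filenames the write-up says the worm leaves in WINDOWS\SYSTEM.
WORM_FILES = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")

# Registry key the write-up says the worm uses when WSOCK32.DLL was in use.
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def find_worm_files(system_dir):
    """Return the worm artifact names present in system_dir.

    Comparison is case-insensitive because FAT/VFAT filenames are.
    """
    present = {name.upper() for name in os.listdir(system_dir)}
    return [name for name in WORM_FILES if name in present]


def find_runonce_hits(reg_text):
    r"""Return value lines under the RunOnce key whose data mentions SKA.EXE.

    reg_text is a REGEDIT4 export: sections are [HKEY_...] headers and
    values look like "Name"="data" or @="data" for the default value.
    """
    hits = []
    in_runonce = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Track which key we are in; only RunOnce matters here.
            in_runonce = line[1:-1].lower() == RUNONCE_KEY.lower()
            continue
        if in_runonce and "=" in line and "SKA.EXE" in line.upper():
            hits.append(line)
    return hits


def assess(system_dir, reg_text):
    """Combine both checks into one verdict dictionary."""
    files = find_worm_files(system_dir)
    hits = find_runonce_hits(reg_text)
    return {
        "files": files,
        "runonce_hits": hits,
        # WSOCK32.SKA is the saved original, so it only exists after the worm
        # patched WSOCK32.DLL; its presence means the rename steps are needed.
        "wsock32_patched": "WSOCK32.SKA" in files,
        "infected": bool(files or hits),
    }


# Constructed sample registry exports (not captured from a real machine).
INFECTED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="SKA.EXE"
"""

CLEAN_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"""


def build_sample_dir(infected):
    r"""Create a temporary directory standing in for WINDOWS\SYSTEM (constructed)."""
    d = tempfile.mkdtemp()
    names = ["WSOCK32.DLL", "KERNEL32.DLL"]
    if infected:
        # Mixed case on purpose: the check must not depend on how the
        # filenames happen to be cased on disk.
        names += ["ska.exe", "Ska.dll", "WSOCK32.SKA"]
    for n in names:
        open(os.path.join(d, n), "wb").close()
    return d


def demo():
    """Run the assessment on one constructed infected and one clean sample."""
    infected = assess(build_sample_dir(True), INFECTED_REG)
    clean = assess(build_sample_dir(False), CLEAN_REG)
    return infected, clean


if __name__ == "__main__":
    for label, result in zip(("infected", "clean"), demo()):
        print(label, result)
```

If `wsock32_patched` is true, WSOCK32.DLL itself is still the modified copy, which is why the write-up has you rename it away and restore WSOCK32.SKA rather than just deleting SKA.EXE and SKA.DLL.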
More information about the INDOLOGY mailing list