Re: ADMINISTRATIVE: WARNING!!!
Michael Bowman (mfbowman@USSCOUTS.ORG)
Sat, 27 Feb 1999 00:28:56 -0500
If any of you have opened the happy99.exe file that was attached to a
posting to Scouts-L, you may want to read the following information.
References to anti-virus websites are included along with instructions for
removal of the worm program.
Forwarded Message:
Yet another new virus is making its way through the Internet and may
find its way to your Inbox... Symantec (Norton) calls it "HAPPY99.EXE",
Network Associates (McAfee) "Win32/SKA".
WHAT'S AFFECTED: Win 95/98
"HAPPY99.EXE" is a worm. Discovered in newsgroups in January 1999,
its main claim to fame is its ability to attach itself covertly to
outbound e-mail as an attachment, by using a modified DLL file.
NOTE: YOU CANNOT BECOME INFECTED BY JUST READING A NEWSGROUP MAIL ITEM,
YOU MUST EXECUTE THE ATTACHMENT TO INFECT YOUR SYSTEM!!
TECHY SECTION (short version):
Upon initial infection, the virus will display the message "Happy New
Year 1999" and show a fireworks animation. The infection process then
involves adding 2 files to the \windows\system folder, substituting a
windows DLL with its own (but saving the original), and creating a
Registry entry.
Once the workstation infection is completed, a copy of HAPPY99.EXE
is appended covertly to all outbound newsgroup/e-mail messages.
WHAT DETECTS IT:
> McAfee VirusScan: See reference for special DAT file update
> Norton Antivirus: Use sig files dated 28 Jan 99 or later
MANUAL REMOVAL PROCEDURE
1. Determine addressees that may have been sent HAPPY99.EXE
in outbound e-mail:
Start NOTEPAD.EXE and open LISTE.SKA (c:\windows\system folder)
This file will contain the e-mail address of everyone sent a copy
of the virus. (GOOD IDEA TO WARN THEM!!)
2. Start REGEDIT and remove entry if present:
- Click "Start", "Run" type "REGEDIT"
- Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Delete entry for SKA.EXE
3. Place workstation in MS-DOS mode:
Click "Start", "Shutdown",
select "Restart the computer in MS-DOS mode"
4. Change to the \WINDOWS\SYSTEM folder:
CD \WINDOWS\SYSTEM
5. Delete these files:
SKA.EXE SKA.DLL WSOCK32.DLL
6. Rename WSOCK32.SKA:
ren wsock32.ska WSOCK32.DLL
7. Return to Windows mode:
Type "EXIT", depress key
E-MAIL USE GUIDELINES:
1. Never open/execute EXE or COM-type attachments if you don't know the
sender! Avoid grief..delete the message. (Who ya gonna upset?)
2. Never open/execute EXE or COM-type attachments if you KNOW the sender
but WEREN'T expecting the file. Call/or e-mail it back if no
explanation is given. (How much do YOU trust that person...?)
3. If your anti-virus software doesn't automatically scan attachments,
save them to your hard drive first, then scan them.
REFERENCE:
> Symantec:
http://www.symantec.com/avcenter/venc/data/happy99.worm.html
> Network Associates:
http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.htm
> Datafellows
http://www.datafellows.com/v-descs/ska.htm
Mike
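
An added example, not part of the original message: a Python triage check over a copy of the \WINDOWS\SYSTEM folder that looks for the files the removal procedure names, lists the LISTE.SKA addressees to warn, and reports whether the saved original DLL (WSOCK32.SKA) is present before step 5 deletes WSOCK32.DLL. The layout of LISTE.SKA is an assumption (plain text with addresses in it), and the function names and sample directories are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File names taken from the removal procedure in the message above.
ARTIFACTS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")
# Assumption: LISTE.SKA is plain text; its exact layout is not given on the
# page, so pull out anything shaped like an e-mail address.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage(system_dir):
    """Inspect a copy of \\WINDOWS\\SYSTEM for the files the procedure names."""
    # Windows 9x names are case-insensitive, so index by upper-cased name.
    present = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    found = [name for name in ARTIFACTS if name in present]
    recipients = []
    if "LISTE.SKA" in present:
        text = present["LISTE.SKA"].read_text(encoding="latin-1")
        # Step 1: de-duplicated list of people to warn, in file order.
        recipients = list(dict.fromkeys(a.lower() for a in ADDRESS.findall(text)))
    return {
        "found": found,
        # Steps 5-6: deleting WSOCK32.DLL is only safe when the saved original
        # (WSOCK32.SKA) is there to be renamed back into place.
        "original_dll_saved": "WSOCK32.SKA" in present,
        "recipients": recipients,
    }


def demo():
    """Run triage over two constructed directories (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        hit, clean = Path(tmp, "hit"), Path(tmp, "clean")
        hit.mkdir()
        clean.mkdir()
        for name in ("Ska.exe", "ska.dll", "wsock32.dll", "wsock32.ska"):
            (hit / name).write_bytes(b"constructed placeholder")
        (hit / "liste.ska").write_text(
            "alice@example.org\nnews:bob@example.net\nALICE@example.org\n",
            encoding="latin-1",
        )
        (clean / "WSOCK32.DLL").write_bytes(b"constructed placeholder")
        return triage(hit), triage(clean)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

If `original_dll_saved` is false while other artifacts are found, restore WSOCK32.DLL from known-good media rather than relying on the rename in step 6.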