Subject: HAPPY99 Worm Warning From: Steven J. Coker Date: February 08, 1999 NOTE: This warning is the exception to the rule. Do not follow this as and example and start sending virus warnings to the forum. This type of message is OFF TOPIC in the forum, unless posted by the Forum Manager. I've recently received several emails from various people containing an attached file named HAPPY99.EXE. Some of these were from Forum members. Some were addressed to the Forum, but they were blocked by our automatic screening program. The HAPPY99.EXE program is a WORM. See below for more information about what that means. If you receive a message with that file attached don't execute it - delete it immediately. _______________________ VirusName: Happy99.Worm Aliases: Trojan.Happy99, I-Worm.Happy Description: This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment. When being executed, the program also opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA. WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article. If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE The registry entry loads the worm the next time Windows start. Removing the worm manually: 1. delete WINDOWS\SYSTEM\SKA.EXE 2. delete WINDOWS\SYSTEM\SKA.DLL 3. replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA 4. delete the downloaded file, usually named HAPPY99.EXE Safe Computing: This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable-file attachment (i.e. EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article From an unknown or a untrusted source. Norton AntiVirus users can protect themselves from this worm by downloading the virus definitions updates released on Jan 28, 1999 or later either through LiveUpdate or from the following webpage: http://www.symantec.com/avcenter/download.html Write-up by: Raul K. Elnitiarta - January 28, 1999 ___________________ For more information regarding viruses see the following sites. http://www.mcafee.com/ http://www.symantec.com/avcenter http://www.symantec.com/avcenter/venc/data/happy99.worm.html http://www.earthlink.net/daily/tuesday/macroviruses http://www.cyberramp.net/hoax.htm Unsolicited, unexplained attachments are unacceptable! "... you CAN get a virus by reading an attachment in an email message, such as an MS Word or Excel document, which is infected by a macro virus. You can also get a virus by running an executable program (such as *.exe , *.com or *.bat) someone e-mails you as an attachment." -- SOURCE: http://www.cyberramp.net/hoax.htm + *********************************************************************** + | Steven J. Coker [email protected] | | SCRoots Forum Manager [email protected] | | Coker Forum Manager [email protected] | | DuBose Forum Manager [email protected] | | Post Office Box 359 [email protected] | | Charleston, SC 29402 [email protected] | | ***************************** - NOTICE - ****************************** | | Unsolicited commercial messages, chain letters, pornography, and other | | junk email (i.e. SPAM) are not welcome. Do not send SPAM to me or the | | Forums listed above. Each SPAM email will be investigated, the incident | | will be reported, and the sender's access blocked. There will be | | a $100 handling fee charged for the processing of each SPAM message. | + *********************************************************************** + ==== SCROOTS Mailing List ==== Go To: #, A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, Main |