[SI-LIST] : HAPPY99 virus DONOT click it...

Lynne Green (green@wolfenet.com)
Mon, 26 Apr 1999 06:55:30 -0700 (PDT)

> If you see happy99.exe or happy991.exe DO NOT click on it.

Watch for this virus. I got mine as the body of a message. Some
get it as an attachment. Thankfully I use linux for email. <grin>

See forwarded message for more details.

- Lynne Green

-----FW: <37242F1E.33CFE227@quantic-emc.com>-----

Date: Mon, 26 Apr 1999 10:17:18 +0100
From: Mike Ventham <ventham@quantic-emc.com>
To: Kellee Crisafulli <kellee@hyperlynx.com>
Subject: Re: HAPPY99 virus DONOT click it...
Cc: ibis@vhdl.org

Following on from Kellee's message, I can confirm that the Happy99.exe is
infected with the W32/SKANEW virus. This is a new virus (so update
your virus scanning software).

Here is the Data from the Virus Alert Labs
http://www.avertlabs.com/public/datafiles/valerts/vinfo/w32ska.asp

W32/Ska (A.K.A. Happy99.exe)

W32/Ska is a worm that was first posted to several newsgroups
and has been reported to several of the AVERT Labs locations
worldwide. When this worm is run it displays a message
"Happy New Year 1999!!" and displays
"fireworks" graphics. The posting on the newsgroups has
led to its propagation. It can also spread on its own, as it can
attach itself to a mail message and be sent unknowingly by a
user. Because of this attribute it is also considered to be a
worm.

AVERT cautions all users who may receive the attachment via
email to simply delete the mail and the attachment. The worm
infects a system via email delivery and arrives as an attachment
called Happy99.EXE. It is sent unknowingly by a user. When the
program is run it deploys its payload displaying fireworks on the
user's monitor.

Note: At this time no destructive payload has been
discovered.

When the Happy.EXE is run it copies itself to Windows\System
folder under the name SKA.EXE. It then extracts, from within
itself, a DLL called SKA.DLL into the Windows\System folder if
one does not already exist.

Note: Though the SKA.EXE file is a copy of the
original it does not run as the Happy.EXE file does, so it does
not copy itself again, nor does it display the fireworks on the
user's monitor.

The worm then checks for the existence of WSOCK32.SKA in the
Windows\System folder; if it does not exist and the file
WSOCK32.DLL does exist, it copies the WSOCK32.DLL to WSOCK32.SKA.

The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"

- which will execute SKA.EXE the next time the system is
restarted. When this happens the worm patches WSOCK32.DLL and
adds hooks to the exported functions EnumProtocolsW and
WSAAsyncGetProtocolByName.

The patched code calls two exported functions in SKA.DLL
called mail and news; these functions allow the
worm to attach itself to SMTP e-mail and also to any postings to
newsgroups the user makes.

Kellee Crisafulli wrote:
>
> Hi IBIS
>
> I just received the happy99 virus from the IBIS reflector....
>
> Watch out....
>
> If you see happy99.exe or happy991.exe DO NOT click on it.
>
> Kellee

-- 
Regards

Mike
________________________________________________________________
| Mike Ventham - Vice-President Engineering,                    |
| Quantic EMC Inc                   Headquarters                |
| Croft House, Chilcompton,         191 Lombard Ave, Winnipeg,  |
| Somerset, UK, BA3 4JA             Manitoba, Canada R3B 0X1    |
| Tel: 44 (0)1761 232191            Tel: (204) 942 4000         |
| Fax: 44 (0)1761 233549            Fax: (204) 957 1158         |
| Email: ventham@quantic-emc.com    http://www.quantic-emc.com  |

--------------End of forwarded message-------------------------

----------------------------------
E-Mail: Lynne Green <green@wolfenet.com>
Date: 26-Apr-99
Time: 06:48:41

This message was sent by XFMail
----------------------------------

**** To unsubscribe from si-list: send e-mail to majordomo@silab.eng.sun.com. In the BODY of message put: UNSUBSCRIBE si-list, for more help, put HELP. si-list archives are accessible at http://www.qsl.net/wb6tpu/si-list ****
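
The file and registry traces listed in the forwarded advisory, turned into a check that can be run over a copy of a machine's Windows\System folder and a text export of its registry. This is an added example, not part of the original message or the AVERT write-up; the function names and the sample data are constructed for illustration, and the registry export is assumed to be in regedit's text format.

```python
import hashlib
import os
import tempfile

# File names from the advisory quoted above; compared case-insensitively.
ARTIFACTS = ("ska.exe", "ska.dll", "wsock32.ska")


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def check_system_dir(system_dir):
    """Return findings for a copy of a Windows\\System folder."""
    present = {n.lower(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}
    findings = [f"artifact present: {n}" for n in ARTIFACTS if n in present]
    dll, backup = present.get("wsock32.dll"), present.get("wsock32.ska")
    if dll and backup:
        # WSOCK32.SKA is the worm's copy of the unpatched DLL, so a mismatch
        # means WSOCK32.DLL changed after that copy was taken.
        same = _sha256(dll) == _sha256(backup)
        findings.append("WSOCK32.DLL matches WSOCK32.SKA (not yet modified)" if same
                        else "WSOCK32.DLL differs from WSOCK32.SKA (modified after backup)")
    return findings


def check_runonce(reg_export_text):
    """True if a registry text export has the Ska.exe value under ...\\RunOnce."""
    in_key = False
    for line in reg_export_text.splitlines():
        line = line.strip().lower()
        if line.startswith("["):
            in_key = line.endswith("\\currentversion\\runonce]")
        elif in_key and line.startswith('"ska.exe"='):
            return True
    return False


def demo():
    """Run both checks on a constructed sample folder and registry export."""
    reg = ("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\n"
           '"Ska.exe"="Ska.exe"\n')
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("SKA.EXE", b"copy"), ("Ska.dll", b"dll"),
                           ("WSOCK32.SKA", b"original"), ("WSOCK32.DLL", b"hooked")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return check_system_dir(d), check_runonce(reg)
```

Because RunOnce entries are removed once they have run, a missing registry value does not clear a machine; the files in Windows\System are the more durable trace.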