>I just received some kind of attached EXE-File from you. Please refrain
>from sending binary attachments to the mailing list in the future, since
>some people on this list have to pay for their connection time. Thank you

Do not execute Happy99.exe, it will infect your system with a WORM virus.
Make sure to delete the files ska.dll and ska.exe from your system (search
all directory locations under your Windows directory), otherwise you will
be infected the next time you re-boot (Windows and NT users only).

------
AVERT - A Division of NAI Labs
Virus Name: W32/Ska (a.k.a. Happy99.exe)

This page last updated 2/1/99


W32/Ska is a worm that was first posted to several newsgroups and has
been reported to several of the AVERT Labs locations worldwide. When this
worm is run it displays a message "Happy New Year 1999!!" and displays
"fireworks" graphics. The posting on the newsgroups has led to its
propagation. It can also spread on its own, as it can attach itself to a
mail message and be sent unknowingly by a user. Because of this attribute
it is also considered to be a worm.

AVERT cautions all users who may receive the attachment via email to 
simply delete the mail and the attachment. 

The worm infects a system via email delivery and arrives as an
attachment called Happy99.EXE. It is sent unknowingly by a user. When the
program is run it deploys its payload, displaying fireworks on the user's
monitor.

Note: At this time no destructive payload has been discovered.

When the Happy.EXE is run it copies itself to the Windows\System folder
under the name SKA.EXE. It then extracts, from within itself, a DLL called
SKA.DLL into the Windows\System folder if one does not already exist.

Note: Though the SKA.EXE file is a copy of the original it does not run
as the Happy.EXE file does, so it does not copy itself again, nor does it
display the fireworks on the user's monitor.

The worm then checks for the existence of WSOCK32.SKA in the
Windows\System folder; if it does not exist and the file WSOCK32.DLL does
exist, it copies the WSOCK32.DLL to WSOCK32.SKA.

The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"

- which will execute SKA.EXE the next time the system is restarted. When
this happens the worm patches WSOCK32.DLL and adds hooks to the exported
functions EnumProtocolsW and WSAAsyncGetProtocolByName.

The patched code calls two exported functions in SKA.DLL called mail and
news; these functions allow the worm to attach itself to SMTP e-mail and
also to any postings to newsgroups the user makes.
--
Visit the Eco-Blue Divers Homepage at
http://www.geocities.com/RainForest/Canopy/5449/index.html
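
The file and registry indicators listed in the advisory above, turned into a small triage check. This is an added example, not part of the original message or of AVERT's advisory; the function name `triage`, the state labels and the `runonce_names` input (value names the caller has already read from the RunOnce key) are assumptions.

```python
import os
import tempfile

# Names from the advisory. Compared case-insensitively, as Windows does.
DROPPED = ("ska.exe", "ska.dll")
BACKUP = "wsock32.ska"      # the worm's copy of the original WSOCK32.DLL
RUNONCE_NAME = "ska.exe"    # value name under ...\CurrentVersion\RunOnce


def triage(system_dir, runonce_names=()):
    """Return (state, found_files) for one Windows\\System folder.

    runonce_names holds value names read from the RunOnce key by the caller
    (hypothetical input; this script does not touch the registry itself).
    """
    present = {name.lower() for name in os.listdir(system_dir)}
    found = sorted(n for n in DROPPED + (BACKUP,) if n in present)
    pending = any(n.lower() == RUNONCE_NAME for n in runonce_names)

    if not found and not pending:
        return "no-indicators", found
    if pending and "ska.exe" in found:
        # SKA.EXE is queued to run, and patch WSOCK32.DLL, at next restart.
        return "restart-pending", found
    if BACKUP in found:
        # Nothing queued but the backup copy exists: the RunOnce entry may
        # already have run, so WSOCK32.DLL should be treated as patched.
        return "wsock32-suspect", found
    return "leftover-indicators", found


def demo():
    """Constructed sample: a temp folder standing in for Windows\\System."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("WSOCK32.DLL", "WSOCK32.SKA", "SKA.EXE", "Ska.dll"):
            open(os.path.join(d, name), "w").close()
        return triage(d, ["Ska.exe"]), triage(d, [])


if __name__ == "__main__":
    for state, files in demo():
        print(state, files)
```

The two demo results correspond to the period before the restart (RunOnce entry still present) and after it (entry consumed, WSOCK32.SKA left behind next to a possibly patched WSOCK32.DLL).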