On Friday, December 03, 1999, 12:47:19 PM Syafril Hermansyah ([EMAIL PROTECTED]) 
wrote:


> AFAIK Happy99.exe is a Trojan Virus (Hoax?), which infected to
> mailer with MAPI capable such Outlook97/98/2000, Outlook Express 4/5,
> Exchange Client.

I think that's not true. I have here a short text which explains how
happy99 works and how you can remove it from your PC. It's easy and it
works...

-------------------------
Happy99.Worm
VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: US, Europe
Keys: Trojan Horse, Worm

Description:
This is a worm program, NOT a virus. This program has reportedly
been received through email spamming and USENET newsgroup
posting. The file is usually named HAPPY99.EXE in the email
or article attachment.

When executed, the program also opens a window entitled
"Happy New Year 1999 !!" showing a firework display to disguise
its other actions. The program copies itself as SKA.EXE and
extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM
directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM
directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98.
The modification to WSOCK32.DLL allows the worm routine to be
triggered when a connect or send activity is detected.
When such online activity occurs, the modified code loads the
worm's SKA.DLL. This SKA.DLL creates a new email or a new
article with UUENCODED HAPPY99.EXE inserted into the email
or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify
it (i.e. a user is online), the worm adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the worm manually:

delete WINDOWS\SYSTEM\SKA.EXE
delete WINDOWS\SYSTEM\SKA.DLL
replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
delete the downloaded file, usually named HAPPY99.EXE
------------------------------------------

Werner Hintze
-- 
[EMAIL PROTECTED]

-- 
--------------------------------------------------------------
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   <mailto:[EMAIL PROTECTED]>
To Unsubscribe from TBUDL, double click here and send the message:
   <mailto:[EMAIL PROTECTED]>
--------------------------------------------------------------
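
An added example, not part of the original message or of the advisory it quotes: a Python check that looks in a WINDOWS\SYSTEM directory (for instance on a mounted disk image) for the files the advisory names and lists which of its manual removal steps apply. The function names and the temporary sample directory are assumptions made for illustration.

```python
import os
import tempfile

# File artifacts named in the advisory, all under WINDOWS\SYSTEM.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
PATCHED_DLL = "WSOCK32.DLL"
BACKUP_DLL = "WSOCK32.SKA"  # the worm's copy of the original WSOCK32.DLL


def triage_system_dir(system_dir):
    """Return (findings, plan) for one WINDOWS\\SYSTEM directory."""
    # Windows file names are case-insensitive, so index by upper-case name
    # and keep the on-disk spelling for the report.
    present = {name.upper(): name for name in os.listdir(system_dir)}
    findings = [n for n in WORM_FILES + (BACKUP_DLL,) if n in present]

    plan = []
    for n in WORM_FILES:
        if n in present:
            plan.append("delete " + present[n])
    if BACKUP_DLL in present:
        # The advisory's step: put the saved original back in place.
        plan.append("replace %s with %s" % (PATCHED_DLL, present[BACKUP_DLL]))
    elif findings:
        # Worm files but no saved original: nothing to restore from here,
        # so the plan must not tell the operator to remove WSOCK32.DLL.
        plan.append("keep %s in place: no %s to restore from"
                    % (PATCHED_DLL, BACKUP_DLL))
    return findings, plan


def demo():
    # Constructed sample: a temp directory standing in for WINDOWS\SYSTEM.
    names = ("ska.exe", "Ska.dll", "WSOCK32.DLL", "wsock32.ska", "KERNEL32.DLL")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            open(os.path.join(d, name), "wb").close()
        return triage_system_dir(d)


if __name__ == "__main__":
    found, steps = demo()
    print("artifacts found:", ", ".join(found) or "none")
    for step in steps:
        print(" -", step)
```

The check covers only the file artifacts; the RunOnce registry entry and the downloaded HAPPY99.EXE attachment still have to be looked for separately.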
