Hello Werner Hintze,
On Friday, December 03, 1999, 19:28:22 (GMT +07:00) you told us:
>> AFAIK Happy99.exe is a Trojan Virus (Hoax ?), which infected
>> mailers with MAPI capability such as Outlook97/98/2000, Outlook Express 4/5,
>> Exchange Client.
WH> I think, that's not true. I have here a short text which explains
WH> how happy99 works and how you can remove it from your PC. It's
WH> easy and it works...
WH> -------------------------
WH> Happy99.Worm
WH> VirusName: Happy99.Worm
WH> Aliases: Trojan.Happy99, I-Worm.Happy
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's confirmed, Trojan viruses.
WH> Likelihood: Common
WH> Region Reported: US, Europe
WH> Keys: Trojan Horse, Worm
WH> Description:
WH> This is a worm program, NOT a virus. This program has reportedly
^^^^^^^^^^^^^^^^^^^^^^^^^
See this.
[ ... ]
WH> When being executed, the program also opens a window entitled
WH> "Happy New Year 1999 !!" showing a firework display to disguise
WH> its other actions. The program copies itself as SKA.EXE and
WH> extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM
WH> directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM
WH> directory and copies the original WSOCK32.DLL into WSOCK32.SKA.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Same as Leif mentioned.
WH> WSOCK32.DLL handles internet-connectivity in Windows 95 and 98.
WH> The modification to WSOCK32.DLL allows the worm routine to be
WH> triggered when a connect or send activity is detected.
WH> When such online activity occurs, the modified code loads the
WH> worm's SKA.DLL. This SKA.DLL creates a new email or a new
WH> article with UUENCODED HAPPY99.EXE inserted into the email
WH> or article. It then sends this email or posts this article.
That means Happy99 is only active if the program is using Winsock32.dll, right?
Outlook97/98 use this socket; that's why Outlook97/98 are infected by this
virus.
WH> If WSOCK32.DLL is in use when the worm tries to modify
WH> it (i.e. a user is online), the worm adds a registry entry:
WH> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
WH> =SKA.EXE
Aha, this is new info! Thanks.
But why do the instructions below not mention deleting this registry
entry?
WH> The registry entry loads the worm the next time Windows start.
WH> Removing the worm manually:
WH> delete WINDOWS\SYSTEM\SKA.EXE
WH> delete WINDOWS\SYSTEM\SKA.DLL
WH> replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
Usually I copy wsock32.dll from another PC which is not infected with
Happy99.exe.
WH> delete the downloaded file, usually named HAPPY99.EXE
WH> ------------------------------------------
--
- syafril -
********************************************************************
Name : Syafril Hermansyah | Company : Duta Integrasi Pratama
Mailto : [EMAIL PROTECTED] | Voice : (62) (21) 385-1600
URL : www.dutaint.co.id | FAX : (62) (21) 351-9241
********************************************************************
I am using The Bat! 1.38 Beta/5 (reg) under
Windows NT Workstation 4.0 built 1381, Service Pack 6
Created : Friday, December 03, 1999, 20:14:12 (GMT + 07:00)
--
--------------------------------------------------------------
View the TBUDL archive at http://tbudl.thebat.dutaint.com
--------------------------------------------------------------
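
An added example, not part of the original message or the quoted description: a Python check that lists which of the removal steps quoted above are still outstanding in a WINDOWS\SYSTEM directory, including the RunOnce value that the quoted removal list does not cover. The function names, the byte comparison of WSOCK32.DLL against WSOCK32.SKA, and the constructed sample files are assumptions of this example.

```python
import os
import tempfile

def _find(directory, name):
    """Case-insensitive lookup, since FAT file names may appear in any case."""
    for entry in os.listdir(directory):
        if entry.upper() == name.upper():
            return os.path.join(directory, entry)
    return None

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def happy99_cleanup_steps(system_dir, runonce_values=()):
    """Return the removal steps still outstanding for one WINDOWS\\SYSTEM directory.

    runonce_values: data strings exported from the RunOnce key quoted above
    (how they are exported is left to the caller; that part is an assumption).
    """
    steps = []
    for name in ("SKA.EXE", "SKA.DLL"):
        path = _find(system_dir, name)
        if path:
            steps.append("delete " + path)
    backup = _find(system_dir, "WSOCK32.SKA")
    live = _find(system_dir, "WSOCK32.DLL")
    if backup:
        # Assumption: a WSOCK32.DLL that differs from the saved original is the patched copy.
        if live is None or _read(live) != _read(backup):
            steps.append("replace WSOCK32.DLL with " + backup)
    for value in runonce_values:
        if "SKA.EXE" in value.upper():
            steps.append("delete RunOnce value " + value)
    return steps

def build_sample(root, names):
    """Constructed sample: fake files with placeholder contents, not real binaries."""
    for name, data in names.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, {"Ska.exe": b"x", "SKA.DLL": b"y",
                           "WSOCK32.DLL": b"patched", "WSOCK32.SKA": b"original"})
        for step in happy99_cleanup_steps(tmp, ["SKA.EXE"]):
            print(step)
```

Point `system_dir` at a mounted copy of the disk rather than the running system, so that WSOCK32.DLL is not in use while it is read.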