Happy99 worm

Doug Henwood dhenwood at panix.com
Sat Feb 20 14:44:31 PST 1999


from the Symantec website, thanks to Lou Proyect:


>Happy99.Worm
>
>Description: This is a worm program, NOT a virus. This program has
>reportedly been received through email spamming and USENET newsgroup
>posting. The file is usually named HAPPY99.EXE in the email or article
>attachment.
>
>When executed, the program also opens a window entitled "Happy New
>Year 1999 !!" showing a firework display to disguise its other actions. The
>program copies itself as SKA.EXE and extracts a DLL that it carries as
>SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
>WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.
>
>WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
>modification to WSOCK32.DLL allows the worm routine to be triggered when a
>connect or send activity is detected. When such online activity occurs, the
>modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or
>a new article with UUENCODED HAPPY99.EXE inserted into the email or
>article. It then sends this email or posts this article.
>
>If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
>online), the worm adds a registry entry:
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
>
>The registry entry loads the worm the next time Windows starts.
>
>Removing the worm manually:
>
>1. delete WINDOWS\SYSTEM\SKA.EXE
>2. delete WINDOWS\SYSTEM\SKA.DLL
>3. replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
>4. delete the downloaded file, usually named HAPPY99.EXE
>
>Safe Computing:
>
>This worm and other trojan-horse type programs demonstrate the need to
>practice safe computing. One should not execute any executable-file
>attachment (i.e. EXE, SHS, MS Word or MS Excel file) that comes from an
>email or a newsgroup article from an unknown or an untrusted source.
>
>Norton AntiVirus users can protect themselves from this worm by downloading
>the virus definitions updates released on Jan 28, 1999 or later either
>through LiveUpdate or from the following webpage:
>http://www.symantec.com/avcenter/download.html
>
>Write-up by: Raul K. Elnitiarta January 28, 1999
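The indicators and the four manual removal steps in the write-up above lend themselves to a small checker. The following is an added example, not Symantec's code or anything from the write-up: it scans a WINDOWS\SYSTEM directory for SKA.EXE, SKA.DLL and the WSOCK32.SKA backup, looks for the RunOnce=SKA.EXE entry in a text (.reg-style) registry export rather than the live registry so it runs on any system, and applies the removal steps either as a dry run or for real. The sample directory, file contents and registry export are constructed placeholders; the function and constant names are this example's own.

```python
"""Detect the Happy99 indicators named in the Symantec write-up and apply its
manual removal steps. Added example; not Symantec's code."""
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

WORM_FILES = ("SKA.EXE", "SKA.DLL")          # dropped copy and mailer DLL
BACKUP = "WSOCK32.SKA"                       # the worm's copy of the original
ORIGINAL = "WSOCK32.DLL"                     # the DLL the worm patches
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed registry export (REGEDIT4 text format), not taken from a real machine.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="SKA.EXE"
"""


def find_file(directory, name):
    """Case-insensitive lookup: FAT volumes of the Win9x era ignore case."""
    for entry in Path(directory).iterdir():
        if entry.name.upper() == name.upper():
            return entry
    return None


def runonce_points_to_ska(registry_export):
    """True if any value under the RunOnce key names SKA.EXE (bare or with a path)."""
    in_runonce = False
    for line in registry_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_runonce = line[1:-1].upper() == RUNONCE_KEY.upper()
            continue
        if in_runonce and "=" in line:
            value = line.split("=", 1)[1].strip().strip('"')
            if PureWindowsPath(value).name.upper() == "SKA.EXE":
                return True
    return False


def scan_indicators(system_dir, registry_export):
    """Map each indicator from the write-up to whether it is present."""
    found = {name: find_file(system_dir, name) is not None
             for name in WORM_FILES + (BACKUP,)}
    found["RunOnce"] = runonce_points_to_ska(registry_export)
    return found


def remove_worm(system_dir, download_dir, dry_run=True):
    """Apply the write-up's steps 1-4; return the actions taken (or planned)."""
    actions = []
    for name in WORM_FILES:                              # steps 1 and 2
        path = find_file(system_dir, name)
        if path is not None:
            actions.append(f"delete {path}")
            if not dry_run:
                path.unlink()
    backup = find_file(system_dir, BACKUP)               # step 3
    if backup is not None:
        patched = find_file(system_dir, ORIGINAL) or Path(system_dir) / ORIGINAL
        actions.append(f"replace {patched} with {backup}")
        if not dry_run:
            backup.replace(patched)                      # rename over the patched DLL
    dropper = find_file(download_dir, "HAPPY99.EXE")     # step 4
    if dropper is not None:
        actions.append(f"delete {dropper}")
        if not dry_run:
            dropper.unlink()
    return actions


def build_sample_system():
    """Constructed throwaway tree mimicking an infected WINDOWS\\SYSTEM; dummy bytes only."""
    root = Path(tempfile.mkdtemp(prefix="happy99_demo_"))
    system_dir = root / "WINDOWS" / "SYSTEM"
    downloads = root / "Downloads"
    system_dir.mkdir(parents=True)
    downloads.mkdir()
    (system_dir / "SKA.EXE").write_bytes(b"dummy-dropper")
    (system_dir / "SKA.DLL").write_bytes(b"dummy-mailer")
    (system_dir / "WSOCK32.DLL").write_bytes(b"dummy-patched-wsock32")
    (system_dir / "WSOCK32.SKA").write_bytes(b"dummy-original-wsock32")
    (downloads / "Happy99.exe").write_bytes(b"dummy-attachment")
    return root, system_dir, downloads


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, system_dir, downloads = build_sample_system()
    print("before:", scan_indicators(system_dir, SAMPLE_REG))
    for action in remove_worm(system_dir, downloads, dry_run=False):
        print(action)
    print("after:", scan_indicators(system_dir, SAMPLE_REG))
    cleanup(root)
```

Two points follow from the write-up itself. Step 3 renames the saved WSOCK32.SKA over the patched WSOCK32.DLL, which the write-up notes cannot be modified while a networked program holds it, so the replacement has to be done with nothing online. And the four steps never mention the RunOnce value: after cleanup it points at a file that no longer exists, so the scan above still reports it and it has to be cleared separately.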


