-Caveat Lector-

Subject: File attachment
Importance: High

I noticed that one of yesterday's emails had the Happy99.exe attachment. This is not a virus but a Trojan that will send this email out to everyone you email and keeps on going. See below from the Stiller Research home page. You may want to post a warning not to execute.

c/

The "Happy99" Virus?

No, Happy99 is not a virus, but it's not a hoax either. It's technically a trojan with some worm characteristics. (It is NOT a virus and it doesn't infect files or boot sectors as a virus will).

Happy99: a net trojan and worm

We're considering Happy99 (AKA Win32/SKA) to be a worm because once you execute the trojan, it will install itself on your PC and then send file "HAPPY99.EXE" as an attachment with your email. The danger is that this file will be sent to people who know you (and possibly trust you!) and will be more likely to execute the file than if it came from a stranger. The fact that people receive HAPPY99 from someone that they know has caused this program to be much more common than most trojans.

Note, the only way you can be attacked by this trojan (as is true with other trojans) is if you download (or copy) and execute the trojan .EXE file. (It is not a virus and can't spread like a virus.)

NewsGroup Postings!

The Happy99 Trojan has been posted to internet Newsgroups a large number of times. It is most common in newsgroups where MIME and UU encoded files are commonly posted.

Effects of Happy99

When you run the "HAPPY99.EXE" file, it will display a fireworks display and at the same time install itself on your PC by creating the files SKA.DLL and SKA.EXE (a copy of the downloaded HAPPY99.EXE file). It also patches WSOCK32.DLL and modifies the registry field "Software\Microsoft\Windows\CurrentVersion\RunOnce" to execute SKA.EXE at startup.

There is apparently no deliberately destructive code in the trojan (beyond wasting internet bandwidth) but we have reports of many PC crashes and hangs.

Removal?

If you are using Integrity Master, you can see what this (or any other trojan) has done to your PC and delete or restore the appropriate files.

If you have made the mistake of executing "HAPPY99.EXE", you can remove it with just a few steps. (As always make sure you have good backups!) The first step (using REGEDIT) is optional:

Use REGEDIT (back up your registry first) to remove the "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry field that executes "SKA.EXE".

(The remaining steps are not optional)

Next delete the files mentioned above (SKA.EXE and SKA.DLL in your Windows System folder/directory).

You will need to restore the modified WSOCK32.DLL. You can do this from a backup (best) or look in the system directory for file WSOCK32.SKA (this should be your original WSOCK32.DLL) which you can rename or copy over the WSOCK32.DLL file.

Note, these instructions assume you are familiar with the technical details of your PC (such as editing the registry). If you are not sure, get someone that is more experienced to assist you. Please perform the above procedure at your own risk. We make no warranty that they will work in all cases; different variants of this trojan may exist.

PROTECTION?

As we have mentioned in our article on "Are Trojans a real threat to your PC?", virus scanning is not a good way to protect yourself against trojans. Also simply avoiding files with a particular name is not enough. Never accept any programs unless you are familiar with the author or vendor that produced the program (even if you know the user that sent you the file).

WARNING

There is a warning being circulated via email about "HAPPY99.EXE", with a request to "Forward On to others". Please do not forward any warning that contains a request to forward to others. Feel free to warn your friends but please do not send them a warning that says to forward further!
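
The check-and-removal sequence from the quoted write-up, as an added example that is not part of the original message or the Stiller Research article. It reports which of the named files are present in a given System directory and lists the removal steps in the article's order; the RunOnce values are passed in as a hand-exported {name: command} mapping (an assumption), and the demo directory, value name and file contents are constructed.

```python
import os
import tempfile

# File names and registry key as given in the Stiller Research write-up above.
DROPPED = ("SKA.EXE", "SKA.DLL")
PATCHED, SAVED_ORIGINAL = "WSOCK32.DLL", "WSOCK32.SKA"
RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"


def triage(system_dir, runonce_values):
    """Return (findings, plan) for a Windows System directory and a
    {name: command} mapping exported from the RunOnce key."""
    # Windows file names are case-insensitive, so compare in upper case.
    present = {name.upper(): name for name in os.listdir(system_dir)}
    findings = {
        "runonce": sorted(n for n, cmd in runonce_values.items()
                          if "SKA.EXE" in cmd.upper()),
        "dropped": [present[f] for f in DROPPED if f in present],
        "saved_original": present.get(SAVED_ORIGINAL),
    }
    plan = []
    for value in findings["runonce"]:
        plan.append(f"(optional) remove value {value!r} from {RUNONCE_KEY}")
    for name in findings["dropped"]:
        plan.append(f"delete {os.path.join(system_dir, name)}")
    if findings["saved_original"]:
        plan.append(f"copy {findings['saved_original']} over {PATCHED}")
    elif findings["runonce"] or findings["dropped"]:
        # No saved copy found: the write-up prefers a backup in any case.
        plan.append(f"restore {PATCHED} from a known-good backup")
    return findings, plan


def demo():
    # Constructed sample: a temp directory holding zero-byte stand-ins for
    # the file names, plus a made-up RunOnce export (value name assumed).
    with tempfile.TemporaryDirectory() as system_dir:
        for name in ("Ska.exe", "SKA.DLL", "WSOCK32.DLL", "wsock32.ska"):
            open(os.path.join(system_dir, name), "w").close()
        runonce = {"Ska.exe": r"C:\WINDOWS\SYSTEM\SKA.EXE"}
        return triage(system_dir, runonce)


if __name__ == "__main__":
    for step in demo()[1]:
        print(step)
```

An empty plan means none of the named artifacts were found; as the article notes, different variants may exist, so that is not proof the machine is clean.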
