Hi all,

I have received a message addressed to this list with an encoded file
labeled Happy99.exe. Please do not attempt to execute this file.

I have been informed of a new email virus-like program (worm) that you 
should be aware of. The following description was taken off the McAfee 
web site which is very credible. Please read on.

..................... dennis

[FROM www.mcafee.com]

W32/Ska is a worm that was first posted to several newsgroups and has been 
reported to several of the AVERT Labs locations worldwide. When this worm 
is run it displays a message "Happy New Year 1999!!" and displays 
"fireworks" graphics. The posting on the newsgroups has led to its 
propagation. It can also spread on its own, as it can attach itself to a 
mail message and be sent unknowingly by a user. Because of this attribute 
it is also considered to be a worm. 

AVERT cautions all users who may receive the attachment via email to 
simply delete the mail and the attachment. The worm infects a system via 
email delivery and arrives as an attachment called Happy99.EXE. It is sent 
unknowingly by a user. When the program is run it deploys its payload 
displaying fireworks on the user's monitor. 

Note: At this time no destructive payload has been discovered.

When the Happy.EXE is run it copies itself to Windows\System folder under 
the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL 
into the Windows\System folder if one does not already exist. 

Note: Though the SKA.EXE file is a copy of the original it does not run 
as the Happy.EXE file does, so it does not copy itself again, nor does it 
display the fireworks on the user's monitor.

The worm then checks for the existence of WSOCK32.SKA in the Windows\System 
folder; if it does not exist and the file WSOCK32.DLL does exist, it copies 
the WSOCK32.DLL to WSOCK32.SKA.

The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe" 

- which will execute SKA.EXE the next time the system is restarted. When 
this happens the worm patches WSOCK32.DLL and adds hooks to the exported 
functions EnumProtocolsW and WSAAsyncGetProtocolByName. 

The patched code calls two exported functions in SKA.DLL called mail and news, 
these functions allow the worm to attach itself to SMTP e-mail and also to 
any postings to newsgroups the user makes.
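The artefacts listed above (SKA.EXE, SKA.DLL, the WSOCK32.SKA backup, the RunOnce value, and a WSOCK32.DLL that no longer matches its backup) can be checked for with a small triage script. The following is an added example, not McAfee's or the list author's code: it runs as a pure function over a constructed host snapshot, so gathering the real Windows\System listing and the RunOnce key (for example with os.listdir and winreg on the host) is left to the caller.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    """Data a collector would gather from one Windows host (constructed here)."""
    system_files: dict   # file name in Windows\System -> file contents (bytes)
    runonce: dict        # value name -> data under HKLM\...\CurrentVersion\RunOnce


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ska_indicators(snap: HostSnapshot) -> list:
    """Return the W32/Ska artefacts from the advisory that are present on the host."""
    files = {name.upper(): data for name, data in snap.system_files.items()}
    findings = []
    if "SKA.EXE" in files:
        findings.append("SKA.EXE dropped in Windows\\System (copy of the attachment)")
    if "SKA.DLL" in files:
        findings.append("SKA.DLL extracted into Windows\\System (exports mail/news)")
    for name, data in snap.runonce.items():
        if name.lower() == "ska.exe" or str(data).strip('"').lower() == "ska.exe":
            findings.append(f"RunOnce persistence entry {name}={data!r}")
    if "WSOCK32.SKA" in files:
        findings.append("WSOCK32.SKA present: backup the worm makes before patching")
        if "WSOCK32.DLL" in files and _sha256(files["WSOCK32.DLL"]) != _sha256(files["WSOCK32.SKA"]):
            findings.append("WSOCK32.DLL differs from WSOCK32.SKA backup: likely patched")
    return findings


# Constructed samples: a host right after the attachment ran (RunOnce not yet
# fired, WSOCK32.DLL still intact), a host after the reboot (RunOnce consumed,
# WSOCK32.DLL patched), and a clean host.
WSOCK_ORIG = b"MZ original winsock"
PRE_REBOOT = HostSnapshot(
    {"SKA.EXE": b"MZ worm", "SKA.DLL": b"MZ dll",
     "WSOCK32.DLL": WSOCK_ORIG, "WSOCK32.SKA": WSOCK_ORIG},
    {"Ska.exe": "Ska.exe"})
POST_REBOOT = HostSnapshot(
    {"SKA.EXE": b"MZ worm", "SKA.DLL": b"MZ dll",
     "WSOCK32.DLL": b"MZ patched hooks", "WSOCK32.SKA": WSOCK_ORIG},
    {})
CLEAN = HostSnapshot({"WSOCK32.DLL": WSOCK_ORIG, "KERNEL32.DLL": b"MZ k32"},
                     {"Setup": "setup.exe"})

if __name__ == "__main__":
    for label, snap in [("pre-reboot", PRE_REBOOT), ("post-reboot", POST_REBOOT), ("clean", CLEAN)]:
        print(label, ska_indicators(snap))
```

Because the RunOnce value is consumed at the first restart, its absence alone does not clear a host; the WSOCK32.SKA backup and the hash mismatch are the indicators that survive the reboot.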

