On Wed, 3 Mar 1999, trias adi jaya wrote:
Here is a little information and a solution for dealing with the happy99.exe virus
Information
This virus is attached to newsgroup and e-mail messages as an attachment
called Happy99.exe. You cannot get infected with
this virus just by reading a newsgroup or e-mail message. If you execute
an infected attachment, it will display a firework
display which looks like this:
It will create two files in the Windows System folder, SKA.EXE and
SKA.DLL. SKA.EXE will be a copy of
HAPPY99.EXE. It will make a backup of WSOCK32.DLL under the name of
WSOCK32.SKA. WSOCK32.DLL is a
regular part of Windows that provides a connection to the Internet. If
it is unable to modify WSOCK32.DLL, then it will add
SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be
modified next time the computer starts. The
modified WSOCK32.DLL will attach HAPPY99.EXE to a second copy of
outgoing newsgroup and e-mail messages. This
virus will keep a list of message recipients in the file LISTE.SKA in
the Windows System folder.
In my tests (sending an e-mail to myself :) this virus attached itself to
a second copy of the e-mail message, with no problems
and a barely noticeable delay. The outgoing message contains the header
X-Spanska: Yes
but this is normally not visible.
This virus does not steal passwords, as some sources have reported. It
does not contain any payload other than the fireworks
display. However, it could overload an e-mail server if a lot of copies
get passed around. Also, since it gets passed along a
lot, a different virus could attach to HAPPY99.EXE somewhere along the
way. This virus does not affect Macs, DOS, or
Windows 3.x.
Some people have asked whether it is always called HAPPY99.EXE. This
virus doesn't contain any code to change the
name. However, it would be simple for a person to change it to anything
they like.
It contains the encrypted text:
"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
Is it a virus, a worm, or a trojan? (Technical Discussion)
Removal
Steps marked optional are not absolutely necessary and are completely
safe to skip.
1. Click Start, then Shut Down, then "Restart Computer in MS-DOS
   mode", then click Yes.
2. At the DOS prompt type this exactly and press enter at the end of
   each line:
       CD \WINDOWS\SYSTEM
   If your Windows folder is not called WINDOWS then substitute the
   name of your Windows folder instead, for example:
       CD \WIN95\SYSTEM
3. Delete SKA.EXE and SKA.DLL by typing
       DEL SKA.EXE
       DEL SKA.DLL
   If you get "File not found" you're either not infected or in the
   wrong directory. Make sure you're in your Windows System
   directory; check to see if you followed step 2 exactly.
4. Copy WSOCK32.SKA to WSOCK32.DLL by typing
       COPY WSOCK32.SKA WSOCK32.DLL
   Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
   Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL
   made by the virus. You are replacing the modified DLL with the
   original.
5. (Optional) Delete WSOCK32.SKA by typing
       DEL WSOCK32.SKA
   You can leave WSOCK32.SKA on your system. It is a copy of your
   original WSOCK32.DLL.
6. Return to Windows by typing
       EXIT
7. (Optional) Click Start, then Run, then type regedit in the text
   box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then
   Microsoft, then Windows, then CurrentVersion. Under RunOnce check
   for SKA.EXE and select it if it is there. Press delete and then
   click Yes. Close Regedit. Don't change anything else without
   making a backup of the registry first. If you don't find SKA.EXE
   in the registry, it doesn't mean you're not infected. SKA.EXE is
   only added to the registry if HAPPY99.EXE is unable to modify
   WSOCK32.DLL when you run it.
8. (Optional) Choose Start, Programs, Accessories, Notepad, choose
   File, then Open, then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File
   Name box. Warn the people on the list, then delete LISTE.SKA.
> Hello.. friends...
> does anyone have an anti-virus for happy99.exe.. or not?
> this is giving me a headache...
>
> trias:-)
>
>
===================================
Aditya Purnawarsyah
Technical Dept.
PT. meiTRAco BahanA Sejahtera
mail to: [EMAIL PROTECTED]
===================================
-------------------------------------------------------------------------
The id-linux mailing list will be retired on 14 March 1999.
For the full story read http://www.linux.or.id/berita-19990228-1.php3
_________________________________________________________________________
To unsubscribe, send an e-mail to [EMAIL PROTECTED]
Searched the archive yet? http://www.linux.or.id/milis.php3#arsip-id-linux
For information on discussion etiquette, send an empty e-mail to [EMAIL PROTECTED]
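
An added example, not part of the original message or of any tool it mentions: a Python check a mail administrator could run over stored messages for the two indicators the message gives, the X-Spanska header and the Happy99.exe attachment name. The function name, the sample messages and the check for a uuencoded body are assumptions made for illustration.

```python
import email
import re
from email import policy

# Indicators stated in the message above. The attachment name can be changed
# by whoever passes the file on, so the header is checked independently.
HEADER = "X-Spanska"
ATTACHMENT = "happy99.exe"
# Assumption: the copy may carry the file uuencoded in the body, not as MIME.
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} (.+?)\s*$", re.MULTILINE)

def happy99_indicators(raw_message: bytes) -> list:
    """Return the Happy99 indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if msg[HEADER] is not None:
        hits.append("header")
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Candidate file names: the MIME filename plus any uuencode "begin" lines.
        names = [part.get_filename() or ""]
        body = part.get_payload(decode=True) or b""
        names += [m.decode("latin-1") for m in UU_BEGIN.findall(body)]
        if any(n.strip().lower() == ATTACHMENT for n in names):
            hits.append("attachment")
    return hits

# Constructed sample messages (structure only, no payload bytes).
CLEAN = b"From: a@example.org\r\nSubject: hello\r\n\r\nplain text\r\n"
SECOND_COPY = (b"From: a@example.org\r\nX-Spanska: Yes\r\n\r\n"
               b"begin 644 Happy99.exe\r\n(placeholder)\r\nend\r\n")
RENAMED = (b"X-Spanska: Yes\r\nMIME-Version: 1.0\r\n"
           b'Content-Type: multipart/mixed; boundary="b"\r\n\r\n'
           b"--b\r\nContent-Type: text/plain\r\n\r\nhi\r\n"
           b"--b\r\nContent-Type: application/octet-stream\r\n"
           b'Content-Disposition: attachment; filename="party.exe"\r\n\r\n'
           b"placeholder\r\n--b--\r\n")

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN), ("second copy", SECOND_COPY),
                       ("renamed", RENAMED)]:
        print(label, happy99_indicators(raw))
```

The renamed sample is flagged by the header alone, which is why a filter that only matches the file name would miss it.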