Peter,
THANK'S A LOT FOR THIS ADVICE.
I CAN IMAGINE HOW OTHER PEOPLE WOULD BE ANNOYED WITH THIS (NON-VIRUS) WORM
RECEIVED FROM MY MESSAGES.
Gatot Purnomo
GEOINFO - Business Geographic Consultant
"MapData Source, GIS & Mapping Consultant"
JAKARTA - INDONESIA
Tel. 62-21- 8200167, Fax. 82405373
Mobile Ph. 62-811-151247
E-Mail: [EMAIL PROTECTED]
-----Original Message-----
From: Doyle, Peter <[EMAIL PROTECTED]>
To: Mapinfo Forum <[EMAIL PROTECTED]>
Date: Monday, March 08, 1999 7:46 AM
Subject: MI Info on HAPP99 virus
>The following is information extracted from the following web site
>
>http://www.symantec.com/avcenter/venc/data/happy99.worm.html
>
>___________________________________________________________________________
_
>________
>
>Happy99.Worm
>
>VirusName:Happy99.WormAliases:Trojan.Happy99,
>I-Worm.HappyLikelihood:CommonRegion Reported:US,
>EuropeCharacteristics:Trojan Horse, Worm
>
>This is a worm program, NOT a virus. This program has reportedly been
>received through email spamming and USENET newsgroup posting. The file is
>usually named HAPPY99.EXE in the email or article attachment.
>
>When being executed, the program also opens a window entitled "Happy New
>Year 1999 !!" showing a firework display to disguise its other actions. The
>program copies itself as SKA.EXE and extracts a DLL that it carries as
>SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
>WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
>WSOCK32.SKA.
>
>WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
>modification to WSOCK32.DLL allows the worm routine to be triggered when a
>connect or send activity is detected. When such online activity occurs, the
>modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or
>a new article with UUENCODED HAPPY99.EXE inserted into the email or
article.
>It then sends this email or posts this article.
>
>If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
>online), the worm adds a registry entry:
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EX
E
>
>The registry entry loads the worm the next time Windows start.
>
>Removing the worm manually:
>
>1.delete WINDOWS\SYSTEM\SKA.EXE 2.delete WINDOWS\SYSTEM\SKA.DLL 3.in
>WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK 4.in
>WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL 5.delete the
>downloaded file, usually named HAPPY99.EXE
>
>Windows prevents you to do step #3 and #4 above if the machine is still
>connected to the Internet. The file "windows\system\wsock32.dll" is used
>whenever the machine is connected to Internet (i.e. through dial-up or LAN
>connection).
>
>If you are using dial-up connection (i.e. America Online), you need to do
>the following:
>
>1.terminate internet connection 2.delete WINDOWS\SYSTEM\SKA.EXE 3.delete
>WINDOWS\SYSTEM\SKA.DLL 4.in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL
to
>WSOCK32.BAK 5.in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to
>WSOCK32.DLL 6.delete the downloaded file, usually named HAPPY99.EXE
>
>If you are connected to Internet through LAN (i.e. in the office or cable
>modem), you need to do the following:
>
>1.From the Start menu, select shutdown-restart in MS DOS mode 2.type CD
>\windows\system when DOS prompt (C:\)appears 3.type RENAME WSOCK32.DLL
>WSOCK32.BAK 4.type RENAME WSOCK32.SKA WSOCK32.DLL 5.type DEL SKA.EXE 6.type
>DEL SKA.DLL
>
>Safe Computing:
>
>This worm and other trojan-horse type programs demonstrate the need to
>practice safe computing. One should not execute any executable-file
>attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email or
>a newsgroup article from an untrusted source.
>
>
>Regards
>Peter
>----------------------------------------------------------------------
>To unsubscribe from this list, send e-mail to [EMAIL PROTECTED] and put
>"unsubscribe MAPINFO-L" in the message body, or contact [EMAIL PROTECTED]
----------------------------------------------------------------------
To unsubscribe from this list, send e-mail to [EMAIL PROTECTED] and put
"unsubscribe MAPINFO-L" in the message body, or contact [EMAIL PROTECTED]
