>Assalamualaikum...,
>
>I scanned my PC and only found the Win95/CIH virus ...
>I cleaned the infected files but still face
>the same problem ... as if this 99 virus cannot be detected by
>the virus scan ... until a friend sent me this SKA.html
>... when we execute the file Happy99.exe, the program
>will by itself download the files "SKA.exe", "wsock32.ska",
>"liste.ska" and "ska.dll". An easy way to delete these files is to
>click "Start" - "Find" - "Files or folders" - "Named", type "SKA" -
>"Find Now" ... all four of these SKA files will appear ... and you
>only need to delete these files ... or you can follow the method given
>in SKA.html.
>
>Win32/Ska virus spreads via internet/Happy99.exe worm
>
>anyone with a computer infected by the Happy99.exe worm,
>follow this advice
>
>http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM
>
>wassalam...
>Shamsul MY
>Manufacturing Engineering
>Western Digital (M) Sdn.Bhd
>Contact no. : 03 - 7705478

Ska Virus Information

This virus is attached to newsgroup and e-mail messages as an attachment called Happy99.exe. You cannot get infected with this virus just by reading a newsgroup or e-mail message.

If you execute an infected attachment, it will display a firework display.

It will create two files in the Windows System folder, SKA.EXE and SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will make a backup of WSOCK32.DLL under the name of WSOCK32.SKA. WSOCK32.DLL is a regular part of Windows that provides a connection to the Internet. If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be modified next time the computer starts.

The modified WSOCK32.DLL will attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages.
This virus will keep a list of message recipients in the file LISTE.SKA in the Windows System folder. In my tests (sending an e-mail to myself :) this virus attached itself to a second copy of the e-mail message, with no problems and a barely noticeable delay. The outgoing message contains the header X-Spanska: Yes but this is normally not visible.

This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. However, it could overload an e-mail server if a lot of copies get passed around. Also, since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way.

This virus does not affect Macs, DOS, or Windows 3.x.

Some people have asked whether it is always called HAPPY99.EXE. This virus doesn't contain any code to change the name. However, it would be simple for a person to change it to anything they like.

It contains the encrypted text: "Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."

Is it a virus, a worm, or a trojan? (Technical Discussion)

Removal

Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes.

At the DOS prompt type:

    CD \WINDOWS\SYSTEM

Delete SKA.EXE and SKA.DLL by typing

    DEL SKA.EXE
    DEL SKA.DLL

If you get "File not found" you're not infected.

Copy WSOCK32.SKA to WSOCK32.DLL by typing

    COPY WSOCK32.SKA WSOCK32.DLL

Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.

Optional: Delete WSOCK32.SKA by typing

    DEL WSOCK32.SKA

Return to Windows by typing

    EXIT

Optional: Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there. Press delete and then click Yes.
Close

Regards
Iwan Indrawan
ICQ : 2198035
----------------------------------------------------------------------------
Modern science opens the eyes of the young generation and teaches them
truth and knowledge, but does not teach them devotion (khusyu') and weeping
http://www.hackerlink.or.id - question reality - be paranoid (?)
---------------------------------------------------------------------
unsubscribe from the hackerlink mailing list : [EMAIL PROTECTED]
rules of the hackerlink mailing list : [EMAIL PROTECTED]
archive of this mailing list : http://www.mail-archive.com/[email protected]
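
The indicators described in the message above (the four files in the Windows System folder and the X-Spanska: Yes header on outgoing mail), turned into a triage check. This is an added example, not part of the original message or of the SKA.HTM page; the function names, the sample message and its addresses are constructed for illustration.

```python
import email
from email import policy
from pathlib import Path

# Files the page says the worm leaves in the Windows System folder.
SKA_FILES = {"ska.exe", "ska.dll", "wsock32.ska", "liste.ska"}

def scan_system_dir(system_dir):
    """Return the names of Ska artefacts found in system_dir (case-insensitive)."""
    return sorted(p.name for p in Path(system_dir).iterdir()
                  if p.is_file() and p.name.lower() in SKA_FILES)

def scan_message(raw_bytes):
    """Return the reasons a raw RFC 822 message matches the page's description."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if (msg.get("X-Spanska") or "").strip().lower() == "yes":
        hits.append("header X-Spanska: Yes")
    for part in msg.walk():
        name = part.get_filename()
        # The attachment can be renamed by a sender, so the name is only a hint.
        if name and name.lower() == "happy99.exe":
            hits.append("attachment " + name)
    return hits

# Constructed sample message (addresses, boundary and body are made up).
SAMPLE = b"\r\n".join([
    b"From: a@example.org",
    b"To: b@example.org",
    b"Subject: test",
    b"X-Spanska: Yes",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"hello",
    b"--b1",
    b'Content-Type: application/octet-stream; name="Happy99.exe"',
    b'Content-Disposition: attachment; filename="Happy99.exe"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"AAAA",
    b"--b1--",
    b"",
])

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A WSOCK32.SKA hit means a backup of the original WSOCK32.DLL exists, so keep it until the restore step in the removal procedure has been done.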
