Hmmm,
i've send my apologies earlier. I was unkowing infected by this virus. I
got it from another mailing_list of sun : [EMAIL PROTECTED](thu
25/02/1999 13:05 by S.N. Prasanna)
It was --just like my message-- an empty mail including a happy99.exe-file,
which i executed. After i send a message to the Servlet-interest
mailing-list, i got multiple warnings from several servers.
When infected by this virus, every outgoing mail gets followed by another
mail with no body and only containing this virus as an attachement. When i
got the warnings i removed the virus from my system and warned the people
which received this virus from me. --The virus keeps a list with the
adresses where he send the file to (only two in my case wich included this
list).
I hope i haven't troubled people with this virus, but i was just a victim
like the other people who executed this file.
Because of the attention this subject recieved, i thought averyone was
informed about this virus actions. Reading the previous mails it seemed
some people are still unknowing about this virus and unwilling to understand
this could have happend to them too.
So, my apologies *again*.
This list is a great resource for me, so i have -and hadn't-- no intentions
spoiling it.
here are some of the reactions i got after i got infected by this virus,
including a manual to remove the virus from your system.
Regards,
Mark
the message from Rimon Barr after the infected email from mr Prasana (the
mail i got infected from)
*** [EMAIL PROTECTED] thu 25/02 14:42 ***
Dear JSP Readers -
A previous message contained a file by the name of Happy99.exe.
Do not execute this file. It is very likely a worm. There is a detailed
explanation at:
http://www.symantec.com/avcenter/venc/data/happy99.worm.html
Mr. Prasanna -
Please take measures to fix the appropriate DLLs. Thereafter, also inform
all people you have emailed since running that executable, because this
worm piggybacks your email transmissions. And in future, exercise more
caution before granting executables access to your machine.
All the best,
Rimon.
--
*
| Rimon Barr, Ph.D. student, Computer Science, Cornell University.
| Email: [EMAIL PROTECTED]
| WWW: http://www.cs.cornell.edu/home/barr/
|
| "Remember no man is a failure who has friends."
| -- Clarence Odbody, It's a Wonderful Life
+----
**********************************
the uninstall procedure Hendrik Schreiber send to this list:
This is a trojan. DON'T EXECUTE IT.
Some more information follows.
This info is not from me, I didn't test what it suggests. In fact I don't
even
know exactly who it is from. Anyway: it seems useful.
Ska Virus
Information
This virus is attached to newsgroup and e-mail messages as an
attachment called Happy99.exe. You cannot get infected with this virus
just by reading a newsgroup or e-mail message. If you execute an
infected attachment, it will display a firework display. This display
will look like this:
It will create two files in the Windows System folder, SKA.EXE and
SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will make a backup
of WSOCK32.DLL under the name of WSOCK32.SKA. If it is unable to
modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of
the registry and WSOCK32.DLL will be modified next time the computer
starts. The modified WSOCK32.DLL will attach HAPPY99.EXE to a second
copy of outgoing newsgroup and e-mail messages. In my tests(sending an
e-mail to myself:) this virus attached itself to a second copy of the
e-mail message, with no problems and a barely
noticeable delay. This virus will keep a list of message recipients in
the file LISTE.SKA in the Windows System folder.
Some people have asked whether it is always called HAPPY99.EXE. This
virus doesn't contain any code to change the name. However, it would
be simple for a person to change it to anything they like.
It contains the text:
"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
Removal
Click Start, then Shut Down, then "Restart Computer in MS-DOS mode"
At the DOS prompt type:
CD \WINDOWS\SYSTEM
Delete SKA.EXE, SKA.DLL, and WSOCK32.DLL by typing
DEL SKA.EXE
DEL SKA.DLL
DEL WSOCK32.DLL
Rename WSOCK32.SKA to WSOCK32.DLL by typing
REN WSOCK32.SKA WSOCK32.DLL
Return to Windows by typing
EXIT
Optional Click Start, then Run, then type regedit in the text box,
then click OK. Click HKEY_LOCAL_MACHINE, then Software, then
Microsoft, then Windows, then CurrentVersion. Under RunOnce check for
SKA.EXE and select it if it is there. Press delete and then click Yes.
Close Regedit. Optional Start Notepad and open the file LISTE.SKA.
Warn the people on the list, then delete LISTE.SKA
Mark Minnoye wrote:
> Name: Happy99.exe
> Happy99.exe Type: unspecified type (application/octet-stream)
> Encoding: x-uuencode
>
>
___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the
body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
--
- - - - - - - - - - - - - - - - - - - - - - - -
The WebApp Framework ~ http://www.webapp.de/
**************************
a reaction from Kevin Mukhar:
You appear to be infected with the Happy99 worm. I recently received a
posting from Sun's Servlet list from you. Attached to the post was the file
Happy99.exe, which is an internet worm. For more information see
http://www.symantec.com/avcenter/venc/data/happy99.worm.html
Kevin Mukhar
*********************
I hope this clears the hard feelings ; i'm also a victim, not an abuser.
Mark
-----Oorspronkelijk bericht-----
Van: Thad Humphries <[EMAIL PROTECTED]>
Aan: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Datum: donderdag 25 februari 1999 21:54
Onderwerp: Re: Servlet Bean
>>That's what I'd like to know... Is there any reason why this Mark guy is
>>allowed to have an account at all? Can we complain to his ISP and, of
>>course, kick his sorry ass off the list?
>
>Well, it's a shame it happened and I hope no one got burned. Complain to
>his ISP, yes, but (IMHO) kicking him off could be premature. I have a
>friend who was unknowingly infected with happy99.exe and only became aware
>of it when one of her messages--with happy attached--went out to a list to
>which she was a long time and esteemed member. And then folks had to tell
>her about it. She went thru hell purging it, too. Although "Mark"s
>message had no body, which one of us hasn't accidently sent a premature
>message or had a text body lost or garbled? Plenty time in my career, and
>I've been at this since MILNET. Let him explain...
>
>--------------------------------------------------------------------------
>Thad Humphries "But let justice roll on like a river,
>Software Engineer (aka, Nerd) righteousness like a never-failing
>Phone: 540/675-3015, ext. 225 stream." - Amos 5:24, NIV
>
>___________________________________________________________________________
>To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
>of the message "signoff SERVLET-INTEREST".
>
>Archives: http://archives.java.sun.com/archives/servlet-interest.html
>Resources: http://java.sun.com/products/servlet/external-resources.html
>LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
