Assalamu 'Alaykum,

Dear brothers & sisters,

The posting earlier from Belfast Mosque entitled:
Under the Shade of the Tree (Peter Sanders in Belfast)

contained a virus attached in a file named 'happy 99' with it.

Please try not to open this file. If you have opened it, then try and
delete them from your computer. The affected files are listed below.

Our kind brother, Ulf Ibrahim Karlsson has alerted me to this problem.
Please take the necessary action as he suggested.

The virus seemed to have come from one of the hundreds of articles sent to
the BICNews editors for reviews sometime yesterday (Thursday).

Apologies for the inconvenience caused & may Allah reward your efforts & sabr.

Wassalam.

M. 'Afifi.

From: "Ulf Ibrahim Karlsson" <[EMAIL PROTECTED]>
Subject: Viruses!!!
Date: Fri, 5 Feb 1999 23:10:21 +0100

Tonight I received a mail from the Belfast Mosque. The mail
contained an attached file (happy99.exe).

It's well known that that file is a "trojan horse", a type of computer virus
that appears to be harmless (in this case display fireworks on the screen)
while at the same time doing damage to your computer.

This text about happy99.exe is taken from Data Fellows, the makers of the
F-Prot anti-virus software.

NAME: Win32/Ska.A
ALIAS: Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy
SIZE: 10000

Win32/Ska.A is a Win32-based worm. It displays fireworks when executed first
time as happy99.exe. (Normally this file arrives as an e-mail attachment to
a particular PC, or it is downloaded from a newsgroup.)

When executed first time, it creates SKA.EXE and SKA.DLL in the system
directory. SKA.EXE is a copy of HAPPY99.EXE. SKA.DLL is packed inside
SKA.EXE. After this Ska creates a copy of WSOCK32.DLL as WSOCK32.SKA in the
system directory. Then it tries to patch WSOCK32.DLL so that its export
entries for two functions will point to new routines (to the worm's own
functions) inside the patched WSOCK32.DLL. If WSOCK32.DLL is in use, Ska.A
modifies the registry's RunOnce entry to execute SKA.EXE during next
boot-up. (When executed as SKA.EXE it does not display the firework, just
tries to patch WSOCK32.DLL until it is not used.)

"Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the worm is
able to see if the local user has any activity on network. When "Connect" or
"Send" APIs are called, Ska loads its SKA.DLL containing two exports: "news"
and "mail".

Then it spams itself to the same newsgroups or same e-mail addresses where
the user was posting or mailing to. It maps SKA.EXE to memory and converts
it to UU encoded format and manipulates the mail buffer to contain this UU
encoded attachment as happy99.exe.

Therefore it is not limited like Win32/Parvo which is unable to use a
particular news server when the user does not have access to it. The worm
also maintains a list of addresses it has posted a copy of itself to. This is
stored in a file called LISTE.SKA. (The number of entries is limited in
this file.)

The worm contains the following encrypted text which is not displayed:

        Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999.

The mail header of the manipulated mails will contain a new field called

        X-Spanska: YES

Since the worm does not check WSOCK32.DLL's attribute, it can not patch it
if it is set to read only.

[Peter Szor, Data Fellows]

All viruses listed in the Virus description pages can be detected and
removed with Data Fellows Anti-virus and Data Security software.

Please warn the other recipients on the mailinglist, and take action to
clear your computers of the virus.

Salam
Ulwur

Belfast Islamic Centre,
38 Wellington Park,
Belfast BT9 6DN,
Northern Ireland.
44-1232-664465.
BIC Homepage: http://ireland.iol.ie/~afifi
or http://www.ummah.net/bicnews
or http://www.muslimsonline.com/bicnews
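
The indicators named in the description above (the X-Spanska: YES header, the UU encoded happy99.exe attachment, and SKA.EXE, SKA.DLL, WSOCK32.SKA and LISTE.SKA in the system directory) can be checked with a short script. This is an added example, not part of the original posting or of the Data Fellows text; the function names, the SYSDIR variable and the sample messages are assumptions constructed for illustration.

```python
import email
import os
import re

# File names the description says the worm leaves in the system directory.
SKA_FILES = {"SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA"}
# A uuencode header line, e.g. "begin 644 happy99.exe".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)\s*$", re.MULTILINE)


def scan_message(raw):
    """Return the indicators found in one RFC 822 message given as a str."""
    msg = email.message_from_string(raw)
    hits = []
    if msg.get("X-Spanska", "").strip().upper() == "YES":
        hits.append("header X-Spanska: YES")
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Assumption beyond the description: also catch a MIME-forwarded copy.
        name = part.get_filename()
        if name and name.lower() == "happy99.exe":
            hits.append("MIME attachment happy99.exe")
        body = part.get_payload()
        if isinstance(body, str):
            for m in UU_BEGIN.finditer(body):
                if m.group(1).lower() == "happy99.exe":
                    hits.append("uuencoded attachment happy99.exe")
    return hits


def scan_system_dir(path):
    """Return the worm's file names present in `path` (case-insensitive)."""
    return sorted(n.upper() for n in os.listdir(path) if n.upper() in SKA_FILES)


# Constructed sample messages (filler data, not real traffic or a real payload).
INFECTED = (
    "From: a@example.org\nTo: list@example.org\nSubject: hello\n"
    "X-Spanska: YES\n\nSee you soon.\n\nbegin 644 happy99.exe\n"
    "#0V%T\n`\nend\n"
)
CLEAN = "From: a@example.org\nTo: list@example.org\nSubject: hello\n\nbegin again\n"

if __name__ == "__main__":
    print(scan_message(INFECTED))
    print(scan_message(CLEAN))
    sysdir = os.environ.get("SYSDIR")  # assumed: set to the Windows system directory
    if sysdir:
        print(scan_system_dir(sysdir))
```

A WSOCK32.SKA file in the system directory is the copy of the original WSOCK32.DLL described above, so its presence also shows where the unpatched library was saved.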
