Mike,

Oh mannnnn...

Ok, if anybody ran the attachment to Mike's last post called
Happy99.exe, please read the below article I wrote for my e-zine when
Happy99/SKA first appeared. It explains what you need to do to get rid
of it.

If any of you did run the Happy99.exe attachment, shame on you. NEVER,
NEVER, NEVER run any attachment that you don't know what it is.
Hopefully your virus scanner definitions were up to date and you were
not infected.

As for Mike, you really need to update your virus definition files, or
install a virus scanning package if you don't have one already.

**** Start article

Name: Happy99/SKA
Category: Worm

What it does:

A non-destructive self replicating program that modifies the infected
computer's WSOCK32.DLL. This modification allows SKA to attach itself
to outgoing e-mail messages and newsgroup posts in an attempt to
further replicate itself.

What to look for:

1. If you ran a program (most likely called Happy99.exe, but it could
have been named anything) and you were presented with a cheesy
fireworks display with the window title of "Happy New Year 1999!!",
then you were most likely infected.
2. If recipients of e-mail from you say that they are receiving two
copies of your messages and one of them has an attachment called
"Happy99.exe", then you are definitely infected.
3. McAfee VirusScan and Norton AntiVirus both now detect the SKA worm.
4. Navigate to your Windows/System directory and look for any file
named SKA. In particular SKA.EXE and WSOCK32.SKA.

How to fix it:

1. Print these steps first.
2. Reboot into DOS mode.
3. Type CD\Windows\System
4. Type DIR SKA.*
You should see a file called SKA.EXE
5. Type DEL SKA.*
6. Type DIR WSOCK32.*
You should see two files; WSOCK32.DLL and WSOCK32.SKA. If you do
*not* see WSOCK32.SKA, then skip to step 12.
7. Type REN WSOCK32.DLL SKAWSOCK32.DLL
8. Type REN WSOCK32.SKA WSOCK32.DLL
9. Try to connect to the Internet, send yourself an e-mail. If
everything seems to work fine then:
10. Type DEL SKAWSOCK32.DLL
11. You are all done.
12. Something isn't quite right. You should probably reload the file
WSOCK32.DLL from a reliable source. One such reliable source would
be <http://solo.abac.com/dllarchive/W/wsock32.zip>. Note - You
will need an unZIP program such as WINZIP or PKUNZIP to uncompress
the file first.
13. Do step 7 and come back to here.
14. Unzip the WSOCK32.ZIP file which will contain the file called
WSOCK32.DLL into your Windows\System directory.
15. Try to connect to the Internet, send yourself an e-mail. If
everything seems to work fine, then do step 10 and 11. If
everything is not fine, then continue to step 16.
16. Type DEL WSOCK32.DLL
17. Type REN SKAWSOCK32.DLL WSOCK32.DLL
18. Your system is now still using the modified WSOCK32.DLL. Send me
an e-mail and I'll try to help you further.
Hopefully you didn't have to do step 12 as it was more work, and I
really hope you didn't have to do 16 - 18 as that is going to be a
headache. Other than that, you are now SKA free!!!
A bottle in front of me's better than a frontal lobotomy.
Leif Gregory
--
TBUDL/TBBT List Moderator
ICQ 216395 <[EMAIL PROTECTED]>
Web Site <http://www.pcwize.com>
TBUDL FAQ <http://www.pcwize.com/thebat/faq.shtml>
Using The Bat! 1.38 Beta/5 under Windows 98 4.10 Build 1998
on a Pentium 266 with 64MB.
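
Added example, not part of the original post or the author's e-zine article: a Python check that reads a copy of a Windows\System directory (for instance from a mounted disk image) for the file names the article lists and reports which branch of the removal steps applies. The function names, action labels and sample directories are constructed for illustration.

```python
import os
import tempfile

def triage_ska(system_dir):
    """Map the files in a Windows\\System directory to the article's steps."""
    # Names on FAT volumes are case-insensitive, so compare in upper case.
    names = {n.upper() for n in os.listdir(system_dir)}
    # Equivalent of "DIR SKA.*": base name SKA with any extension.
    worm = sorted(n for n in names if os.path.splitext(n)[0] == "SKA")
    has_wsock_ska = "WSOCK32.SKA" in names   # file renamed back in step 8
    has_parked = "SKAWSOCK32.DLL" in names   # file parked by step 7
    if has_wsock_ska:
        action = "restore"   # steps 5-8: delete SKA.*, swap WSOCK32.SKA back
    elif worm:
        action = "reload"    # step 6 sends you to step 12: no WSOCK32.SKA
    elif has_parked:
        action = "cleanup"   # steps 9-10 still open: test, then delete
    else:
        action = "none"      # none of the article's file indicators present
    return {"worm_files": worm, "wsock32_ska": has_wsock_ska,
            "parked_dll": has_parked, "action": action}

def make_sample_dir(file_names):
    """Build a constructed sample directory holding empty files."""
    path = tempfile.mkdtemp()
    for name in file_names:
        open(os.path.join(path, name), "w").close()
    return path

if __name__ == "__main__":
    # Constructed directory listings, one per branch of the procedure.
    samples = {
        "infected, WSOCK32.SKA present": ["Ska.exe", "WSOCK32.DLL", "Wsock32.ska"],
        "infected, WSOCK32.SKA missing": ["SKA.EXE", "WSOCK32.DLL"],
        "step 7 done, step 10 pending": ["WSOCK32.DLL", "SKAWSOCK32.DLL"],
        "no indicators": ["WSOCK32.DLL", "KERNEL32.DLL"],
    }
    for label, files in samples.items():
        print(label, "->", triage_ska(make_sample_dir(files)))
```
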