Colleagues,

Recent mail on Tips from "Marie Helweg-Larsen"
<[EMAIL PROTECTED]> also contained what is known as a "Worm,"
a program that replicates itself (this one on DOS machines) and transmits
itself to other computers via email.  You received an attachment file titled
Happy99.exe

DO NOT RUN THIS FILE

You will get pretty pictures and it will then do its replication.   For
information on how to remove this from your machine, look at:
http://www.symantec.com/avcenter/venc/data/happy99.worm.html

the Symantec antivirus site documentation page for this worm. I have copied
the text from this web page below (somewhat reformatted to remove web
weirdness).  Remember, a warning is not a hoax if it contains documentation.

Happy and safe computing,
-Chuck
- Chuck Huff; 507.646.3169; http://www.stolaf.edu/people/huff/
- Psychology Department, St.Olaf College, Northfield, MN 55057

-----------------------------
Happy99.Worm
Virus Name: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: US, Europe
Characteristics: Trojan Horse, Worm



Description:

This is a worm program, NOT a virus. This program has reportedly been received
through email spamming and USENET newsgroup posting. The file is usually named
HAPPY99.EXE in the email or article attachment.

When executed, the program opens a window entitled "Happy New Year
1999 !!" showing a firework display to disguise its other actions. The program
copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into
the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM
directory and copies the original WSOCK32.DLL to WSOCK32.SKA.

WSOCK32.DLL handles internet connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered when a
connect or send activity is detected. When such online activity occurs, the
modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a
new article with a UUENCODED HAPPY99.EXE inserted into the email or article. It
then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the worm manually:

1. delete WINDOWS\SYSTEM\SKA.EXE
2. delete WINDOWS\SYSTEM\SKA.DLL
3. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
4. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
5. delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you from doing steps #3 and #4 above if the machine is still
connected to the Internet. The file "windows\system\wsock32.dll" is in use
whenever the machine is connected to the Internet (through a dial-up or LAN
connection).


If you are using a dial-up connection (e.g. America Online), you need to do the
following:

1. terminate the internet connection
2. delete WINDOWS\SYSTEM\SKA.EXE
3. delete WINDOWS\SYSTEM\SKA.DLL
4. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
5. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
6. delete the downloaded file, usually named HAPPY99.EXE


If you are connected to the Internet through a LAN (e.g. in the office or via
cable modem), you need to do the following:

1. From the Start menu, select Shut Down, then "Restart in MS-DOS mode"
2. type CD \windows\system when the DOS prompt (C:\) appears
3. type RENAME WSOCK32.DLL WSOCK32.BAK
4. type RENAME WSOCK32.SKA WSOCK32.DLL
5. type DEL SKA.EXE
6. type DEL SKA.DLL
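As an added example (not part of the original mail or of Symantec's write-up), the following Python script turns the indicators named above (SKA.EXE, SKA.DLL, WSOCK32.SKA and the RunOnce entry) into a check, and turns the manual removal steps into the same ordered rename/delete sequence. The directory it inspects and the registry mapping it reads are supplied by the caller, so it runs offline against a constructed scratch copy of a WINDOWS\SYSTEM directory; the function names and the dict-shaped registry stand-in are assumptions of this example, not anything the write-up describes.

```python
"""Detect the Happy99 artifacts listed in the write-up and apply the manual
removal sequence to a caller-supplied directory (hypothetical example code)."""
import os
import shutil
import tempfile

# Artifacts named in the Symantec write-up
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP_WSOCK = "WSOCK32.SKA"      # the worm's copy of the original DLL
LIVE_WSOCK = "WSOCK32.DLL"
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def _find(system_dir, name):
    """Case-insensitive lookup, since FAT filenames compare case-insensitively."""
    for entry in os.listdir(system_dir):
        if entry.upper() == name.upper():
            return os.path.join(system_dir, entry)
    return None


def find_happy99_artifacts(system_dir, registry):
    """Return the indicators present. `registry` is a dict mapping a key path
    to {value_name: data}; it stands in for the real registry so the check
    can run offline (an assumption of this example)."""
    found = {}
    for name in WORM_FILES + (BACKUP_WSOCK,):
        path = _find(system_dir, name)
        if path:
            found[name] = path
    for value_name, data in registry.get(RUNONCE_KEY, {}).items():
        if "SKA.EXE" in str(data).upper():
            found["RunOnce"] = f"{value_name}={data}"
    return found


def plan_cleanup(system_dir):
    """Ordered operations mirroring the manual steps; nothing is touched yet."""
    ops = []
    for name in WORM_FILES:
        if _find(system_dir, name):
            ops.append(("delete", name))
    if _find(system_dir, BACKUP_WSOCK):
        # Keep the patched DLL as .BAK, then restore the saved original.
        ops.append(("rename", LIVE_WSOCK, "WSOCK32.BAK"))
        ops.append(("rename", BACKUP_WSOCK, LIVE_WSOCK))
    return ops


def apply_cleanup(system_dir):
    """Execute plan_cleanup(). On a live Win9x box WSOCK32.DLL is locked while
    online, which is why the write-up has you disconnect or drop to DOS first;
    a locked file surfaces here as an OSError rather than being hidden."""
    ops = plan_cleanup(system_dir)
    for op in ops:
        if op[0] == "delete":
            os.remove(_find(system_dir, op[1]))
        else:
            os.replace(_find(system_dir, op[1]), os.path.join(system_dir, op[2]))
    return ops


def build_infected_sample():
    """Constructed scratch directory laid out like an infected WINDOWS\\SYSTEM.
    File contents are placeholders, not real worm or Winsock bytes."""
    d = tempfile.mkdtemp(prefix="happy99_demo_")
    for name, content in (("SKA.EXE", b"placeholder"), ("SKA.DLL", b"placeholder"),
                          ("WSOCK32.DLL", b"patched-winsock"),
                          ("WSOCK32.SKA", b"original-winsock")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    sample = build_infected_sample()
    registry = {RUNONCE_KEY: {"": "SKA.EXE"}}   # constructed, as in the write-up
    print("indicators:", find_happy99_artifacts(sample, registry))
    print("cleanup:", apply_cleanup(sample))
    print("after:", sorted(os.listdir(sample)))
    shutil.rmtree(sample)
```

Running the script builds the scratch directory, reports all four indicators, restores the saved original over the patched WSOCK32.DLL while keeping the patched copy as WSOCK32.BAK, and leaves only the two Winsock files behind; a second check then reports nothing.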



Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice
safe computing. One should not execute any executable-file attachment (EXE,
SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article
from an untrusted source.

Norton AntiVirus users can protect themselves from this worm by downloading the
current virus definitions either through LiveUpdate or from the following
webpage:

http://www.symantec.com/avcenter/download.html

Write-up by: Raul K. Elnitiarta
March 2, 1999
