
DON'T Open Happy99




Poster: barclayp@LEE.ARMY.MIL

Greetings to all from Master Terafan:

	The file sent to the Merry Rose by Franklin Ward contains a virus.

The virus is a worm-type virus. Here is some info from Network
Associates...

====================
Virus Name: W32/Ska (a.k.a. Happy99.exe)

This page last updated 2/1/99


W32/Ska is a worm that was first posted to several newsgroups and has been
reported to several of the AVERT Labs locations worldwide. When this worm is
run it displays a message "Happy New Year 1999!!" and displays "fireworks"
graphics. The posting on the newsgroups has led to its propagation. It can
also spread on its own, as it can attach itself to a mail message and be
sent unknowingly by a user. Because of this attribute it is also considered
to be a worm.
AVERT cautions all users who may receive the attachment via email to simply
delete the mail and the attachment. 

The worm infects a system via email delivery and arrives as an attachment
called Happy99.EXE. It is sent unknowingly by a user. When the program is
run it deploys its payload, displaying fireworks on the user's monitor.

Note: At this time no destructive payload has been discovered.

When Happy99.EXE is run it copies itself to the Windows\System folder under
the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL
into the Windows\System folder if one does not already exist.

Note: Though the SKA.EXE file is a copy of the original, it does not run as
Happy99.EXE does, so it does not copy itself again, nor does it
display the fireworks on the user's monitor.

The worm then checks for the existence of WSOCK32.SKA in the Windows\System
folder; if it does not exist and the file WSOCK32.DLL does exist, it
copies WSOCK32.DLL to WSOCK32.SKA.

The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"

- which will execute SKA.EXE the next time the system is restarted. When
this happens the worm patches WSOCK32.DLL and adds hooks to the exported
functions EnumProtocolsW and WSAAsyncGetProtocolByName. 

The patched code calls two exported functions in SKA.DLL called mail and
news; these functions allow the worm to attach itself to SMTP e-mail and
also to any postings to newsgroups the user makes.
	

-----Original Message-----
From: franklin ward [mailto:grimr@nordicnet.net]
Sent: Wednesday, February 10, 1999 12:45 AM
To: undisclosed-recipients
Subject: (no subject)



Poster: franklin ward <grimr@nordicnet.net>


=======================================================================
List Archives, FAQ, FTP:  http://merryrose.atlantia.sca.org/
            Submissions:  atlantia@atlantia.sca.org
        Admin. requests:  majordomo@atlantia.sca.org
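The Network Associates write-up above gives a responder a small, fixed set of artefacts (SKA.EXE and SKA.DLL dropped into Windows\System, WSOCK32.DLL backed up to WSOCK32.SKA, a RunOnce value named Ska.exe, and the WSOCK32.DLL patch that only happens once SKA.EXE runs from RunOnce at the next restart). The script below turns that into a triage check. It is an added example, not Network Associates' tooling or anything posted to this list: it runs over a constructed snapshot of a Windows\System listing and the RunOnce values rather than a live host (collecting those with os.listdir and winreg is assumed and not shown), it assumes the usual RunOnce semantics (Windows removes a RunOnce value after executing it) to tell a machine that has merely been staged from one whose WSOCK32.DLL has already been patched, and its cleanup suggestions, including restoring WSOCK32.DLL from the worm's own WSOCK32.SKA backup, are the example's own reading of the write-up, not steps the write-up states.

```python
"""Triage check for the W32/Ska (Happy99) indicators from the write-up above.

Added example; not Network Associates' code. Works on a constructed Snapshot
so it runs offline. Indicator names are the ones the write-up gives.
"""
from dataclasses import dataclass

# Indicators quoted from the write-up. Windows file names are case-insensitive,
# so everything is compared upper-cased.
DROPPED_FILES = ("SKA.EXE", "SKA.DLL")
WSOCK_BACKUP = "WSOCK32.SKA"   # copy of the original WSOCK32.DLL made before patching
RUNONCE_VALUE = "SKA.EXE"      # RunOnce value name (shown as Ska.exe above)
HOOKED_EXPORTS = ("EnumProtocolsW", "WSAAsyncGetProtocolByName")


@dataclass
class Snapshot:
    """What was collected from one host: Windows\\System file names and the
    HKLM\\...\\CurrentVersion\\RunOnce values (value name -> data)."""
    system_files: frozenset
    runonce: dict


@dataclass(frozen=True)
class Finding:
    stage: str         # "clean", "staged", "patched" or "residue"
    indicators: tuple  # indicators that matched, in a fixed order
    actions: tuple     # cleanup steps this example suggests for that stage


def assess(snap: Snapshot) -> Finding:
    """Match the snapshot against the indicators and decide how far the
    infection sequence from the write-up has progressed."""
    files = {name.upper() for name in snap.system_files}
    runonce_names = {name.upper() for name in snap.runonce}

    indicators = [f for f in DROPPED_FILES if f in files]
    backup_present = WSOCK_BACKUP in files
    if backup_present:
        indicators.append(WSOCK_BACKUP)
    runonce_present = RUNONCE_VALUE in runonce_names
    if runonce_present:
        indicators.append("RunOnce\\" + RUNONCE_VALUE)

    if not indicators:
        return Finding("clean", (), ())

    if runonce_present:
        # Happy99 ran, but the write-up says WSOCK32.DLL is only patched when
        # SKA.EXE runs from RunOnce at the next restart, so it is still intact.
        stage = "staged"
        actions = (
            "delete the RunOnce value Ska.exe before the next restart",
            "delete SKA.EXE and SKA.DLL from Windows\\System",
        )
    elif backup_present:
        # Assumption: Windows removes a RunOnce value after running it, so a
        # missing value with the backup present means the patch step already ran.
        stage = "patched"
        actions = (
            "restore WSOCK32.DLL from the worm's backup WSOCK32.SKA",
            "delete SKA.EXE and SKA.DLL from Windows\\System",
            "verify the exports %s are no longer hooked" % " and ".join(HOOKED_EXPORTS),
        )
    else:
        # Dropped files but no backup: the write-up's copy step only happens
        # when WSOCK32.DLL exists, so check the DLL against a known-good copy.
        stage = "residue"
        actions = (
            "delete SKA.EXE and SKA.DLL from Windows\\System",
            "compare WSOCK32.DLL with a known-good copy (no worm backup found)",
        )
    return Finding(stage, tuple(indicators), actions)


def sample_snapshots() -> dict:
    """Constructed host snapshots for the three cases (not real captures)."""
    return {
        "clean": Snapshot(frozenset({"WSOCK32.DLL", "KERNEL32.DLL"}), {}),
        "staged": Snapshot(frozenset({"WSOCK32.DLL", "WSOCK32.SKA", "SKA.EXE", "SKA.DLL"}),
                           {"Ska.exe": "Ska.exe"}),
        "patched": Snapshot(frozenset({"wsock32.dll", "wsock32.ska", "ska.exe", "ska.dll"}), {}),
    }


if __name__ == "__main__":
    for name, snap in sample_snapshots().items():
        finding = assess(snap)
        print(f"{name:8s} -> {finding.stage}: "
              f"{', '.join(finding.indicators) or 'no indicators'}")
        for action in finding.actions:
            print("            -", action)
```

The stage decision is the useful part: the write-up describes a two-step sequence (copy and stage, then patch on restart), so the presence or absence of the RunOnce value tells the responder whether WSOCK32.DLL still needs to be restored.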
