
RE: DON'T Open Happy99 - Blocking it.




Poster: Mike Dullaghan <michael.f.dullaghan@adn.alcatel.com>

The Data Fellows' Virus information pages also note:

   Since the worm does not check WSOCK32.DLL's attribute, it can not
   patch it if it is set to read only.

On 10-Feb-99 barclayp@LEE.ARMY.MIL wrote:
>
>Greetings to all from Master Terafan:
>
>       The file sent to the Merry Rose by Franklin Ward contains a virus.
>
>The virus is a worm type virus.   Here is some info from Network
>Associates...
>
>====================
>Virus Name: W32/Ska (a.k.a. Happy99.exe)
>
>This page last updated 2/1/99
>
>
>W32/Ska is a worm that was first posted to several newsgroups and has been
>reported to several of the AVERT Labs locations worldwide. When this worm is
>run it displays a message "Happy New Year 1999!!" and displays "fireworks"
>graphics. The posting on the newsgroups has led to its propagation. It can
>also spread on its own, as it can attach itself to a mail message and be
>sent unknowingly by a user. Because of this attribute it is also considered
>to be a worm.
>AVERT cautions all users who may receive the attachment via email to simply
>delete the mail and the attachment. 
>
>The worm infects a system via email delivery and arrives as an attachment
>called Happy99.EXE. It is sent unknowingly by a user. When the program is
>run it deploys its payload, displaying fireworks on the user's monitor. 
>
>Note: At this time no destructive payload has been discovered.
>
>When the Happy.EXE is run it copies itself to Windows\System folder under
>the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL
>into the Windows\System folder if one does not already exist. 
>
>Note: Though the SKA.EXE file is a copy of the original, it does not run as
>the Happy.EXE file does, so it does not copy itself again, nor does it
>display the fireworks on the user's monitor.
>
>The worm then checks for the existence of WSOCK32.SKA in the Windows\System
>folder; if it does not exist and the file WSOCK32.DLL does exist, it
>copies WSOCK32.DLL to WSOCK32.SKA.
>
>The worm then creates the registry entry -
>
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe
>="Ska.exe" 
>
>- which will execute SKA.EXE the next time the system is restarted. When
>this happens the worm patches WSOCK32.DLL and adds hooks to the exported
>functions EnumProtocolsW and WSAAsyncGetProtocolByName. 
>
>The patched code calls two exported functions in SKA.DLL called mail and
>news, these functions allow the worm to attach itself to SMTP e-mail and
>also to any postings to newsgroups the user makes.
========================================================================
Michael the Eclectic, House Falconguard, Barony of Ponte Alto, Atlantia.
Vert, on an inverted chevron or, a reremouse(bat) displayed sable.

Armed man = citizen.  Unarmed man = subject.

Of course these are MY opinions! Whattya think, my EMPLOYER
could've thought this stuff up?
=======================================================================
List Archives, FAQ, FTP:  http://merryrose.atlantia.sca.org/
            Submissions:  atlantia@atlantia.sca.org
        Admin. requests:  majordomo@atlantia.sca.org
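The message above lists the things W32/Ska leaves behind (SKA.EXE, SKA.DLL, WSOCK32.SKA, the RunOnce value) and the Data Fellows note that a read-only WSOCK32.DLL cannot be patched. The script below is an added example, not code from the original post, Network Associates or Data Fellows: it scans a Windows\System folder for those indicators, uses the worm's own WSOCK32.SKA backup to tell whether the live WSOCK32.DLL has already been patched (the hashes differ once SKA.EXE has run after a reboot), and applies the read-only mitigation. The registry values are passed in as a plain dict so the check runs offline; `collect_runonce()` reads the real RunOnce key only on Windows. The function names, the `build_sample_system()` fixture and its file contents are all constructed for this example.

```python
import hashlib
import os
import stat
import sys
import tempfile

# Indicators quoted in the post: the dropped files and the RunOnce value.
SKA_FILES = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")
RUNONCE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = "Ska.exe"


def _find_ci(directory, name):
    """Case-insensitive lookup: FAT/NTFS ignore case, a Linux test dir does not."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan_for_ska(system_dir, runonce_values):
    """Return a list of findings for the indicators described in the post.

    runonce_values maps value name -> data from the RunOnce key; it is
    collected separately so this function has no Windows dependency.
    """
    findings = []
    for name in SKA_FILES:
        if _find_ci(system_dir, name):
            findings.append(f"dropped file present: {name}")

    if runonce_values.get(RUNONCE_VALUE, "").lower() == "ska.exe":
        findings.append(f"RunOnce value {RUNONCE_VALUE!r} = 'Ska.exe' (runs SKA.EXE at next boot)")

    # The worm copies the pristine WSOCK32.DLL to WSOCK32.SKA before SKA.EXE
    # patches the live copy, so a backup that differs from the live DLL means
    # the hooks have already been written.
    dll = _find_ci(system_dir, "WSOCK32.DLL")
    bak = _find_ci(system_dir, "WSOCK32.SKA")
    if dll and bak and _sha256(dll) != _sha256(bak):
        findings.append("WSOCK32.DLL differs from WSOCK32.SKA backup: DLL has been patched")
    return findings


def is_read_only(path):
    """True when the owner write bit is clear (the DOS 'R' attribute on Windows)."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def protect_wsock32(system_dir):
    """Mitigation from the post: mark WSOCK32.DLL read-only so SKA.EXE cannot patch it."""
    dll = _find_ci(system_dir, "WSOCK32.DLL")
    if dll is None:
        return False
    os.chmod(dll, os.stat(dll).st_mode & ~stat.S_IWRITE)
    return is_read_only(dll)


def collect_runonce():
    """On Windows, enumerate the RunOnce values with winreg; elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


def build_sample_system(infected=True):
    """Constructed fixture: a temp dir laid out like an infected Windows\\System.
    The bytes are made up for the example and are not real DLL contents."""
    d = tempfile.mkdtemp(prefix="ska_demo_")
    original = b"MZ original wsock32 (constructed sample)"
    with open(os.path.join(d, "WSOCK32.DLL"), "wb") as f:
        f.write(original + (b" + worm hooks" if infected else b""))
    if infected:
        for name in SKA_FILES:
            with open(os.path.join(d, name), "wb") as f:
                f.write(original if name == "WSOCK32.SKA" else b"MZ ska (constructed)")
    return d


if __name__ == "__main__":
    sysdir = build_sample_system()
    runonce = collect_runonce() or {RUNONCE_VALUE: "Ska.exe"}  # constructed off-Windows
    for line in scan_for_ska(sysdir, runonce):
        print(line)
    print("WSOCK32.DLL now read-only:", protect_wsock32(sysdir))
```

On a real host, call `scan_for_ska(r"C:\Windows\System", collect_runonce())`. If the scan reports that WSOCK32.DLL differs from its backup, the worm's own WSOCK32.SKA copy is the unpatched original and can be restored over the live DLL before the RunOnce value and the SKA.* files are removed; setting the read-only bit afterwards blocks a re-run of SKA.EXE from patching it again, as the post notes, but does nothing to stop a user from launching a fresh Happy99.EXE.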