[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: (no subject)

To: <killietalk at aka_org>
Subject: RE: (no subject)
From: "unicoon" <unicoon at wt_net>
Date: Mon, 22 Feb 1999 13:31:43 -0600
Importance: Normal
In-Reply-To: <01be5e38$a9b762e0$740a9cd1@brad>

This virus alert was sent to a list I belong to.  I am pasting info on
killing it.  Hope it helps.
Michelle Sykes
Hello All
>
>I think this is the first time that I've received a virus alert that wasn't
>a hoax or urban legend. It's nothing too serious since none of us would
>ever execute an attachment from an untrusted source. Since I have already
>run in to this worm "in the wild" I thought I would pass a long the alert.
>You can find all the info below plus much much more at:
>http://www.datafellows.com/
>
>Paul
>
>
>
>
>Happy99.exe Computer Worm
>
>A computer worm called Happy99.exe, able to send copies of itself by e-mail
>and spam itself to Usenet newsgroups, is making its way around the
>Internet. The worm is currently in the wild in Europe and is already
>spreading around North America.
>
> The worm arrives as an attachment to e-mail or newsgroup messages and is
> able to infect only when users run this attachment.
>
>
>
>
>OK everybody, as this odious little piece of code seems to have come to
>play with us as well, here's a little background and how to remove it
>easily and quickly.
>
>Those who can't be bothered to read all of it,
>1. Delete SKA.EXE and SKA.DLL
>2. Delete WSOCK32.dll
>3. Rename WSOCK32.SKA to be WSOCK32.DLL
>4. Find HAPPY99.EXE and delete it.
>
>Simply it modifies your WSOCK32.DLL file so that every posting whether by
>mail or to a newsgroup. Please do a quick find on your disk for SKA.EXE, if
>you have it, then get rid of it before sending any more emails.
>
>Rgds
>
>Andrew
>---------------
>
>HOW TO FIX IT
>-------------------------
>The folks at Data Fellows have even more detail about it at
>http://www.datafellows.com. If you go to their site, you can get a virus
>program for free (30 day trial) and a patch which is supposed to fix the
>problem. Pasted below is some info from the download (which includes how
>to fix it):
>
>This is the first known modern Internet Worm discovered in-the-wild.
>This computer worm is a kind of virus program that to spread its copies
>does not affect disk files as main target, but replicates its copies by
>sending itself to the Internet as an attachment in the e-mail
>messages.   The worm had been posted by somebody (maybe by worm author)
>to several news servers in January 1999, and then in few days it was
>discovered In-The-Wild in Europe and continued spreading.
>
>The worm arrives as an attachment in the e-mails as a HAPPY99.EXE file.
>When an infected attachment is executed and gets control, the worm
>displays a funny firework in a program's window to hide its malicious
>nature. During that, it installs itself into the system, hooks sendings
>to the Internet, converts its code to the attachment and appends it to
>the messages. As a result the worm, when it is installed into the
>system, is able to spread its copies to all the address the messages are
>sent to.
>
>While installing the worm affects files in the Windows system directory
>only. It creates the SKA.EXE and SKA.DLL files in there, copies the
>WSOCK32.DLL to newly created WSOCK32.SKA and patches the original
>WSOCK32.DLL file to hook email sending calls.
>
>Removal and Protection
>----------------------
>If the worm is detected in your system you can easy get rid of it just
>by deleting SKA.EXE and SKA.DLL files in the system Windows directory.
>You also should delete the WSOCK32.DLL file and replace it with the
>WSOCK32.SKA original file. The original HAPPY99.EXE file should be also
>located and deleted.
>
>To protect your computer from re-infection you need just to set
>Read-Only attribute for the WSOCK32.DLL file. The worm does not pay
>attention to Read-Only mode, and fails to patch the file. This trick was
>discovered by Peter Szor at DataFellows (http://www.datafellows.com).
>
>Please Remember
>---------------
>Do not open and do not execute the HAPPY99.EXE file that you have
>received as an attachment in any message, if you get it from an
>untrusted source and ever trusted source. You should also remember: the
>files that you have got from the Internet can contain malicious code
>that may infect your computer, destroy the data, send confidential files
>to the Internet, or install spy programs to monitor your computer from
>remote host.
>
>Opening MS Office files with disabled VirusProtection and executing not
>trusted executable files is extremely risky. You should remember about
>that each time you see an attachment in incoming message.
>
>
>

-----Original Message-----
From: owner-killietalk at aka_org [mailto:owner-killietalk at aka_org]On
Behalf Of BRADLEY J HIGGINS
Sent: Monday, February 22, 1999 1:55 AM
To: killietalk at aka_org
Subject: Re: (no subject)


This has been sent everywhere that I sent e-mail to. It sends itself. If you
don't open it, you won't have a problem. I wasn't that smart. Sorry to all
who were tagged. I got stuck thru another list. Just make sure you delete it
from your machine.    Brad

References:

Re: (no subject)

From: "BRADLEY J HIGGINS" <SLUMLORD98 at prodigy_net>

Prev by Date: Re: InterScan Virus Alert
Next by Date: Worms and viruses
Prev by thread: Re: (no subject)
Next by thread: RE: (no subject)
Index(es):
- Date
- Thread