RE: (no subject)
This virus alert was sent to a list I belong to. I am pasting info on
killing it. Hope it helps.
>I think this is the first time that I've received a virus alert that wasn't
>a hoax or urban legend. It's nothing too serious since none of us would
>ever execute an attachment from an untrusted source. Since I have already
>run into this worm "in the wild" I thought I would pass along the alert.
>You can find all the info below plus much much more at:
>Happy99.exe Computer Worm
>A computer worm called Happy99.exe, able to send copies of itself by e-mail
>and spam itself to Usenet newsgroups, is making its way around the
>Internet. The worm is currently in the wild in Europe and is already
>spreading around North America.
> The worm arrives as an attachment to e-mail or newsgroup messages and is
> able to infect only when users run this attachment.
>OK everybody, as this odious little piece of code seems to have come to
>play with us as well, here's a little background and how to remove it
>easily and quickly.
>Those who can't be bothered to read all of it,
>1. Delete SKA.EXE and SKA.DLL
>2. Delete WSOCK32.dll
>3. Rename WSOCK32.SKA to be WSOCK32.DLL
>4. Find HAPPY99.EXE and delete it.
>Simply it modifies your WSOCK32.DLL file so that every posting whether by
>mail or to a newsgroup. Please do a quick find on your disk for SKA.EXE, if
>you have it, then get rid of it before sending any more emails.
>HOW TO FIX IT
>The folks at Data Fellows have even more detail about it at
>http://www.datafellows.com. If you go to their site, you can get a virus
>program for free (30 day trial) and a patch which is supposed to fix the
>problem. Pasted below is some info from the download (which includes how
>to fix it):
>This is the first known modern Internet Worm discovered in-the-wild.
>This computer worm is a kind of virus program that to spread its copies
>does not affect disk files as main target, but replicates its copies by
>sending itself to the Internet as an attachment in the e-mail
>messages. The worm had been posted by somebody (maybe by worm author)
>to several news servers in January 1999, and then in a few days it was
>discovered In-The-Wild in Europe and continued spreading.
>The worm arrives as an attachment in the e-mails as a HAPPY99.EXE file.
>When an infected attachment is executed and gets control, the worm
>displays a funny firework in a program's window to hide its malicious
>nature. During that, it installs itself into the system, hooks sendings
>to the Internet, converts its code to the attachment and appends it to
>the messages. As a result the worm, when it is installed into the
>system, is able to spread its copies to all the address the messages are
>While installing the worm affects files in the Windows system directory
>only. It creates the SKA.EXE and SKA.DLL files in there, copies the
>WSOCK32.DLL to newly created WSOCK32.SKA and patches the original
>WSOCK32.DLL file to hook email sending calls.
>Removal and Protection
>If the worm is detected in your system you can easily get rid of it just
>by deleting SKA.EXE and SKA.DLL files in the system Windows directory.
>You also should delete the WSOCK32.DLL file and replace it with the
>WSOCK32.SKA original file. The original HAPPY99.EXE file should be also
>located and deleted.
>To protect your computer from re-infection you need just to set
>Read-Only attribute for the WSOCK32.DLL file. The worm does not pay
>attention to Read-Only mode, and fails to patch the file. This trick was
>discovered by Peter Szor at DataFellows (http://www.datafellows.com).
>Do not open and do not execute the HAPPY99.EXE file that you have
>received as an attachment in any message, if you get it from an
>untrusted source and even trusted source. You should also remember: the
>files that you have got from the Internet can contain malicious code
>that may infect your computer, destroy the data, send confidential files
>to the Internet, or install spy programs to monitor your computer from
>Opening MS Office files with disabled VirusProtection and executing not
>trusted executable files is extremely risky. You should remember about
>that each time you see an attachment in incoming message.
From: owner-killietalk at aka_org [mailto:owner-killietalk at aka_org] On
Behalf Of BRADLEY J HIGGINS
Sent: Monday, February 22, 1999 1:55 AM
To: killietalk at aka_org
Subject: Re: (no subject)
This has been sent everywhere that I sent e-mail to. It sends itself. If you
don't open it, you won't have a problem. I wasn't that smart. Sorry to all
who were tagged. I got stuck thru another list. Just make sure you delete it
from your machine. Brad
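
The file checks and cleanup order from the quoted alert can be run as a read-only triage over a Windows system directory (for example one copied or mounted for analysis). This is an added example, not part of the original e-mails or Data Fellows' tooling; the function names, the constructed demo directory, and the mapping of the Read-Only attribute to the owner-write bit are assumptions.

```python
import os
import stat
import tempfile

# File names come from the quoted alert; matching is case-insensitive because
# a Windows volume mounted for analysis may present names in any case.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP, WINSOCK = "WSOCK32.SKA", "WSOCK32.DLL"


def triage(system_dir):
    """List Happy99 traces in system_dir and the alert's cleanup steps (no changes made)."""
    present = {n.upper(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}
    worm_files = [present[n] for n in WORM_FILES if n in present]
    backup, winsock = present.get(BACKUP), present.get(WINSOCK)
    # Assumption: the Read-Only attribute shows up as a cleared owner-write bit.
    read_only = bool(winsock) and not (os.stat(winsock).st_mode & stat.S_IWUSR)
    actions = [f"delete {p}" for p in worm_files]
    if backup:
        # Alert's order: remove the patched DLL, then restore the saved original.
        if winsock:
            actions.append(f"delete {winsock}")
        actions.append(f"rename {backup} to {WINSOCK}")
    elif worm_files:
        actions.append(f"{BACKUP} not found: no saved original to restore from")
    if (winsock or backup) and not read_only:
        actions.append(f"set Read-Only on {WINSOCK}")
    return {"worm_files": worm_files, "backup": backup, "winsock": winsock,
            "winsock_read_only": read_only, "actions": actions}


def demo():
    """Run triage over a constructed, infected-looking directory."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Ska.exe", "ska.dll", "wsock32.dll", "WSOCK32.SKA"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed placeholder, not real file content")
        return triage(d)


if __name__ == "__main__":
    for step in demo()["actions"]:
        print(step)
```

The script only reports; HAPPY99.EXE itself can be saved anywhere, so locating the original attachment still needs a disk-wide search as the alert says.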