[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: regarding happy99 virus

On Fri, 30 Apr 1999 01:33:46 PDT, "Eric Chun" <ericchun@hotmail.com>

>I think the anti-virus programs scan the files for
>virus (code) patterns.
>It's possible that new virus's aren't covered by
>your anti-virus program version, too.  You may want
>to get the free updates for your anti-virus program
>from time to time.

ME: I use McAfee Virus Scan and I have the latest update.  I'm not
sure how other virus checkers work but McAfee, like most of them, will
catch such a virus when it's planted, not when it's downloaded.
(Actually, it's not a virus; it's called a worm program.)

Merely having the Happy99.exe program attached to an e-mail does not
mean you have a worm or virus on your computer.  Running Happy99
releases the worm and that's when McAfee catches it.

Here's some data from the McAfee web-site...


W32/Ska (A.K.A. Happy99.exe) 

W32/Ska is a worm that was first posted to several newsgroups and has
been reported to several of the AVERT Labs locations worldwide. When
this worm is run it displays a message "Happy New Year 1999!!" and
displays "fireworks" graphics. The posting on the newsgroups has lead
to its propagation. It can also spread on its own, as it can attached
itself to a mail message and be sent unknowingly by a user. Because of
this attribute it is also considered to be a worm. 

AVERT cautions all users who may receive the attachment via email to
simply delete the mail and the attachment. The worm infects a system
via email delivery and arrives as an attachment called Happy99.EXE. It
is sent unknowingly by a user. When the program is run it deploys its
payload displaying fireworks on the users monitor. 

Note: At this time no destructive payload has been discovered.

When the Happy.EXE is run it copies itself to Windows\System folder
under the name SKA.EXE. It then extracts, from within itself, a DLL
called SKA.DLL into the Windows\System folder if one does not already

Note: Though the SKA.EXE file file is a copy of the original it does
not run as the Happy.EXE files does, so it does not copy itself again,
nor does it display the fireworks on the users monitor.

The worm then checks for the existence of WSOCK32.SKA in the
Windows\System folder, if it does not exist and a the file WSOCK32.DLL
does exist, it copies the WSOCK32.DLL to WSOCK32.SKA.

The worm then creates the registry entry -


- which will execute SKA.EXE the next time the system is restarted.
When this happens the worm patches WSOCK32.DLL and adds hooks to the
exported functions EnumProtocolsW and WSAAsyncGetProtocolByName. 

The patched code calls two exported functions in SKA.DLL called mail
and news, these functions allow the worm to attach itself to SMTP
e-mail and also to any postings to newsgroups the user makes.

Mark Evanier's e-mail address is: me@evanier.com
OFFICE: 363 S. Fairfax Ave., #303 - Los Angeles, CA 90036