Happy99 info

Ed Mosher wa8zvo at JUNO.COM
Sat Mar 27 17:02:53 EST 1999


For those of you who may have this virus and do not have access to info,
here's the scoop on this germ.  Too bad these people can't funnel their
software skills into useful programs that could help, not hurt, users.

Downloaded from this web site:   http://datafellows.com/v-descs/ska.htm

Ed Mosher
WA8ZVO at JUNO.COM         Formerly  "One of the Hams at Heath"

 **The most valuable "things" in our lives are not things! **

--------- Begin forwarded message ----------

Subject: Happy99 info
Date: Fri, 26 Mar 1999 15:22:38 -0500



        NAME: Ska
        ALIAS: Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA, Happy

        SIZE: 10000

        Win32/Ska.A is a Win32-based e-mail and newsgroup worm. It displays
        fireworks when executed for the first time as Happy99.exe. (Normally
        this file arrives as an e-mail attachment to a particular PC, or it
        is downloaded from a newsgroup.)
        When the Happy99.exe file has been executed, every e-mail and
        newsgroup posting sent from the machine will cause a second message
        to be sent. This will contain the same sender and recipient
        information but contains no text, just the Happy99.exe file itself
        as an attachment.

        Since people will usually receive Happy99.exe from someone they know
        (as you normally get e-mail from someone you know), people tend to
        trust this attachment, and run it.

        When executed for the first time, it creates SKA.EXE and SKA.DLL in
        the system directory. SKA.EXE is a copy of HAPPY99.EXE. SKA.DLL is
        packed inside SKA.EXE. After this Ska creates a copy of WSOCK32.DLL
        as WSOCK32.SKA in the system directory. Then it tries to patch
        WSOCK32.DLL so that its export entries for two functions will point
        to new routines (to the worm's own functions) inside the patched
        WSOCK32.DLL. If WSOCK32.DLL is in use, Ska.A modifies the registry's
        RunOnce entry to execute SKA.EXE during the next boot-up. (When
        executed as SKA.EXE it does not display the fireworks, just tries to
        patch WSOCK32.DLL until it is no longer in use.)

        The "Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the
        worm is able to see if the local user has any activity on the
        network. When the "Connect" or "Send" APIs are called, Ska loads its
        SKA.DLL containing two exports: "news" and "mail".

        Then it spams itself to the same newsgroups or the same e-mail
        addresses to which the user was posting or mailing. It maps SKA.EXE
        into memory, converts it to uuencoded format and mails an additional
        e-mail or newsgroup post with the same header information as the
        original message but containing no text, just an attachment called
        Happy99.exe.


        Therefore Happy99 is not limited like the Win32/Parvo virus, which
        is unable to use a particular news server when the user does not
        have access to it. The worm also maintains a list of addresses to
        which it has posted a copy of itself. This is stored in a file
        called LISTE.SKA. (The number of entries in this file is limited.)

        The worm contains the following encrypted text which is not
        displayed:


                Is it a virus, a worm, a trojan?
                MOUT-MOUT Hybrid (c) Spanska 1999.

        The mail header of the manipulated mails will contain a new field
        called "X-Spanska: YES". Normally this header field is not visible
        to receivers of the message.
        Since the worm does not check WSOCK32.DLL's attribute, it cannot
        patch it if it is set to read-only.

        Please note that after disinfection of this worm you will have to
        rename WSOCK32.SKA back to WSOCK32.DLL in the \WINDOWS\SYSTEM folder
        to restore all original Winsock internet capabilities.
--------- End forwarded message ----------

--- --- --- --- --- --- --- --- --- --- --- --- --- --
To subscribe: listserv at listserv.tempe.gov
and in body: subscribe HEATH yourfirstname yourlastname
To unsubscribe:  listserv at listserv.tempe.gov
and in body: signoff HEATH
Archives for HEATH: http://www.tempe.gov/archives
--- --- --- --- --- --- --- --- --- --- --- --- --- --
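The forwarded description says the worm keeps a copy of the original Winsock library as WSOCK32.SKA and then redirects the export entries for "connect" and "send" in WSOCK32.DLL to its own routines. That leaves a clean reference beside the patched file, so the hook can be confirmed by parsing both export tables and comparing the function RVAs. The following is an added Python example written for this page; it is not code from the mailing-list post or from Data Fellows. Because no real WSOCK32.DLL is available offline, `build_export_dll` constructs minimal PE32 fixtures (headers plus one section holding an export directory) that stand in for the clean and patched library; the RVA values and the export list (`connect`, `send`, `recv`) in them are invented for the demonstration.

```python
import struct


def build_export_dll(exports: dict) -> bytes:
    """CONSTRUCTED test fixture: a minimal PE32 DLL whose single section holds
    an export directory mapping each name to the given function RVA. It is
    not loadable code; it only stands in for WSOCK32.DLL / WSOCK32.SKA so the
    parser below can run without a Windows machine."""
    sec_rva, sec_off = 0x1000, 0x200
    names = sorted(exports)
    n = len(names)
    aof = sec_rva + 40          # AddressOfFunctions right after the 40-byte directory
    aon = aof + 4 * n           # AddressOfNames
    aoo = aon + 4 * n           # AddressOfNameOrdinals
    strings = bytearray(b"WSOCK32.dll\0")
    name_rvas = []
    for nm in names:
        name_rvas.append(aoo + 2 * n + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, aoo + 2 * n, 1, n, n, aof, aon, aoo)
    body += b"".join(struct.pack("<I", exports[nm]) for nm in names)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += bytes(strings)
    body += b"\0" * (-len(body) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 0, 0,
                      0, 0, 0, 0, 0, 0, 0x10000000, 0x1000, 0x200)
    opt += struct.pack("<" + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
                       0, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0, 0, 0, 0, 0, 0, 16)
    opt += struct.pack("<II", sec_rva, len(body)) + b"\0" * 8 * 15  # DataDirectory[0] = export
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, len(body),
                       sec_off, 0, 0, 0, 0, 0x40000040)
    head = dos + b"PE\0\0" + coff + opt + sect
    return head + b"\0" * (sec_off - len(head)) + body


def parse_exports(pe: bytes) -> dict:
    """Return {export name: function RVA} from a PE32/PE32+ image's export
    directory, resolving RVAs to file offsets through the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)       # DataDirectory offset (PE32 / PE32+)
    export_rva, _export_size = struct.unpack_from("<II", pe, dd)
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)]

    def off(rva):
        for _name, vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstr(rva):
        o = off(rva)
        return pe[o:pe.index(b"\0", o)].decode("ascii")

    if export_rva == 0:
        return {}
    (_c, _t, _maj, _min, _nm, _base, _nfuncs, nnames,
     aof, aon, aoo) = struct.unpack_from("<IIHHIIIIIII", pe, off(export_rva))
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", pe, off(aon) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", pe, off(aoo) + 2 * i)[0]   # index into AddressOfFunctions
        exports[cstr(name_rva)] = struct.unpack_from("<I", pe, off(aof) + 4 * ordinal)[0]
    return exports


def patched_exports(original: bytes, suspect: bytes, watch=("connect", "send")) -> dict:
    """Compare the backup the worm leaves (WSOCK32.SKA) with the live
    WSOCK32.DLL: return {name: (original_rva, current_rva)} for every watched
    export whose address-table entry now points somewhere else."""
    a, b = parse_exports(original), parse_exports(suspect)
    return {n: (a[n], b[n]) for n in watch if n in a and n in b and a[n] != b[n]}


if __name__ == "__main__":
    clean = build_export_dll({"connect": 0x1A00, "send": 0x1B20, "recv": 0x1C00})
    hooked = build_export_dll({"connect": 0x5000, "send": 0x5040, "recv": 0x1C00})
    for name, (was, now) in patched_exports(clean, hooked).items():
        print(f"{name}: export RVA changed {was:#x} -> {now:#x}")
```

On a real machine the two inputs are the bytes of \WINDOWS\SYSTEM\WSOCK32.SKA and \WINDOWS\SYSTEM\WSOCK32.DLL; any watched export whose RVA differs has been redirected. The description notes the redirected routines live inside the patched DLL, so the new RVAs will still resolve to some section of the modified file rather than pointing outside it, which is why the comparison is against the backup rather than a range check. Recovery is what the description prescribes: rename WSOCK32.SKA back over WSOCK32.DLL.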
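The mail-side indicators in the description are concrete: a second message with the same headers as the user's own, an "X-Spanska: YES" header that recipients normally never see, no body text, and the 10000-byte executable inline-uuencoded as Happy99.exe. The following is an added Python example for this page, not code from the mailing-list post or from Data Fellows: it builds such a message from a constructed 10000-byte stand-in payload (a fake MZ header plus padding, not the real worm) and then runs a gateway-style check over the raw message. The sender and recipient addresses and the `example.test` domain are invented; real 1999 mailers also folded long headers and used other encodings, which this simplified header parser does not handle.

```python
import binascii
import hashlib

# CONSTRUCTED stand-in for HAPPY99.EXE: a fake MZ header padded to the 10000
# bytes the description gives as the worm's size. It is not the real file.
FAKE_HAPPY99 = b"MZ" + b"\x90" * 9998


def uuencode(name: str, data: bytes, mode: int = 0o644) -> str:
    """Classic uuencode block ("begin <mode> <name>" ... "`" ... "end"), 45
    input bytes per line, the way 1990s mailers and newsreaders attached binaries."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]                   # zero-length data line, then terminator
    return "\n".join(lines)


def build_worm_style_message(sender: str, rcpt: str, subject: str, payload: bytes) -> str:
    """CONSTRUCTED example of the second message the description reports:
    same sender/recipient/subject as the user's own mail, an added
    'X-Spanska: YES' header, no body text, only the uuencoded Happy99.exe."""
    head = [f"From: {sender}", f"To: {rcpt}", f"Subject: {subject}", "X-Spanska: YES"]
    return "\n".join(head) + "\n\n" + uuencode("Happy99.exe", payload) + "\n"


def decode_uu_attachment(body: str):
    """Locate the first inline uuencode block in a message body and return
    (filename, decoded bytes, text_seen_before_it); (None, b"", text_seen)
    when the body carries no such block."""
    lines = body.split("\n")
    text_seen = False
    for i, line in enumerate(lines):
        if line.startswith("begin "):
            parts = line.split(" ", 2)
            name = parts[2] if len(parts) == 3 else ""
            data = bytearray()
            for enc in lines[i + 1:]:
                if enc == "end" or not enc:     # never feed "" to a2b_uu:
                    break                       # it decodes as 32 NUL bytes
                chunk = binascii.a2b_uu(enc)
                if not chunk:                   # "`" or " " line: end of data
                    break
                data += chunk
            return name, bytes(data), text_seen
        if line.strip():
            text_seen = True
    return None, b"", text_seen


def inspect_message(raw: str) -> dict:
    """Gateway-side check for the indicators the description gives. Any one
    strong indicator (the X-Spanska header, or an attachment named
    Happy99.exe) marks the message; a text-free body carrying a 10000-byte
    MZ image also trips it, which catches a renamed copy."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n"):               # simplified: no folded headers
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    name, data, text_seen = decode_uu_attachment(body)
    r = {"x_spanska": headers.get("x-spanska", "").upper() == "YES",
         "attachment": name,
         "size": len(data) if name is not None else None,
         "sha256": hashlib.sha256(data).hexdigest() if name is not None else None,
         "mz_payload": data[:2] == b"MZ",
         "text_before_attachment": text_seen}
    r["suspicious"] = (r["x_spanska"] or (name or "").lower() == "happy99.exe"
                       or (r["mz_payload"] and r["size"] == 10000 and not text_seen))
    return r


if __name__ == "__main__":
    msg = build_worm_style_message("alice@example.test", "bob@example.test",
                                   "hello", FAKE_HAPPY99)
    for key, value in inspect_message(msg).items():
        print(f"{key:24} {value}")
```

The hash field is there so a gateway can pin the exact binary once a real sample has been captured; the size and MZ rule is the fallback for copies that arrive under another name, since the description says the attachment is the worm's own executable image. Legitimate mail with a text body before a uuencoded binary is left alone by that rule.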



