Virus Information

Paul Prusakowski

Description

Title:

Virus Information

Creator:

Paul Prusakowski

Date:

4/11/1999

Text:

Hello,

This is the first time that our list has been exposed to a virus/worm. The
recent Melissa incident had definitely been an eye opener for all of us, and
hopefully encouraged you to all look into virus protection/removal software.

For those of you who are not fully informed, I would recommend that you
check out www.mcaffee.com to learn more about viruses and what you can do to
protect your computer and your files. There is a fully functional program
for you to download and evaluate. I would highly recommend that you do
that.

Norton also makes a very good product, and has a lot of great info at their
website which is www.norton.com.

The following is information that was posted at the Norton site regarding
the virus/worm that was introduced to our list.

Have a good day.

Paul E. Prusakowski, CPO
Moderator, OANDP-L
O&P Clinical Technologies
Gainesville, FL




  Happy99.Worm
VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: World Wide
Characteristics: Trojan Horse, Worm



Description:


This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file is
usually named HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled Happy New
Year 1999 !! showing a firework display to disguise its other actions. The
program copies itself as SKA.EXE and extracts a DLL that it carries as
SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered when a
connect or send activity is detected. When such online activity occurs, the
modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or
a new article with UUENCODED HAPPY99.EXE inserted into the email or article.
It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows start.


Removing the worm manually:


delete WINDOWS\SYSTEM\SKA.EXE
delete WINDOWS\SYSTEM\SKA.DLL
in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
delete the downloaded file, usually named HAPPY99.EXE
Windows prevents you to do step #3 and #4 above if the machine is still
connected to the Internet. The file windows\system\wsock32.dll is used
whenever the machine is connected to Internet (i.e. through dial-up or LAN
connection).


If you are using dial-up connection (i.e. America Online), you need to do
the following:


terminate internet connection
delete WINDOWS\SYSTEM\SKA.EXE
delete WINDOWS\SYSTEM\SKA.DLL
in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
delete the downloaded file, usually named HAPPY99.EXE

If you are connected to Internet through LAN (i.e. in the office or cable
modem), you need to do the following:


From the Start menu, select shutdown-restart in MS DOS mode
type CD \windows\system when DOS prompt (C:\)appears
type RENAME WSOCK32.DLL WSOCK32.BAK
type RENAME WSOCK32.SKA WSOCK32.DLL
type DEL SKA.EXE
type DEL SKA.DLL


Safe Computing:


This worm and other trojan-horse type programs demonstrate the need to
practice safe computing. One should not execute any executable-file
attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email or
a newsgroup article from an untrusted source.

Norton AntiVirus users can protect themselves from this virus by downloading
the current virus definitions either through LiveUpdate or from the
following webpage:

<URL Redacted>

Write-up by: Raul K. Elnitiarta
March 2, 1999

Citation

Paul Prusakowski, “Virus Information,” Digital Resource Foundation for Orthotics and Prosthetics, accessed November 2, 2024, https://library.drfop.org/items/show/211576.