|
Virus Alert!? |
||||||
|
The first
modern Internet Worm discovered in-the-wild The worm arrives as an attach in the e-mails as a HAPPY99.EXE file.
Note:the affected sender does know that the worm appends attaches on
sending.
When an infected attach is executed and gets control, the worm displays
a funny firework in a program's window to hide its malicious nature.
During that it installs itself into the system, hooks sendings to the
Internet, converts its code to the attach and appends it to the messages.
As a result Removal and Protection
If the worm is detected in your system you can easy get rid of it just
by deleting SKA.EXE and SKA.DLL files in the system Windows directory. You
also should delete the WSOCK32.DLL file and replace it with WSOCK32.SKA
original file. The original HAPPY99.EXE file should be also located and
deleted.
To protect your computer from re-infection you need just to set
Read-Only attribute for the WSOCK32.DLL file. The worm does not pay
attention to Read-Only mode, and fails to patch the file. This trick was
discovered by Peter Szor at DataFellows The special AVP update (HAPPY.AVC database) allows to stop worm
spreading and protect your computer from attach. It is distributed for
free and is available on the AVP Web sites on the world.
Easy to Remember
Do not open and do not execute the HAPPY99.EXE file that you have
received as an attach in any message ever if you get it from trusted
source. You should also remember: the files that you have got from
the Internet can contain malicious code that may infect your computer,
destroy the data, send confidential files to the Internet, or install spy
programs to monitor your computer from remote host.
Opening MS Office files with disabled VirusProtection and executing not
trusted executable files is extremely risky. You should remember about
that each time you see an attach in incoming message.
Technical Details
While installing the worm copies itself to the Windows system directory
with the SKA.EXE name and drops the additional SKA.DLL file in the same
directory. The worm then copies the WSOCK95.DLL with the WSOCK95.SKA name
(makes a "backup") and patches the WSOCK95.DLL file.
If the WSOCK32.DLL is in use and cannot be opened for writing, the worm
creates a new key in the system registry to run its dropper on next
rebooting:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The WSOCK32.DLL patch consists of a worm initialization routine and two
redirected exports. The initialization routine is just a small piece of
worm code - just 202 bytes. It is saved to the end of WSOCK32.DLL code
section (".text" section). The WSOCK95.DLL has enough of space for that,
and the size of WSOCK32.DLL does not increased during infection.
Then the worm patches the WSOCK32.DLL export tables so that two
functions ("connect" and "send") will point to the worm initialization
routine at the end of WSOCK32.DLL code section.
When a user is connecting to the Internet the WSOCK32.DLL is activated,
and the worm hooks two events: connection and data sending. The worm
monitors the nntp and email ports (25 and 119). When it detects connection
by one of these ports, it loads its SKA.DLL library that has two exports:
"mail" and "news". Depending on the port number the worm calls one of
these routines, but both of them create a new message, insert UUencoded
worm HAPPY99.EXE dropper into it, and send to the Internet
address. |
||||||
Happy99 Cleaner Version 2.0 Release date March 8, 1999 File size : 716K License : Free Minimum reqs. : Windows 95/98/NT Approx. download time : 3 min. at 28.8 kbps Download here ! : Happy99 Cleaner Description: This program will safely remove the Happy99 virus from your machine and (if applicable) show you a list of email addresses that you sent the virus to. It will not protect you from further infection--it will only remove the virus from your system. Thank you for the link to : Kathy Helpenstell (Customer of 281 Communications) |