vision2020

Re: virus



"B. J. Swanson" wrote:
> 
> Neither the McAfee nor the Command Virus check caught happy99.exe on my computer.
> Is there another virus checker that will work?  What does happy99 do?
> 
> B. J. Swanson
> Troy
> bjswan@moscow.com

It has no adverse effects, other than annoyance: however, it reportedly
has caused some e-mail servers to crash.

From the Norton Website:

Happy99.Worm
VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: US, Europe
Characteristics: Trojan Horse, Worm

Description:

This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file
is usually named HAPPY99.EXE in the email or article attachment.

When executed, the program also opens a window entitled "Happy New
Year 1999 !!" showing a firework display to disguise its other actions.
The program copies itself as SKA.EXE and extracts a DLL that it carries
as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL
in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered when
a connect or send activity is detected. When such online activity
occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates
a new email or a new article with UUENCODED HAPPY99.EXE inserted into
the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user
is online), the worm adds a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.


Removing the worm manually:

1. delete WINDOWS\SYSTEM\SKA.EXE
2. delete WINDOWS\SYSTEM\SKA.DLL
3. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
5. delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you from doing steps #3 and #4 above if the machine is
still connected to the Internet. The file "windows\system\wsock32.dll"
is in use whenever the machine is connected to the Internet (i.e. through
a dial-up or LAN connection).


If you are using a dial-up connection (e.g. America Online), you need to
do the following:

1. terminate the Internet connection
2. delete WINDOWS\SYSTEM\SKA.EXE
3. delete WINDOWS\SYSTEM\SKA.DLL
4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
5. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
6. delete the downloaded file, usually named HAPPY99.EXE


If you are connected to the Internet through a LAN (e.g. in the office or
via cable modem), you need to do the following:

1. From the Start menu, select shutdown-restart in MS DOS mode
2. type CD \windows\system when the DOS prompt (C:\) appears
3. type RENAME WSOCK32.DLL WSOCK32.BAK
4. type RENAME WSOCK32.SKA WSOCK32.DLL
5. type DEL SKA.EXE
6. type DEL SKA.DLL

Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to
practice safe computing. One should not execute any executable-file
attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email
or a newsgroup article from an untrusted source.

Norton AntiVirus users can protect themselves from this virus by
downloading the current virus definitions either through LiveUpdate or
from the following webpage:

http://www.symantec.com/avcenter/download.html

Write-up by: Raul K. Elnitiarta March 2, 1999 
***********************************************************************
Ron Force					rforce@uidaho.edu
Dean of Library Services			(208) 885-6534
University of Idaho				Moscow 83844-2350
************************************************************************
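
The two checks a practitioner would want from the write-up quoted above, as an added example that is not part of the original message or of Norton's write-up: a mail/news-side scan for the uuencoded HAPPY99.EXE attachment the worm posts, and a host-side clean-up that applies the manual removal steps in the documented order. It assumes a temporary POSIX directory as a stand-in for WINDOWS\SYSTEM, models the RunOnce key as a plain dict, and uses a constructed byte string as the attachment payload, not the worm.

```python
"""Happy99 (SKA) triage helpers. Added example; not Norton's or the list's code."""
import binascii
import os
import re
import tempfile

# Indicators taken from the Norton write-up.
DROPPED_FILES = ("SKA.EXE", "SKA.DLL")   # worm copy and its helper DLL
HOOKED_DLL = "WSOCK32.DLL"               # patched so connect/send load SKA.DLL
ORIGINAL_COPY = "WSOCK32.SKA"            # worm's copy of the clean WSOCK32.DLL
RUNONCE_VALUE = "SKA.EXE"                # HKLM\...\CurrentVersion\RunOnce=SKA.EXE
CARRIER_NAME = "HAPPY99.EXE"             # attachment name used in the mailings

_UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(.+?)\s*$", re.IGNORECASE)


def uuencoded_attachments(body):
    """Return [(filename, bytes)] for every uuencode block in a mail or news body."""
    found, name, chunks = [], None, []
    for line in body.splitlines():
        if name is None:                      # outside a block: look for "begin <mode> <name>"
            m = _UU_BEGIN.match(line)
            if m:
                name, chunks = m.group(1), []
            continue
        if line.strip() == "end":
            found.append((name, b"".join(chunks)))
            name = None
            continue
        if line:
            try:
                chunks.append(binascii.a2b_uu(line))   # the "`" pad line decodes to b""
            except binascii.Error:
                chunks.append(b"")                     # damaged line: skip it, keep scanning
    return found


def carries_happy99(body):
    """True when a uuencoded attachment is named HAPPY99.EXE.
    The name is the only indicator the write-up gives; a renamed copy slips past this."""
    return any(os.path.basename(n).upper() == CARRIER_NAME
               for n, _ in uuencoded_attachments(body))


def sample_message(payload=b"MZ\x90\x00 constructed stand-in, not the real worm"):
    """Constructed news article shaped like the worm's postings (payload is fake)."""
    lines = ["Subject: Happy New Year 1999 !!", "", "begin 644 " + CARRIER_NAME]
    for i in range(0, len(payload), 45):              # uuencode carries 45 bytes per line
        lines.append(binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end", ""]
    return "\n".join(lines)


def host_indicators(system_dir, runonce_values):
    """List what the write-up says the worm leaves behind.
    runonce_values stands in for the RunOnce key as a dict (assumption; off-box check)."""
    hits = [f for f in DROPPED_FILES + (ORIGINAL_COPY,)
            if os.path.exists(os.path.join(system_dir, f))]
    if any(v.upper().endswith(RUNONCE_VALUE) for v in runonce_values.values()):
        hits.append("RunOnce -> " + RUNONCE_VALUE)
    return hits


def clean_system_dir(system_dir):
    """Apply the manual removal steps in the write-up's order.
    On a real Win9x box this must run offline or from DOS, because Windows holds
    WSOCK32.DLL open while connected. Refuses to touch WSOCK32.DLL unless the worm's
    copy of the original exists, or the host would be left with no Winsock at all."""
    def p(name):
        return os.path.join(system_dir, name)
    if not os.path.exists(p(ORIGINAL_COPY)):
        raise RuntimeError(ORIGINAL_COPY + " missing: WSOCK32.DLL left untouched")
    for name in DROPPED_FILES:                        # steps 1-2: delete SKA.EXE, SKA.DLL
        if os.path.exists(p(name)):
            os.remove(p(name))
    if os.path.exists(p(HOOKED_DLL)):                 # step 3: WSOCK32.DLL -> WSOCK32.BAK
        os.replace(p(HOOKED_DLL), p("WSOCK32.BAK"))
    os.rename(p(ORIGINAL_COPY), p(HOOKED_DLL))        # step 4: WSOCK32.SKA -> WSOCK32.DLL
    return sorted(os.listdir(system_dir))


def demo():
    """Stage a constructed WINDOWS\\SYSTEM as the worm leaves it, then clean it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in ((HOOKED_DLL, b"patched wsock32"), (ORIGINAL_COPY, b"clean wsock32"),
                           ("SKA.EXE", b"worm"), ("SKA.DLL", b"helper")):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        before = host_indicators(tmp, {"ska": "SKA.EXE"})   # constructed RunOnce contents
        after = clean_system_dir(tmp)
        with open(os.path.join(tmp, HOOKED_DLL), "rb") as fh:
            restored = fh.read()
        return before, after, restored


def refuses_without_backup():
    """Edge case: WSOCK32.SKA already gone, so WSOCK32.DLL must be left in place."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, HOOKED_DLL), "wb") as fh:
            fh.write(b"patched wsock32")
        try:
            clean_system_dir(tmp)
            return False
        except RuntimeError:
            return os.path.exists(os.path.join(tmp, HOOKED_DLL))


if __name__ == "__main__":
    print("mail flagged:", carries_happy99(sample_message()))
    print("host:", demo(), "refused without backup:", refuses_without_backup())
```

The mail-side scan mirrors what a news or mail gateway could do with the write-up's one hard indicator; the host-side routine follows the same rename order as the DOS-mode instructions, with the backup check added because step 3 without step 4 leaves a machine with no working Winsock.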