Win32/Ska virus spreads via internet (aka HAPPY99.EXE)
Lucien (lucien@writeme.com)
Sun, 21 Feb 1999 18:46:22 -0800
Perhaps better recognised as HAPPY99.EXE.
It got me and I guess I passed it on to some of you folks.
Search for ska.??? plus visit the site, ok:
http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM
<HTML><HEAD><TITLE>Win32/Ska virus spreads via internet</TITLE></HEAD>
<BODY>
<H1>Ska Virus</H1>
This page has been translated into the following languages:
<UL>
<LI><A HREF=http://www.null.nu/happy99>Japanese</A>
</UL>
If you translated this information into another language,
please send the address of the site so I can add it to the list.
<H2>Information</H2>
This virus is attached to newsgroup and e-mail messages as an attachment
called Happy99.exe. <B>You cannot get infected with this virus just by reading
a newsgroup or e-mail message. You have to execute the attachment. Almost
always, the person who sent it does not know that they are sending it out.
It does not show up in their Outbox.</B>
If you execute an infected attachment, it
will display a fireworks display which looks like this:<P>
<IMG SRC=SKA.GIF>
<P>
It will create two files in the Windows System folder, SKA.EXE and SKA.DLL.
SKA.EXE will be a copy of HAPPY99.EXE.
It will make a backup of WSOCK32.DLL under the name of WSOCK32.SKA.
Then it will modify WSOCK32.DLL so it will try to access SKA.DLL while posting
to Usenet and sending E-Mail using the SMTP protocol. It does not modify any
other file besides WSOCK32.DLL.
WSOCK32.DLL is a regular part of Windows (the Winsock library) that programs
use to connect to the Internet. If it is
unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section
of the registry and WSOCK32.DLL will be modified next time the computer
starts. The modified WSOCK32.DLL will attach HAPPY99.EXE to a second copy of
outgoing newsgroup and e-mail messages. This second copy will have the
same subject and recipient, but it will have an empty body.
This virus will keep a list of
message recipients in the file LISTE.SKA in the Windows System folder. It
will not send the Happy99.exe file twice to the
same person.<P>
In my tests (sending an e-mail to myself :) this
virus attached itself to a second copy of the e-mail message, with no problems
and a barely noticeable delay.
The outgoing message contains the header
<PRE>X-Spanska: Yes</PRE> but this is normally not visible.<P>
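The indicators above (the <CODE>X-Spanska: Yes</CODE> header, an attachment named HAPPY99.EXE, and an empty body on the second copy) are enough for a mail administrator to hold these messages at the server. The following Python script is an added example and is not part of the original page; it uses only the standard library, and the two sample messages it contains are constructed for the demonstration (the base64 attachment body is a few placeholder bytes, not the real file).

```python
"""Flag mail carrying the Win32/Ska (Happy99) indicators described above.

Added example, not part of the original page. Only the Python standard
library is used; both sample messages below are constructed for the demo.
"""
import email
from email import policy

# Indicators taken from the page: the infected second copy of a message carries
# an "X-Spanska: Yes" header, an attachment named HAPPY99.EXE and an empty body.
SKA_HEADER = "X-Spanska"
SKA_ATTACHMENT = "HAPPY99.EXE"


def ska_indicators(raw: bytes) -> list:
    """Return the Ska indicators found in one raw RFC 822 message, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    if msg.get(SKA_HEADER, "").strip().lower() == "yes":
        found.append("header:X-Spanska")

    body_empty = True
    has_attachment = False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        filename = (part.get_filename() or "").upper()  # file names are case-insensitive
        if filename == SKA_ATTACHMENT:
            has_attachment = True
        elif part.get_content_type() == "text/plain" and part.get_content().strip():
            body_empty = False
    if has_attachment:
        found.append("attachment:HAPPY99.EXE")
    if has_attachment and body_empty:
        found.append("empty-body-with-executable")
    return found


def should_quarantine(raw: bytes) -> bool:
    """Either hard indicator (header or attachment name) is enough to hold the message."""
    return any(i.startswith(("header:", "attachment:")) for i in ska_indicators(raw))


# Constructed sample: an ordinary one-line message.
CLEAN_SAMPLE = b"\r\n".join([
    b"From: someone@example.invalid",
    b"To: friend@example.invalid",
    b"Subject: hello",
    b"MIME-Version: 1.0",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"Just saying hello.",
    b"",
])

# Constructed sample shaped like the second copy the modified WSOCK32.DLL sends:
# same subject and recipient, empty body, the dropper attached.
INFECTED_SAMPLE = b"\r\n".join([
    b"From: someone@example.invalid",
    b"To: friend@example.invalid",
    b"Subject: hello",
    b"X-Spanska: Yes",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="ska-demo"',
    b"",
    b"--ska-demo",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"",
    b"--ska-demo",
    b'Content-Type: application/octet-stream; name="Happy99.exe"',
    b'Content-Disposition: attachment; filename="Happy99.exe"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"TVqQAAMAAAAEAAAA//8AAA==",  # placeholder bytes, not the real dropper
    b"--ska-demo--",
    b"",
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        verdict = "quarantine" if should_quarantine(sample) else "deliver"
        print(label, ska_indicators(sample), verdict)
```

The empty-body check is reported separately because it is only a supporting signal: a legitimate message can also consist of nothing but an attachment, so on its own it should raise suspicion rather than block delivery.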
This virus does <STRONG>not</STRONG> steal passwords, as some sources have reported.
It does not contain any payload other than the fireworks display. However, it
could overload an e-mail server if a lot of copies get passed around. Also, since
it gets passed along a lot, a
different virus could attach to HAPPY99.EXE somewhere along the way.
Without SKA.DLL and SKA.EXE, the modified WSOCK32.DLL cannot perform any viral
action. However, using a modified WSOCK32.DLL <I>could</I> cause problems while
on the Internet. Restoring the original WSOCK32.DLL will correct these
problems.<P>
This virus does <STRONG>not</STRONG> affect Macs, DOS, Windows 3.x, OS/2,
Linux or WebTV. However, someone using one of those could pass it along
manually, for example by forwarding the message. Under Windows NT it will
create SKA.EXE, SKA.DLL, and WSOCK32.SKA but will fail to add itself to
the registry or modify
WSOCK32.DLL. If you have NT, you don't have to follow the removal steps.<P>
Some people have asked whether it is always called HAPPY99.EXE. This virus
doesn't contain any code to change the name. However, it would be simple for a
person to change it to anything they like.<P>
It contains the encrypted text:
<PRE>
"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
</PRE>
Spanska is the alias of a virus writer who has written several other viruses.
<H3><A HREF=DEF.HTM>Is it a virus, a worm, or a trojan? (Technical Discussion)</A></H3>
<H2>Removal</H2>
Steps marked optional are not absolutely necessary and are completely safe
to skip. If you're not comfortable with DOS, get someone knowledgeable to
help you with this. These steps should be safe,
even under unexpected circumstances, but I can't make guarantees. Perform
these at your own risk.<P>
<OL>
<LI>Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes.
It's important to exit Windows in order to be able to replace
the files that Windows normally has in use.
<LI>At the DOS prompt type this exactly and press enter at the end of each line:
<PRE>
CD \WINDOWS\SYSTEM
</PRE>
If that doesn't work, try
<PRE>
CD SYSTEM
</PRE>
<LI>Delete SKA.EXE and SKA.DLL by typing
<PRE>
DEL SKA.EXE
DEL SKA.DLL
</PRE>
If you get "File not found" you're either not infected or in the wrong
directory. Make sure you're in your Windows System directory; check to
see if you followed step 2 exactly.
<LI>Copy WSOCK32.SKA to WSOCK32.DLL by typing
<PRE>
COPY WSOCK32.SKA WSOCK32.DLL
</PRE>
Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL. Explanation:
WSOCK32.SKA is a backup of the original WSOCK32.DLL made by the virus. You
are replacing the modified DLL with the original.
<LI><I>Optional</I> Delete WSOCK32.SKA by typing
<PRE>
DEL WSOCK32.SKA
</PRE>
You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL.
Do <B>not</B> delete WSOCK32.SKA if you are unable to replace WSOCK32.DLL
with WSOCK32.SKA.
<LI>Return to Windows by typing
<PRE>
EXIT
</PRE>
<LI><I>Optional</I> Click Start, then Run, then type regedit in the text box, then click OK.
Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then
CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there.
Press delete and then click Yes. Close Regedit. Don't change anything else
without making a backup of the registry first. If you don't find SKA.EXE in
the registry, it doesn't mean you're not infected. SKA.EXE is only added to
the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run
it.
<IMG SRC=SKA2.GIF>
<LI><I>Optional</I> Choose Start, Programs, Accessories, Notepad, choose
File, then Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box.
Warn the people on the list, then delete LISTE.SKA.
Make it clear to the people you warn that they won't be infected
unless they ran happy99.exe, to avoid alarming them unnecessarily.
If you haven't sent out any infected e-mails, there won't be a LISTE.SKA.
<LI><I>Optional</I> Delete the HAPPY99.EXE file. The location
of HAPPY99.EXE will vary depending on where you saved it. You
can delete it simply by dragging it to the Recycle Bin from within Windows
or whatever method you prefer.
</OL>
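Once the steps above have been carried out, the same file names give a quick way to confirm the machine is actually clean. The Python script below is an added example, not the page's own code: given the path of the Windows System folder and the data values read from the RunOnce key, it looks for SKA.EXE and SKA.DLL, reports whether LISTE.SKA is still present, and, when WSOCK32.SKA exists, compares it against WSOCK32.DLL to confirm step 4 took effect. The folder contents in <CODE>demo()</CODE> are constructed stand-ins (the LISTE.SKA line format is assumed), and reading RunOnce with <CODE>winreg</CODE> on a live Windows machine is left to the caller.

```python
"""Post-removal check for the Win32/Ska (Happy99) host indicators described above.

Added example, not part of the original page. File names come from the page;
the folder contents built in demo() are constructed stand-ins.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def _find(folder: Path, name: str):
    """Case-insensitive lookup: DOS and Windows file names ignore case."""
    for p in folder.iterdir():
        if p.is_file() and p.name.upper() == name.upper():
            return p
    return None


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_system_folder(folder, runonce_values=()) -> dict:
    """Report Ska indicators in one Windows System folder.

    runonce_values: the data strings found under the registry key
    HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersion / RunOnce,
    read by the caller (e.g. with winreg on a live host).
    """
    folder = Path(folder)
    dropped = [n for n in ("SKA.EXE", "SKA.DLL") if _find(folder, n)]
    dll, backup = _find(folder, "WSOCK32.DLL"), _find(folder, "WSOCK32.SKA")
    if dll and backup:
        restored = _sha256(dll) == _sha256(backup)  # step 4 copied the backup back
    else:
        restored = None  # no backup (or no DLL) to compare against
    runonce_hit = any("SKA.EXE" in v.upper() for v in runonce_values)
    return {
        "dropped_files": dropped,
        "recipient_list_present": _find(folder, "LISTE.SKA") is not None,
        "wsock32_restored": restored,
        "runonce_ska": runonce_hit,
        "clean": not dropped and not runonce_hit and restored is not False,
    }


def demo():
    """Build a constructed System folder in the infected state, check it, apply
    removal steps 3 and 4 (delete SKA.*, copy WSOCK32.SKA over WSOCK32.DLL) and
    check again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp)
        original = b"constructed stand-in for the original WSOCK32.DLL"
        (sysdir / "WSOCK32.SKA").write_bytes(original)                  # backup made by the virus
        (sysdir / "WSOCK32.DLL").write_bytes(original + b" [modified]")  # patched DLL
        (sysdir / "SKA.EXE").write_bytes(b"constructed, not the real dropper")
        (sysdir / "SKA.DLL").write_bytes(b"constructed")
        (sysdir / "LISTE.SKA").write_bytes(b"friend@example.invalid\n")  # assumed format
        before = check_system_folder(sysdir, runonce_values=["C:\\WINDOWS\\SYSTEM\\SKA.EXE"])
        # Removal steps 3 and 4 from the page.
        (sysdir / "SKA.EXE").unlink()
        (sysdir / "SKA.DLL").unlink()
        shutil.copyfile(sysdir / "WSOCK32.SKA", sysdir / "WSOCK32.DLL")
        after = check_system_folder(sysdir, runonce_values=[])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before removal:", before)
    print("after removal: ", after)
```

A <CODE>wsock32_restored</CODE> value of <CODE>None</CODE> means there was no WSOCK32.SKA to compare against, which is the situation the linked WSOCK.HTM page covers; the check deliberately does not call the machine clean or dirty on that basis alone.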
<H3><A HREF=WSOCK.HTM>What if you have deleted WSOCK32.SKA before you restored WSOCK32.DLL?</A></H3>
<a href=mailto:stubbc@sk.sympatico.ca?subject=Win32/Ska>Click here if
you want to E-Mail me a question</A> or <a href=mailto:stubbc@sk.sympatico.ca?subject=Win32/Ska_No_Reply_Requested>here if you just have a comment.</A>
Please read this page carefully before e-mailing me a question. I don't
mind getting E-Mail, but I'm getting an unbelievable amount of e-mail on this
topic. If you're having trouble with the removal, make sure
you're following the steps exactly. The most common problem
is not following step 1, restarting in MS-DOS mode. Make sure you type the
instructions exactly including spaces and punctuation. You might want to
print out the removal instructions
so you have something to refer to. If you're having trouble with the DOS
commands, get a local person to help you with them. It's hard to know exactly
how you're typing the DOS commands and what your exact situation is over E-Mail.
<P>
You may copy or translate this information as long as you give
credit to the source. If you translate it, remove my e-mail address or make
it clear that I am only able to answer questions in English.<P>
<A HREF=http://www.geocities.com/SiliconValley/Heights/3652/F.HTM>Virus Page</A><BR>
<A HREF=http://www.geocities.com>Geocities</A>
</BODY></HTML>