

Sissyprissy
01-29-2000, 11:59 AM
When getting rid of a virus should I just have it deleted or change its name?
I'm not for sure what to do. It's the first time it ever scanned right. I had IBM AntiVirus protector. It never showed anything. I downloaded F-Prot 3.06c and it found three of them. They are
C:\WINDOWS\SYSTEM\WSOCK32.DLL
Infection: W95/Ska.10000.worm
C:\WINDOWS\SYSTEM\SKA.EXE
Infection: W95/Ska.10000.worm
C:\WINDOWS\SYSTEM\SKA.DLL
Infection: W95/Ska.10000.worm

How do I go about getting rid of them?
Thanks again. Could this be why I keep having errors (many of them) and my CD-ROM not working properly? I've asked questions on my CD-ROM before. I've changed the BIOS setting from CD-ROM,A,C to A,C,SCSI, or one other option was C: only. I'm not for sure if I should have the SCSI in there at all.
Thanks
Kim

Gene C.
01-29-2000, 02:25 PM
As me being the virus king getter, I would not trust F-Prot. I have it and it missed sometimes, and even the same with McAfee. I now use Norton 5.0 and have been fine so far. If you don't have anything except the IBM/F-Prot, you can go here and try the free on-line scan: http://www.mcafee.com/centers/clinic/start.asp?oemid=&area=scannow
Believe me, I've had boot viruses before and lost whole hard drives. And also turn off the preview pane in your e-mail and then don't open any you don't understand or know. Sometimes these things are time released too, so you never know.
Gene C.

golfcart
01-30-2000, 12:12 AM
Restart in DOS mode:

rename wsock32.dll to wsock32.old

rename wsock32.ska to wsock32.dll

delete ska.exe and ska.dll

This should successfully remove what you have. It's called Happy99.

Edit: after a successful reboot you can delete wsock32.old, which will probably still show as infected in the scan.


[This message has been edited by golfcart (edited 01-29-2000).]

scotter
01-30-2000, 12:38 AM
Profile

Name
W32/Ska

Aliases
Happy99, Happy99.exe, I-Worm.Happy, W32/Skanew

Variants
W32/Ska2K

Date Added
5/6/99

Information
Discovery Date: 1/27/99
Type: Virus
SubType: worm
Risk Assessment: High
Minimum DAT: 4012
Minimum Engine: 4.0.25


Characteristics
*Note this edition of the worm is only a minor variation of the original first identified in February 1999. This worm is detected with current DAT files. *

W32/Ska is a worm that was first posted to several newsgroups and has been reported to several of the AVERT Labs locations worldwide. When this worm is run it displays a message "Happy New Year 1999!!" and displays "fireworks" graphics. The posting on the newsgroups has led to its propagation. It can also spread on its own, as it can attach itself to a mail message and be sent unknowingly by a user.

The file may be received by email with a size of 10,000 bytes. The worm, if run, will patch WSOCK32.DLL to promote distribution by email on the host system if the email application supports SMTP email communication. If the host supports this environment, emails sent from the host will be followed by a second message with the worm either attached or included as MIME, such as this:

>X-Spanska: Yes
>
>begin 644 Happy99.exe
>M35I0`
`(````$``\`__\``+@`````````0``:``````````````````` `````
>M``````````````````````$``+H0``X?M`G-(;@!3,TAD)!4:&ES('!R;V=R


AVERT cautions all users who may receive the attachment via email to simply delete the mail and the attachment. The worm infects a system via email delivery and arrives as an attachment called Happy99.EXE. It is sent unknowingly by a user. When the program is run it deploys its payload, displaying fireworks on the user's monitor.

When HAPPY99.EXE is run it copies itself to Windows\System folder under the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL into the Windows\System folder if one does not already exist.

Note: Though the SKA.EXE file is a copy of the original, it does not run as the HAPPY99.EXE file does, so it does not copy itself again, nor does it display the fireworks on the user's monitor.

The worm then checks for the existence of WSOCK32.SKA in the Windows\System folder; if it does not exist and the file WSOCK32.DLL does exist, it copies WSOCK32.DLL to WSOCK32.SKA as a backup copy.

The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ Ska.exe="Ska.exe"

- which will execute SKA.EXE the next time the system is restarted. When this happens the worm patches WSOCK32.DLL and adds hooks to the exported functions EnumProtocolsW and WSAAsyncGetProtocolByName.

The patched code calls two exported functions in SKA.DLL called mail and news, these functions allow the worm to attach itself to SMTP e-mail and also to any postings to newsgroups the user makes (NNTP).


Symptoms
Existence of the files HAPPY99.EXE, SKA.EXE, SKA.DLL and WSOCK32.SKA on the local system - modifications to the system registry as mentioned above - email mailings as mentioned above.


Method Of Infection
Running the executable will patch WSOCK32.DLL with two routines to assist spreading by distributing by SMTP/NNTP transfers.


Removal Instructions
Use specified engine and DAT files for detection. Removal requires manual operation: You will need to reboot to MS-DOS mode as WSOCK32.DLL cannot be changed under Windows. "SHUTDOWN | RESTART TO MSDOS MODE" and when at the command prompt, type in these instructions:

CD C:\WINDOWS\SYSTEM
REN WSOCK32.DLL WSOCK32.BAD
REN WSOCK32.SKA WSOCK32.DLL
DEL SKA.EXE
DEL SKA.DLL
COPY LISTE.SKA C:\


The above is sufficient to stop the worm from working. To restart Windows, type EXIT. Note that the file LISTE.SKA contains a listing of persons who have received the HAPPY99.EXE file unsolicited from you. It would be good netiquette to inform them of this misdeed and forward them the


YOU SHOULD ALSO GO INTO THE REG AND DELETE THE REG ENTRY
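As an added defender-side example (not code from this thread, from golfcart, or from the AVERT/McAfee profile), the script below turns the indicators listed above into checks a responder can run before following golfcart's removal steps: the symptom files in Windows\System, the Ska.exe value under the RunOnce key, and the X-Spanska header / uuencoded Happy99.exe in the piggy-back message. The directory listing, REGEDIT4-style export and mail message it uses are constructed samples.

```python
# Added defender-side triage for W32/Ska (Happy99): checks the indicators the
# AVERT profile lists. Not code from the forum thread or from AVERT/McAfee;
# the sample listing, registry export and mail below are constructed.
import re
from email import message_from_string

# File names the profile lists as symptoms (FAT/NTFS names are case-insensitive).
SKA_FILES = {"HAPPY99.EXE", "SKA.EXE", "SKA.DLL", "WSOCK32.SKA"}
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def check_system_dir(listing):
    """Return the symptom files present in a Windows\\System directory listing."""
    return sorted(SKA_FILES & {name.upper() for name in listing})


def check_registry_export(reg_text):
    """True if a REGEDIT4-style text export shows Ska.exe under RunOnce."""
    in_runonce = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_runonce = line.strip("[]").lower() == RUNONCE_KEY.lower()
        elif in_runonce and re.match(r'"ska\.exe"\s*=', line, re.I):
            return True
    return False


def check_mail(raw_message):
    """Reasons an outgoing message looks like the worm's piggy-back message:
    the X-Spanska header and/or a uuencoded Happy99.exe in the body."""
    msg = message_from_string(raw_message)
    reasons = []
    if msg.get("X-Spanska", "").strip().lower() == "yes":
        reasons.append("X-Spanska header")
    body = "" if msg.is_multipart() else msg.get_payload()
    if re.search(r"^begin \d{3} happy99\.exe$", body, re.I | re.M):
        reasons.append("uuencoded Happy99.exe")
    return reasons


# Constructed sample inputs for a quick self-check.
SAMPLE_LISTING = ["KERNEL32.DLL", "wsock32.dll", "ska.exe", "SKA.DLL", "wsock32.ska"]
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Ska.exe"="Ska.exe"
"""
SAMPLE_MAIL = ("From: kim@example.invalid\nTo: pal@example.invalid\n"
               "Subject: hello\nX-Spanska: Yes\n\nbegin 644 Happy99.exe\nM35I0`\nend\n")
```

A listing that returns WSOCK32.SKA alongside SKA.EXE and SKA.DLL is the state in which golfcart's rename/delete sequence applies; a clean registry check after the reboot confirms the RunOnce entry is gone.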