-
WARNING! - Happy99.exe - A WORM
I received an email from one of the readers of this bbs. At the same time, another email shows up from the same email address with an attached file - HAPPY99.EXE.
Please be aware that this is a trojan program that will replace your WSOCK32.DLL and will replicate itself by sending email without you knowing about it.
Article is found from Norton AntiVirus site
symantec.com/avcenter/venc/data/happy99.worm.html
If anyone received an email, be very cautious if there's an attached EXE file.
I replied to the email with a warning about the trojan and how to get rid of it.
[This message has been edited by Isos (edited 02-21-99).]
-
-
yeah I got it twice last month.
Doesn't do anything damaging but it is a potential and it is a pain in the ***. Heard it is all over the usenet. I first got it from a seller at e-bay! Then from d/l on usenet
-
NAME: Win32/Ska.A
ALIAS: Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA
SIZE: 10000
Win32/Ska.A is a Win32-based e-mail and newsgroup worm. It displays fireworks when executed first time as Happy99.exe. (Normally this file arrives as an e-mail attachment to a particular PC, or it is downloaded from a newsgroup.)
When executed first time, it creates SKA.EXE and SKA.DLL in the system directory. SKA.EXE is a copy of HAPPY99.EXE. SKA.DLL is packed inside SKA.EXE. After this Ska creates a copy of WSOCK32.DLL as WSOCK32.SKA in the system directory. Then it tries to patch WSOCK32.DLL so that its export entries for two functions will point to new routines (to the worm's own functions) inside the patched WSOCK32.DLL. If WSOCK32.DLL is in use, Ska.A modifies the registry's RunOnce entry to execute SKA.EXE during next boot-up. (When executed as SKA.EXE it does not display the firework, just tries to patch WSOCK32.DLL until it is not used.)
"Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the worm is able to see if the local user has any activity on network. When "Connect" or "Send" APIs are called, Ska loads its SKA.DLL containing two exports: "news" and "mail".
Then it spams itself to the same newsgroups or same e-mail addresses where the user was posting or mailing to. It maps SKA.EXE to memory and converts it to uuencoded format and mails an additional e-mail or newsgroup post with the same header information as the original message but containing no text but just an attachment called Happy99.exe.
Therefore Happy99 is not limited like the Win32/Parvo virus which is unable to use a particular news server when the user does not have access to it. The worm also maintains a list of addresses it has posted a copy of itself. This is stored in a file called LISTE.SKA. (The number of entries are limited in this file.)
The worm contains the following encrypted text which is not displayed:
Is it a virus, a worm, a trojan?
MOUT-MOUT Hybrid (c) Spanska 1999.
The mail header of the manipulated mails will contain a new field called "X-Spanska: YES". Normally this header field is not visible to receivers of the message.
Since the worm does not check WSOCK32.DLL's attribute, it can not patch it if it is set to read only.
[Analysis: Peter Szor, Data Fellows]
I only hope you can pass this on to whomever, I removed all files related to the above, and I believe and hope it's gone. I did not intend to damage a bbs that I in fact enjoy to read!! but now after this I may refrain from involving myself with your organization. I even asked about where I could donate to your efforts, but after this most likely not.
Thank you for your time
martyvh@asapnet.net
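
The indicators named in the analysis above (the "X-Spanska: YES" header, a message with no text and only a Happy99.exe attachment, and the SKA files in the system directory) can be checked mechanically. This is an added example, not part of the original thread or of the quoted analysis; the function names and the sample message are constructed, and it assumes the attachment is uuencoded inline in a non-multipart body.

```python
import email
import os
import re

# File names the analysis says the worm leaves in the system directory.
HOST_ARTIFACTS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")
# First line of a uuencoded attachment: "begin <mode> <filename>".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)[ \t]*\r?$", re.MULTILINE)

# Constructed sample message; the uuencoded payload is the harmless text "Cat".
SAMPLE = (
    "From: sender@example.com\n"
    "To: reader@example.com\n"
    "Subject: constructed sample\n"
    "X-Spanska: YES\n"
    "\n"
    "begin 644 Happy99.exe\n"
    "#0V%T\n"
    "end\n"
)

def check_message(raw):
    """Return the Happy99 traits found in one raw mail or news message."""
    msg = email.message_from_string(raw)
    findings = []
    # Header lookup is case-insensitive; most mail clients hide this field.
    if (msg.get("X-Spanska") or "").strip().upper() == "YES":
        findings.append("x-spanska-header")
    # Assumption: inline uuencode in a plain body, so multipart is skipped.
    body = "" if msg.is_multipart() else msg.get_payload()
    for m in UU_BEGIN.finditer(body):
        if m.group(1).lower() == "happy99.exe":
            findings.append("uuencoded-happy99.exe")
            # The worm's copy carries no text, only the attachment.
            if not body[:m.start()].strip():
                findings.append("no-text-before-attachment")
            break
    return findings

def check_system_dir(path):
    """Return the worm file names present in a directory (case-insensitive)."""
    present = {name.upper() for name in os.listdir(path)}
    return [name for name in HOST_ARTIFACTS if name in present]

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

WSOCK32.SKA is the worm's copy of the original WSOCK32.DLL, so finding it in check_system_dir output also tells you where the unpatched library is.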
-
For one free solution if you get the Virus...FTL http://www.nsclean.com/socklock.html
[This message has been edited by LED (edited 03-02-99).]
-
I got the same thing from a member of this BBS but I have made it a practice never to open a zipped file from an E-Mail without scanning it first. I complained to his ISP but he is still posting on here.
You must have made him mad trying to help him with a screwy problem that he had and he did not like your answer.
Bud