Was this "Happy 99" posted to cavers? I did not receive my copy, not that I would want it. So I now have to ask if this indeed made it to the list.

At 12:22 PM 2/10/99 PST, you wrote:
>Here is the virus alert from McAfee.
>
>Carl is skip another candidate for the dumpster???
>
>Scott
>------
>AVERT - A Division of NAI Labs
>Virus Name: W32/Ska (a.k.a. Happy99.exe)
>
>This page last updated 2/1/99
>
>W32/Ska is a worm that was first posted to several newsgroups and has been reported to several of the AVERT Labs locations worldwide. When this worm is run it displays a message "Happy New Year 1999!!" and displays "fireworks" graphics. The posting on the newsgroups has led to its propagation. It can also spread on its own, as it can attach itself to a mail message and be sent unknowingly by a user. Because of this attribute it is also considered to be a worm.
>
>AVERT cautions all users who may receive the attachment via email to simply delete the mail and the attachment.
>
>The worm infects a system via email delivery and arrives as an attachment called Happy99.EXE. It is sent unknowingly by a user. When the program is run it deploys its payload displaying fireworks on the user's monitor.
>
>Note: At this time no destructive payload has been discovered.
>
>When the Happy.EXE is run it copies itself to Windows\System folder under the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL into the Windows\System folder if one does not already exist.
>
>Note: Though the SKA.EXE file is a copy of the original it does not run as the Happy.EXE file does, so it does not copy itself again, nor does it display the fireworks on the user's monitor.
>
>The worm then checks for the existence of WSOCK32.SKA in the Windows\System folder, if it does not exist and the file WSOCK32.DLL does exist, it copies the WSOCK32.DLL to WSOCK32.SKA.
>
>The worm then creates the registry entry -
>
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"
>
>- which will execute SKA.EXE the next time the system is restarted. When this happens the worm patches WSOCK32.DLL and adds hooks to the exported functions EnumProtocolsW and WSAAsyncGetProtocolByName.
>
>The patched code calls two exported functions in SKA.DLL called mail and news, these functions allow the worm to attach itself to SMTP e-mail and also to any postings to newsgroups the user makes.
>--
>Visit the Eco-Blue Divers Homepage at
>http://www.geocities.com/RainForest/Canopy/5449/index.html
>______________________________________________________
>Get Your Private, Free Email at http://www.hotmail.com
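A triage check built from the file artifacts listed in the quoted alert, added here as an example and not part of the original message or the AVERT alert. It assumes WSOCK32.SKA is an unmodified copy of the original WSOCK32.DLL, as the alert describes, so a mismatch between the two means the post-restart patch has run; the function names and the sample folders (placeholder bytes) are constructed for illustration, and the RunOnce registry entry is not checked.

```python
import filecmp
import tempfile
from pathlib import Path

WORM_FILES = ("SKA.EXE", "SKA.DLL")          # dropped files named in the alert
BACKUP, LIVE = "WSOCK32.SKA", "WSOCK32.DLL"  # backup copy and the patched target

def find_ci(folder, name):
    """Return the file matching `name` case-insensitively, as Windows would."""
    return next((e for e in folder.iterdir()
                 if e.is_file() and e.name.lower() == name.lower()), None)

def triage(system_dir):
    """Classify a Windows System folder as clean, staged or patched."""
    folder = Path(system_dir)
    found = [n for n in (*WORM_FILES, BACKUP) if find_ci(folder, n)]
    backup, live = find_ci(folder, BACKUP), find_ci(folder, LIVE)
    if not found:
        state = "clean"
    elif backup and live and not filecmp.cmp(backup, live, shallow=False):
        # Live DLL no longer matches its backup: the post-restart patch ran.
        state = "patched"
    else:
        # Artifacts present, but WSOCK32.DLL still equals its backup (or one is missing).
        state = "staged"
    return state, found

def demo():
    """Build constructed sample folders and triage each one."""
    samples = {
        "clean": {"wsock32.dll": b"orig"},
        "staged": {"wsock32.dll": b"orig", "Wsock32.ska": b"orig",
                   "Ska.exe": b"x", "Ska.dll": b"y"},
        "patched": {"WSOCK32.DLL": b"orig+hook", "WSOCK32.SKA": b"orig",
                    "SKA.EXE": b"x", "SKA.DLL": b"y"},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in samples.items():
            d = Path(tmp, label)
            d.mkdir()
            for name, data in files.items():
                (d / name).write_bytes(data)
            results[label] = triage(d)
    return results

if __name__ == "__main__":
    for label, (state, found) in demo().items():
        print(f"{label}: {state} {found}")
```

On a "patched" result, WSOCK32.SKA is the copy to compare against a known-good WSOCK32.DLL before restoring anything.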