Mailing List Archive

Mailing List: cavers


Date: Wed, 10 Feb 1999 16:29:04 -0500
To: cavers@cavers.com
From: Charles Ayash <cagraphics@mi*.co*>
Subject: Re: Virus from Skip MacElhannon
Was this "Happy 99" posted to cavers?
I did not receive my copy, not that I would want it.
So I now have to ask if this indeed made it to the list.


At 12:22 PM 2/10/99 PST, you wrote:
>Here is the virus alert from McAfee.
>
>Carl, is Skip another candidate for the dumpster???
>
>Scott
>------
>AVERT - A Division of NAI Labs
>Virus Name: W32/Ska (a.k.a. Happy99.exe)
>
>This page last updated 2/1/99
>
>
>W32/Ska is a worm that was first posted to several newsgroups and has 
>been reported to several of the AVERT
>Labs locations worldwide. When this worm is run it displays a message 
>"Happy New Year 1999!!" and displays
>"fireworks" graphics. The posting on the newsgroups has led to its 
>propagation. It can also spread on its own, as it
>can attach itself to a mail message and be sent unknowingly by a user. 
>Because of this attribute it is also considered to be a worm.
>
>AVERT cautions all users who may receive the attachment via email to 
>simply delete the mail and the attachment. 
>
>The worm infects a system via email delivery and arrives as an 
>attachment called Happy99.EXE. It is sent
>unknowingly by a user. When the program is run it deploys its payload 
>displaying fireworks on the user's monitor. 
>
>Note: At this time no destructive payload has been discovered.
>
>When the Happy.EXE is run it copies itself to Windows\System folder 
>under the name SKA.EXE. It then extracts,
>from within itself, a DLL called SKA.DLL into the Windows\System folder 
>if one does not already exist. 
>
>Note: Though the SKA.EXE file is a copy of the original it does not 
>run as the Happy.EXE file does, so it does
>not copy itself again, nor does it display the fireworks on the user's 
>monitor.
>
>The worm then checks for the existence of WSOCK32.SKA in the 
>Windows\System folder; if it does not exist and
>the file WSOCK32.DLL does exist, it copies the WSOCK32.DLL to 
>WSOCK32.SKA.
>
>The worm then creates the registry entry -
>
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"
>
>- which will execute SKA.EXE the next time the system is restarted. When 
>this happens the worm patches
>WSOCK32.DLL and adds hooks to the exported functions EnumProtocolsW and 
>WSAAsyncGetProtocolByName. 
>
>The patched code calls two exported functions in SKA.DLL called mail and 
>news, these functions allow the worm to
>attach itself to SMTP e-mail and also to any postings to newsgroups the 
>user makes.
>--
>Visit the Eco-Blue Divers Homepage at
>http://www.geocities.com/RainForest/Canopy/5449/index.html
>______________________________________________________
>Get Your Private, Free Email at http://www.hotmail.com
>

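The artefact chain the quoted AVERT text lays out (SKA.EXE and SKA.DLL dropped into Windows\System, the RunOnce value, and the WSOCK32.SKA backup taken before WSOCK32.DLL is patched) can be turned into a host check. The following is an added example, not code from the list or from AVERT: it assumes a stand-in directory for Windows\System and a dict of name/data pairs already read from the RunOnce key, and it builds its own constructed placeholder files (not the worm) for the three states it recognises.

```python
import hashlib
import tempfile
from pathlib import Path

# Artefacts named in the quoted AVERT write-up of W32/Ska (Happy99).
DROPPED_FILES = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")
RUNONCE_VALUE = "Ska.exe"   # HKLM\...\CurrentVersion\RunOnce\Ska.exe = "Ska.exe"


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_ska(system_dir, runonce_values):
    """Look for the W32/Ska chain in a directory standing in for Windows\\System
    plus the name->data pairs read from the RunOnce key (both are assumptions)."""
    # Windows file names are case-insensitive, so compare upper-cased names.
    files = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings = {
        "dropped_files": sorted(n for n in DROPPED_FILES if n in files),
        "runonce_persistence": RUNONCE_VALUE.lower() in {k.lower() for k in runonce_values},
        "wsock32_patched": None,   # unknown until both the DLL and its backup exist
    }
    if "WSOCK32.DLL" in files and "WSOCK32.SKA" in files:
        # The worm saves the original WSOCK32.DLL as WSOCK32.SKA before patching
        # it on the next reboot, so differing hashes mean the hooked DLL is live
        # and WSOCK32.SKA is the clean copy to restore from.
        findings["wsock32_patched"] = (
            _sha256(files["WSOCK32.DLL"]) != _sha256(files["WSOCK32.SKA"]))
    findings["infected"] = bool(findings["dropped_files"]) or findings["runonce_persistence"]
    return findings


def build_sample(stage):
    """Create a throwaway directory of constructed placeholder files mimicking
    'clean', 'dropped' (Happy99 ran once) or 'patched' (SKA.EXE ran from RunOnce
    and modified WSOCK32.DLL). Nothing here is the real worm."""
    root = Path(tempfile.mkdtemp(prefix="ska_demo_"))
    original = b"CONSTRUCTED-WSOCK32-DLL-IMAGE"
    (root / "WSOCK32.DLL").write_bytes(original)
    if stage in ("dropped", "patched"):
        (root / "SKA.EXE").write_bytes(b"placeholder")
        (root / "SKA.DLL").write_bytes(b"placeholder")
        (root / "WSOCK32.SKA").write_bytes(original)   # backup of the clean DLL
    if stage == "patched":
        (root / "WSOCK32.DLL").write_bytes(original + b"+HOOKED-EXPORTS")
    return root


if __name__ == "__main__":
    for stage, runonce in (("clean", {}), ("dropped", {"Ska.exe": "Ska.exe"}), ("patched", {})):
        print(stage, check_ska(build_sample(stage), runonce))
```

On a real host the same logic would read Windows\System and the RunOnce key directly; the "patched" state with an empty RunOnce dict is what a machine looks like after the reboot has consumed the RunOnce value.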