
Re: Virus

WhaleOilBeefHooked wrote:

> *snip*
>
> Sort of - happy99.exe is a trojan program, and it installs Back Orifice on
> your computer, allowing anyone else with BO to obtain access into your
> computer whilst you are connected to the net, without your knowledge. Once
> in, they can do all sorts of things, such as open and close your CD-ROM
> drawer, and other things to amuse themselves. They can also be destructive,
> and delete files (or copy files, including password files).
>

Wrong!

Happy99.exe, which, if you remember, I had during Feb this year, is a WORM virus. It
duplicates itself, it duplicates your email and posts a copy of itself
(Happy99.exe) as an attachment to every email you send.

The description is as follows:

F-Secure Virus Information Pages

NAME:  Ska
ALIAS: Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA, Happy
SIZE:  10000

Win32/Ska.A is a Win32-based e-mail and newsgroup worm. It displays fireworks when executed for the first time as Happy99.exe. (Normally this file arrives as an e-mail attachment to a particular PC, or it is downloaded from a newsgroup.)

When the Happy99.exe file has been executed, every e-mail and newsgroup posting sent from the machine will cause a second message to be sent. This will contain the same sender and recipient information but contains no text, just the Happy99.exe file itself as an attachment.

Since people will usually receive Happy99.exe from someone they know (as you normally get e-mail from someone you know), people tend to trust this attachment and run it.

When executed for the first time, it creates SKA.EXE and SKA.DLL in the system directory. SKA.EXE is a copy of HAPPY99.EXE. SKA.DLL is packed inside SKA.EXE. After this, Ska creates a copy of WSOCK32.DLL as WSOCK32.SKA in the system directory. Then it tries to patch WSOCK32.DLL so that its export entries for two functions will point to new routines (the worm's own functions) inside the patched WSOCK32.DLL. If WSOCK32.DLL is in use, Ska.A modifies the registry's RunOnce entry to execute SKA.EXE during the next boot-up. (When executed as SKA.EXE it does not display the fireworks; it just tries to patch WSOCK32.DLL until it is no longer in use.)

The "Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the worm is able to see if the local user has any activity on the network. When the "Connect" or "Send" APIs are called, Ska loads its SKA.DLL, which contains two exports: "news" and "mail".

Then it spams itself to the same newsgroups or the same e-mail addresses the user was posting or mailing to. It maps SKA.EXE into memory, converts it to uuencoded format and mails an additional e-mail or newsgroup post with the same header information as the original message but containing no text, just an attachment called Happy99.exe.

Therefore Happy99 is not limited like the Win32/Parvo virus, which is unable to use a particular news server when the user does not have access to it. The worm also maintains a list of addresses it has posted a copy of itself to. This is stored in a file called LISTE.SKA. (The number of entries in this file is limited.)

The worm contains the following encrypted text, which is not displayed:

    Is it a virus, a worm, a trojan?
    MOUT-MOUT Hybrid (c) Spanska 1999.

The mail header of the manipulated mails will contain a new field called "X-Spanska: YES". Normally this header field is not visible to receivers of the message.

Since the worm does not check WSOCK32.DLL's attributes, it cannot patch it if it is set to read-only.

Please note that after disinfection of this worm you will have to rename WSOCK32.SKA back to WSOCK32.DLL in the \WINDOWS\SYSTEM folder to restore all original Winsock internet capabilities.

Happy99 does not replicate under Windows NT.

Go here if you have problems:
http://www.datafellows.com/v-descs/ska.htm

30-day trial, but it gets rid of it for you :)

>
> > Suggest you all delete any mail you get from this source.  (BTW, I'd
> expect
> > a genuine Canadian to be in the .ca domain!)
>
> I never open any .exe file unless it is from a reliable source. Even then, I
> have my virus scanner to check it. Most anti-virus programs these days check
> for BO.
>
> btw, I am in Australia, and my email address is @umpires.com - so just
> because there is no country domain does not mean they are not in Canada. The
> lack of a country domain could be anywhere in the world, not necessarily in
> the United States (which has a rarely used .us)
>
> DaveP

--
Thanks,

Tony Gatt.

________________________________________________________

  Never be afraid to try something new.
  Remember, amateurs built the ark.
  Professionals built the Titanic.
________________________________________________________

Personal Website: http://homepages.tig.com.au/~baulko/
Railway Website:   http://www.railpage.org.au/railpix/
________________________________________________________
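The mail-side indicators in the F-Secure description quoted above (the added "X-Spanska: YES" header, the empty body, and the uuencoded Happy99.exe attachment) turned into a message check. This is an added example, not part of the original post or of F-Secure's material; the sample message is constructed and the uuencode payload line is a placeholder.

```python
import email
import re
from email import policy

# Indicators from the F-Secure Ska description above: an added "X-Spanska: YES"
# header, an empty body, and a uuencoded attachment called Happy99.exe.
WORM_HEADER = "X-Spanska"
WORM_ATTACHMENT = "happy99.exe"
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)\s*$", re.I | re.M)


def happy99_indicators(raw_message: str) -> list:
    """Return the Ska/Happy99 indicators present in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if msg.get(WORM_HEADER, "").strip().upper() == "YES":
        hits.append("x-spanska-header")
    has_text, attachment = False, False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if (part.get_filename() or "").lower() == WORM_ATTACHMENT:
            attachment = True  # MIME attachment named Happy99.exe
        elif part.get_content_type() == "text/plain":
            text = part.get_content()
            m = UU_BEGIN.search(text)
            if m and m.group(1).lower() == WORM_ATTACHMENT:
                attachment = True  # inline uuencode, the form the worm sends
                text = text[:m.start()]  # only text before the uuencode counts
            if text.strip():
                has_text = True
    if attachment:
        hits.append("happy99-attachment")
        if not has_text:
            hits.append("empty-body")  # a worm copy carries no text at all
    return hits

# Constructed sample of a worm-generated copy (placeholder, not real worm bytes).
WORM_COPY = """From: alice@example.org
To: bob@example.net
Subject: Re: Virus
X-Spanska: YES

begin 644 Happy99.exe
M(constructed placeholder line, not real worm bytes)
`
end
"""
```

A normal reply with text and no such attachment returns an empty list, while a MIME message that merely carries a file named Happy99.exe alongside real text is flagged for the attachment only.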