
Re: Happy99 -- how do you know you have it? (was RE: guillotine info wanted)



The following is all the info posted about the SKA virus, including its
removal. This info comes from
www.GeoCities.com/SiliconValley/Heights/3652/SKA.HTM

It will create two files in the Windows System folder, SKA.EXE and SKA.DLL.
SKA.EXE will be a copy of HAPPY99.EXE. It will copy the original WSOCK32.DLL
to WSOCK32.SKA. Then it will modify WSOCK32.DLL without changing its size so
it will try to run SKA.DLL while posting to Usenet and sending E-Mail. The
SKA.DLL file will silently attach HAPPY99.EXE to a second copy of outgoing
newsgroup and e-mail messages with a barely noticeable delay. This second
copy will have the same subject and recipient, but it will have an empty
body. The outgoing message will contain the header

X-Spanska: Yes
but this is normally not visible.
It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a
regular part of Windows that provides a connection to the Internet. If it
is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce
section of the registry and WSOCK32.DLL will be modified next time the
computer starts. It will still create WSOCK32.SKA even if it is unable to
modify WSOCK32.DLL. This virus will keep a list of message recipients in the
file LISTE.SKA in the Windows System folder. It will try not to send the
Happy99.exe file twice to the same person.

This virus does not steal passwords, as some sources have reported. It does
not contain any payload other than the fireworks display. However, it could
overload an e-mail server if a lot of copies get passed around. Also, since
it gets passed along a lot, a different virus could attach to HAPPY99.EXE
somewhere along the way. Without SKA.DLL and SKA.EXE, the modified
WSOCK32.DLL cannot perform any viral action. However using a modified
WSOCK32.DLL could cause problems while on the Internet. The most common
problem that has been reported is invalid page faults, but these can have
other causes. Restoring the original WSOCK32.DLL will correct these
problems.

This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV.
However, someone using one of those could pass it along manually, for
example by forwarding the message. Under Windows NT it will create SKA.EXE,
SKA.DLL, and WSOCK32.SKA but will fail to add itself to the registry or
modify WSOCK32.DLL. If you have NT, you don't have to follow the removal
steps; you can simply delete SKA.DLL and SKA.EXE from inside Windows NT if
you would like.

Some people have asked whether it is always called HAPPY99.EXE. This virus
doesn't contain any code to change the name. However, it would be simple for
a person to change it to anything they like.

It contains the encrypted text:

"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
Spanska is the alias of a virus writer who has written several other
viruses.
Is it a virus, a worm, or a trojan? (Technical Discussion)
Removal
Steps marked optional are not absolutely necessary and are completely safe
to skip. If you're not comfortable with DOS, get someone knowledgeable to
help you with this. These steps should be safe, even under unexpected
circumstances, but I can't make guarantees. Perform these at your own risk.
If you have Windows NT, you don't have to follow the removal steps.

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then
   click Yes. It's important to exit Windows in order to be able to replace
   the file WSOCK32.DLL which Windows normally has in use.

2. At the DOS prompt type this exactly and press enter at the end of each
   line:

       CD \WINDOWS\SYSTEM

   If that doesn't work, try

       CD SYSTEM

3. Delete SKA.EXE and SKA.DLL by typing

       DEL SKA.EXE
       DEL SKA.DLL

   If you get "File not found" you're either not infected or in the wrong
   directory. Make sure you're in your Windows System directory; check to see
   if you followed step 2 exactly.

4. Copy WSOCK32.SKA to WSOCK32.DLL by typing

       ATTRIB -R WSOCK32.DLL
       COPY WSOCK32.SKA WSOCK32.DLL

   Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL. Explanation:
   WSOCK32.SKA is a backup of the original WSOCK32.DLL. You are replacing the
   modified DLL with the original. If you get a "Sharing violation" make sure
   you followed step 1.

5. (Optional) Delete WSOCK32.SKA by typing

       DEL WSOCK32.SKA

   You can leave WSOCK32.SKA on your system. It is a copy of your original
   WSOCK32.DLL. Do not delete WSOCK32.SKA if you are unable to replace
   WSOCK32.DLL with WSOCK32.SKA.

6. Return to Windows by typing

       EXIT

7. (Optional) Click Start, then Run, then type regedit in the text box, then
   click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then
   Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it
   if it is there. Press delete and then click Yes. Close Regedit. Don't
   change anything else without making a backup of the registry first. If you
   don't find SKA.EXE in the registry, it doesn't mean you're not infected.
   SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify
   WSOCK32.DLL when you run it. Also, you'll only find it in the registry if
   you haven't rebooted since you ran HAPPY99.EXE.

8. (Optional) Choose Start, Programs, Accessories, Notepad, choose File, then
   Open, then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the
   people on the list, then delete LISTE.SKA. Make it clear to the people you
   warn that they won't be infected unless they ran happy99.exe, to avoid
   alarming them unnecessarily. If you haven't sent out any infected e-mails,
   there won't be a LISTE.SKA.

9. (Optional) Delete the HAPPY99.EXE file. The location of HAPPY99.EXE will
   vary depending on where you saved it. You can delete it simply by dragging
   it to the Recycle Bin from within Windows or whatever method you prefer.
   You may still have some messages with HAPPY99.EXE attached in your mailbox.
   These cannot do anything unless you run them. You can delete them if you
   want to or just ignore them.

10. (Optional) If you aren't sure whether WSOCK32.DLL is infected, choose
    Start, then Find, then "Files or Folders". Then type WSOCK32.DLL in the
    "Named" box. In the "Look in" box choose drive C: or whatever drive you
    have Windows on. In the "Containing Text" box type "ska.dll" without the
    quotes. Then click "Find Now". If you don't find any files, that means
    that wsock32.dll isn't the modified version. If you don't have the
    modified WSOCK32.DLL, the virus has no way to attach to e-mails, even if
    you have SKA.EXE, SKA.DLL, and WSOCK32.SKA in the Windows System folder.
    If you have SKA.EXE in the RunOnce registry section, and you haven't
    deleted SKA.EXE, then the virus will try to modify WSOCK32.DLL the next
    time you restart the computer.
What if you have deleted WSOCK32.SKA before you restored WSOCK32.DLL?
Click here if you want to E-Mail me a question or here if you just have a
comment. Please read this page carefully before e-mailing me a question. I
don't mind getting E-Mail, but I'm getting an unbelievable amount of e-mail
on this topic. If you're having trouble with the removal, make sure you're
following the steps exactly. Make sure you type the instructions exactly
including spaces and punctuation. You might want to print out the removal
instructions so you have something to refer to. If you're having trouble
with the DOS commands, get a local person to help you with them. It's hard
to know exactly how you're typing the DOS commands and what your exact
situation is over E-Mail.
You may copy this information as long as you give credit to the source.
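The indicator checks described in the write-up above (dropped SKA files in the Windows System folder, a WSOCK32.DLL that names SKA.DLL, an SKA.EXE entry under RunOnce, and the X-Spanska: Yes header on outgoing mail) automated as a Python script, so the same "am I infected, and is it still able to send?" question can be answered against a folder, a .reg export and a saved message. This is an added example, not code from the original message or from the GeoCities page. The sample "system folder" contents, the .reg export (including the value name "ska", which the write-up does not give) and the two e-mail messages are constructed here for illustration.

```python
"""Offline checker for the Happy99 / SKA indicators in the write-up above."""
import email
import tempfile
from email import policy
from pathlib import Path

# Files the write-up says HAPPY99.EXE creates in the Windows System folder.
SKA_FILES = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def scan_system_dir(system_dir):
    """Return which of SKA_FILES exist in system_dir (names compared
    case-insensitively, as FAT and NTFS do)."""
    present = {p.name.upper() for p in Path(system_dir).iterdir() if p.is_file()}
    return sorted(name for name in SKA_FILES if name in present)


def wsock32_is_patched(system_dir):
    """Same test as Find -> 'Containing Text: ska.dll': the patched WSOCK32.DLL
    names SKA.DLL so it can load it; the original does not. Returns None when
    there is no WSOCK32.DLL to judge."""
    dll = Path(system_dir) / "WSOCK32.DLL"
    if not dll.is_file():
        return None
    return b"ska.dll" in dll.read_bytes().lower()


def runonce_has_ska(reg_export):
    """Check a regedit .reg export for an SKA.EXE value under RunOnce, the
    fallback the dropper uses when it cannot patch WSOCK32.DLL right away.
    Only the RunOnce section counts; a hit under Run or elsewhere is ignored."""
    in_runonce = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_runonce = line[1:-1].lower() == RUNONCE_KEY.lower()
        elif in_runonce and "ska.exe" in line.lower():
            return True
    return False


def has_spanska_header(raw_message):
    """True if the message carries the X-Spanska: Yes header the worm adds."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    value = msg.get("X-Spanska")
    return value is not None and value.strip().lower() == "yes"


def assess(system_dir):
    """Map the file checks onto the states the write-up distinguishes: 'active'
    (patched DLL, can attach to outgoing mail), 'dormant' (dropped files but a
    clean DLL, e.g. on NT or with the patch still pending in RunOnce), 'clean'."""
    if wsock32_is_patched(system_dir):
        return "active"
    return "dormant" if scan_system_dir(system_dir) else "clean"


# --- constructed sample data (not real binaries, registry data or mail) -----
ORIGINAL_DLL = b"MZ" + b"\0" * 30 + b"WSOCK32 original winsock stub" + b"\0" * 30
# The write-up says the patch does not change the file size, so pad to match.
PATCHED_DLL = (b"MZ" + b"\0" * 30 + b"WSOCK32 loads SKA.DLL on send").ljust(
    len(ORIGINAL_DLL), b"\0")
SAMPLE_REG = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\n"
    r'"ska"="C:\\WINDOWS\\SYSTEM\\SKA.EXE"' "\n"   # value name "ska" is assumed
)
INFECTED_MSG = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
                b"Subject: guillotine info wanted\r\nX-Spanska: Yes\r\n\r\n")
CLEAN_MSG = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
             b"Subject: guillotine info wanted\r\n\r\nHere is the info.\r\n")


def make_sample_system_dir(state):
    """Build a throwaway 'Windows System' folder: 'empty', 'clean', 'dormant'
    (SKA.EXE, SKA.DLL, WSOCK32.SKA dropped, DLL untouched, as on NT) or
    'active' (DLL patched and LISTE.SKA present after mail has been sent)."""
    d = Path(tempfile.mkdtemp(prefix="ska-demo-"))
    if state == "empty":
        return d
    (d / "WSOCK32.DLL").write_bytes(PATCHED_DLL if state == "active" else ORIGINAL_DLL)
    if state in ("dormant", "active"):
        (d / "SKA.EXE").write_bytes(b"fake HAPPY99.EXE copy")
        (d / "SKA.DLL").write_bytes(b"fake SKA.DLL")
        (d / "WSOCK32.SKA").write_bytes(ORIGINAL_DLL)   # backup of the original
    if state == "active":
        (d / "LISTE.SKA").write_bytes(b"bob@example.com\r\n")
    return d


if __name__ == "__main__":
    for state in ("empty", "clean", "dormant", "active"):
        d = make_sample_system_dir(state)
        print(f"{state:8s} files={scan_system_dir(d)} patched={wsock32_is_patched(d)} "
              f"verdict={assess(d)}")
    print("RunOnce has SKA.EXE:", runonce_has_ska(SAMPLE_REG))
    print("message tagged X-Spanska:", has_spanska_header(INFECTED_MSG))
```

Running it prints one line per sample folder; the "dormant" case is the one the write-up calls out for NT and for a pending RunOnce entry, where the files exist but nothing can be attached to mail until WSOCK32.DLL is actually patched. The DLL check is a plain substring search, exactly as the Find dialog does it, so a clean DLL that happened to contain the text would be a false positive; pair it with the file and registry checks rather than trusting it alone.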

