RV: Happy99 Virus

< < < Date > > > | < < < Thread > > >
RV: Happy99 Virus

by Silvia Almanza Marquez

08 April 1999 18:58 UTC

Dear Colleagues:
Please accept my apologies for have contaminated the Network with the
HAPPY99 virus yesterday. In fact, I was not aware that this horrible thing
was hidden in my PC. I feel very ashamed and I am deeply sorry for the
inconvenence I have caused,  involuntarily, to all of you.

To remove the “creature”, I have followed these  instructions and also
runned the Mcafe antivirus. It seems that everything here is again, in good
health. If you have another suggestions, please let me know.
      Best wishes,
               Silvia


-----Mensaje original-----
De: Peter Grimes <p34d3611@jhunix.hcf.jhu.edu>
Para: WORLD SYSTEMS NETWORK <wsn@csf.colorado.edu>
Fecha: Jueves 8 de Abril de 1999 2:04 AM
Asunto: Happy99 Virus


>
>Could you pass the following instructions for removal of the
>Happy99 virus to the entire list.
>
>
>Basically the original file HAPPY99.EXE was coded by a virus author known
>as "Spanska", formerly known for Spanska.4250 virus infecting PE type
>files.  The file was distributed onto newsgroup servers and other places.
>Users would run the file and unbeknownst to them, they would send out
>copies of the worm to anyone they sent email to. It only works if the user
>
>The way it works is this- HAPPY99.EXE is broken down into 2 files - SKA.EXE
>and SKA.DLL. When you run HAPPY99.EXE, it displays fireworks - more or less
>a distraction as it drops SKA.EXE and SKA.DLL onto the hard drive. It then
>makes a backup copy of the WSOCK32.DLL as WSOCK32.SKA. After this, it
>also newsgroup posting by NNTP protocol. By hooking these calls, SKA.EXE
>can send itself again as HAPPY99.EXE as an attachment to emails and
>posting to newsgroups.
>
>Also HAPPY99 (W32/Ska) keeps a log of emails sent to users in a file called
>"liste.ska".
>
>Removal is more or less a manual process:
>
> boot to ms-dos
>
> rename WSOCK32.DLL to WSOCK32.BAD
>
> rename WSOCK32.SKA to WSOCK32.DLL
>
> delete SKA.EXE, SKA.DLL, LISTE.SKA
>
> restart Windows
>
>A command line program is available to perform these actions for you. It is
>called RMSKA.EXE and is located at this URL-
>
><http://www.avertlabs.com/public/stand_alone>
>
>Copy the executable to the root of C: and the click START»RUN and type
>RMSKA.EXE
>
>This will run the remover, after which you will need to reboot your
>computer. This utility is designed for Windows 95/98 computers.
>
>With Regards,
>AVERT - A Division Of NAI Labs
>
>
< < < Date > > > | < < < Thread > > > | Home