SC - True Virus Alert

Michael F. Gunter michael.gunter at fnc.fujitsu.com
Mon Mar 22 09:18:34 PST 1999


I just got sent a virus from the Middlebridge this AM, and I wanted to warn
you all in case it accidentally shows up here. The following is a letter from
today's victim with all particulars. In the meantime, don't open a happy.exe
file attachment.


Phlip

Philippa Farrour
Caer Frig
Southeastern Ohio

When pompous people irk me with their regal attributes,
It pleases me to imagine how they'd look in bathing suits.
-----Original Message-----
From: Maerten Wulfgar von Hillesheim <dhamann at uindy.edu>
To: Middlebridge <sca-middle at midrealm.org>
Date: Monday, March 22, 1999 11:23 AM
Subject: Re: Fw: [Mid] Pencoed Castle for sale


>To all on the Bridge;
>
>My humblest and sincere apologies to all.  It was unknown to me that my
>computer was infected with the HAPPY99 virus.  I believe that I have cleaned
>my machine.  I used the instructions from http://www.uconect.net/ska.html. If
>a second message follows this please let me know as the virus is still in my
>machine.
>
>Red in the face (though not entirely from embarrassment),
>
>Wulfgar
>
>Responses to the inadvertent email...
>
>> What in hell are you doing sending out a virus to the middlebridge? I'm
>> going to forward it to Dafydd, and let him deal with you.
>>
>
>and...
>
>>Attachment Converted: "D:\Eudora\ATTACH\Happy99.exe"
>
>Please see the following web site for instructions for removing this
>stupid
>trojan horse worm program from your system.
>
>http://www.fidnet.com/happy99.htm
>
>There are many other sites with these instructions, but this one is
>fairly
>complete.
>
>Good luck worm-hunting!
>
>and...
>
>A member of the Middlebridge has just sent out to us a program which my
>server,
>at www.sotainter.net has warned us about as being a virus. The mail is
>from:
>
>Maerten Wulfgar von Hillesheim, at:
>
>dhamann at uindy.edu
>
>and is the attachment to his second message this AM.
>
>Dafydd, please handle this.
>
>and...
>
>You have the happy99.exe virus.  Do the following:
>
>HOW TO FIND OUT IF YOU ARE INFECTED
>
>If you aren't sure whether you are infected,
>Choose "Start", then "Find", then "Files or Folders".
>
>Then type WSOCK32.DLL in the "Named" box.
>
>Then type "ska.dll" (without the quotes) in "Containing Text" Box.
>
>Leave the "Look in" box as C: (or whatever drive you have Windows
>installed
>on).
>
>Then click "Find Now".
>
>If you don't find any files, that means you are not infected.
>
>
>WHAT DOES THE HAPPY99 VIRUS DO?
>
>It will create two files in the Windows System folder, SKA.EXE and
>SKA.DLL.
>SKA.EXE will be a copy of HAPPY99.EXE. It will copy the original
>WSOCK32.DLL
>to WSOCK32.SKA. Then it will modify WSOCK32.DLL without changing its
>size so
>it will try to run SKA.DLL while posting to Usenet and sending E-Mail.
>The
>SKA.DLL file will silently attach HAPPY99.EXE to a second copy of outgoing
>newsgroup and e-mail messages with a barely noticeable delay. This second
>copy will have the same subject and recipient, but it will have an empty
>body. The outgoing message will contain the header
>
>X-Spanska: Yes
>but this is normally not visible.
>
>It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a
>regular part of Windows that provides a connection to the Internet. If it
>is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce
>section of the registry and WSOCK32.DLL will be modified next time the
>computer starts. It will still create WSOCK32.SKA even if it is unable
>to
>modify WSOCK32.DLL. This virus will keep a list of message recipients in
>the
>file LISTE.SKA in the Windows System folder. It will try not to send the
>Happy99.exe file twice to the same person. The size of SKA.EXE (and
>HAPPY99.EXE) is 10,000 bytes. The size of SKA.DLL is 8,192 bytes.
>
>This virus does not steal passwords, as some sources have reported. It
>does
>not contain any payload other than the fireworks display. However, it
>could
>overload an e-mail server if a lot of copies get passed around. Also,
>since
>it gets passed along a lot, a different virus could attach to
>HAPPY99.EXE
>somewhere along the way. Without SKA.DLL and SKA.EXE, the modified
>WSOCK32.DLL cannot perform any viral action. However using a modified
>WSOCK32.DLL could cause problems while on the Internet. The most common
>problem that has been reported is invalid page faults, but these can
>have
>other causes. Restoring the original WSOCK32.DLL will correct these
>problems.
>
>This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV.
>However, someone using one of those could pass it along manually, for
>example by forwarding the message. Under Windows NT it will create
>SKA.EXE,
>SKA.DLL, and WSOCK32.SKA but will fail to add itself to the registry or
>modify WSOCK32.DLL. If you have NT, you don't have to follow the removal
>steps; you can simply delete SKA.DLL and SKA.EXE from inside Windows NT
>if
>you would like. This virus is not able to infect WSOCK32.DLL if it has
>the
>read-only attribute. Setting the read-only attribute after being
>infected is
>useless. I caution you not to run HAPPY99.EXE even if WSOCK32.DLL is
>read-only. Since it has passed through so many computers, a different
>virus
>could attach to HAPPY99.EXE along the way.
>
>Some people have asked whether it is always called HAPPY99.EXE. This
>virus
>doesn't contain any code to change the name. However, it would be simple
>for
>a person to change it to anything they like.
>
>It contains the encrypted text:
>
>"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
>Spanska is the alias of a virus writer who has written several other
>viruses.
>
>Removal
>Steps marked optional are not absolutely necessary and are completely safe
>to skip. If you're not comfortable with DOS, get someone knowledgeable to
>help you with this. These steps should be safe, even under unexpected
>circumstances, but I can't make guarantees. Perform these at your own risk.
>If you have Windows NT, you don't have to follow the removal steps.
>
>If you're not sure whether you are infected or not, then perform step 10 to
>check if you're clean.
>
>Click Start, then Shut Down, then "Restart Computer in MS-DOS mode",
>then
>click Yes. It's important to exit Windows in order to be able to replace
>the
>file WSOCK32.DLL which Windows normally has in use.
>At the DOS prompt type these commands exactly and press enter at the end
>of
>each line:
>CD \WINDOWS\SYSTEM
>If that doesn't work, try
>
>CD SYSTEM
>Delete SKA.EXE and SKA.DLL by typing
>DEL SKA.EXE
>DEL SKA.DLL
>If you get "File not found" you're either not infected or in the wrong
>directory. Make sure you're in your Windows System directory; check to
>see
>if you followed step 3 exactly.
>
>Copy WSOCK32.SKA to WSOCK32.DLL by typing
>ATTRIB -R WSOCK32.DLL
>COPY WSOCK32.SKA WSOCK32.DLL
>The ATTRIB command is just in case WSOCK32.DLL has been made read-only
>since
>the infection. Answer "Yes" if it asks if you want to overwrite
>WSOCK32.DLL.
>Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL. You
>are
>replacing the modified DLL with the original. If you get a "Sharing
>violation" make sure you followed step 1.
>
>Optional Delete WSOCK32.SKA by typing
>DEL WSOCK32.SKA
>You can leave WSOCK32.SKA on your system. It is a copy of your original
>WSOCK32.DLL Do not delete WSOCK32.SKA if you are unable to replace
>WSOCK32.DLL with WSOCK32.SKA.
>
>Return to Windows by typing
>EXIT
>
>
>
>From:  Maerten Wulfgar von Hillesheim <dhamann at uindy.edu>

------------- End Forwarded Message -------------
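A defender-side check for the indicators the forwarded alert lists (SKA.EXE and SKA.DLL with the sizes it quotes, the WSOCK32.SKA backup, the "ska.dll" string inside WSOCK32.DLL, the X-Spanska mail header and the Happy99.exe attachment), added here as an example; it is not code from the original post, and the sample message and the temporary "System folder" it scans are constructed.

```python
import email, email.policy, tempfile
from pathlib import Path

# Indicators quoted in the alert above; none of this is code from the original post.
SKA_FILES = {"SKA.EXE": 10_000, "SKA.DLL": 8_192}   # names and sizes the alert gives
WSOCK_MARKER = b"ska.dll"   # the "Containing Text" the alert says to search WSOCK32.DLL for

def check_system_dir(system_dir):
    """Host check: list Happy99 indicators found in a Windows System folder."""
    d, hits = Path(system_dir), []
    for name, expected in SKA_FILES.items():
        p = d / name
        if p.exists():
            hits.append(f"{name} present, size {'matches' if p.stat().st_size == expected else 'differs from'} alert")
    if (d / "WSOCK32.SKA").exists():
        hits.append("WSOCK32.SKA backup present")
    if (d / "WSOCK32.DLL").exists() and WSOCK_MARKER in (d / "WSOCK32.DLL").read_bytes().lower():
        hits.append("WSOCK32.DLL references ska.dll")
    return hits

def check_message(raw_bytes):
    """Mail check: list Happy99 indicators in one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    hits = []
    if (msg.get("X-Spanska") or "").strip().lower() == "yes":
        hits.append("X-Spanska: Yes header")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == "happy99.exe":
            hits.append("happy99.exe attachment")
    return hits

# Constructed sample: the empty-bodied second copy the alert describes.
SAMPLE_MAIL = b"""X-Spanska: Yes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Happy99.exe"
Content-Disposition: attachment; filename="Happy99.exe"

--b1--
"""

def demo_host_check():
    """Write a constructed infected System folder to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in {"SKA.EXE": b"\0" * 10_000, "SKA.DLL": b"\0" * 8_192,
                           "WSOCK32.SKA": b"original", "WSOCK32.DLL": b"patched: loads SKA.DLL"}.items():
            Path(tmp, name).write_bytes(data)
        return check_system_dir(tmp)
```

On a real Windows host, point check_system_dir at the Windows System folder; the file-name comparison there is case-insensitive, unlike the temp-dir demo.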


============================================================================

To be removed from the SCA-Cooks mailing list, please send a message to
Majordomo at Ansteorra.ORG with the message body of "unsubscribe SCA-Cooks".

============================================================================