[plug] Happy99, was LS-120 drives at UWA

Thu May 27 09:25:11 WST 1999

"Shackleton, Kevin" wrote:

> (this is a little off-topic as far as Linux is concerned)
>
> BTW, anyone got a good analysis of Happy99?
>
> I read that it (rather generously I thought) renamed the wsock32.dll and
> replaced it with its version that sends the phantom extra emails.  To remove
> Happy99 you only had to delete winsock32.dll and rename the original back.
> Unfortunately that didn't work.  This system I looked at had other issues
> too so I killed all Windows and re-installed, as one does in the world of
> the Evil Empire.
>
> My query here is not "how do you run Windows properly", which obviously you
> can't, but why would a virus make itself so easily removed?

This is some info from:

http://www.avertlabs.com/public/datafiles/valerts/vinfo/w32ska.asp

Hope it helps...

Mark

--------------------------------------------------------------------------------------------

W32/Ska (A.K.A. Happy99.exe)

W32/Ska is a worm that was first posted to several newsgroups and has been
reported to several of the AVERT Labs locations
worldwide. When this worm is run it displays a message "Happy New Year 1999!!"
and displays "fireworks" graphics. The posting
on the newsgroups has lead to its propagation. It can also spread on its own,
as it can attached itself to a mail message and be sent
unknowingly by a user. Because of this attribute it is also considered to be a
worm.

AVERT cautions all users who may receive the attachment via email to simply
delete the mail and the attachment. The worm
infects a system via email delivery and arrives as an attachment called
Happy99.EXE. It is sent unknowingly by a user. When the
program is run it deploys its payload displaying fireworks on the users
monitor.

Note: At this time no destructive payload has been discovered.

When the Happy.EXE is run it copies itself to Windows\System folder under the
name SKA.EXE. It then extracts, from within
itself, a DLL called SKA.DLL into the Windows\System folder if one does not
already exist.

Note: Though the SKA.EXE file file is a copy of the original it does not run as
the Happy.EXE files does, so it does not copy itself
again, nor does it display the fireworks on the users monitor.

The worm then checks for the existence of WSOCK32.SKA in the Windows\System
folder, if it does not exist and a the file
WSOCK32.DLL does exist, it copies the WSOCK32.DLL to WSOCK32.SKA.

The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"

- which will execute SKA.EXE the next time the system is restarted. When this
happens the worm patches WSOCK32.DLL and
adds hooks to the exported functions EnumProtocolsW and
WSAAsyncGetProtocolByName.

The patched code calls two exported functions in SKA.DLL called mail and news,
these functions allow the worm to attach itself to
SMTP e-mail and also to any postings to newsgroups the user makes.

AVERT has made detection for the worm available for all Network Associates
VirusScan products. Please chose from the link
below to download the product you need.

Click here for McAfee VirusScan 3 (hrlydats).

Click here for McAfee VirusScan 4 (current dat).

Click here for Dr Solomon's AVTK (extra driver).