Fw: I'm Clean
CORALations
corals at caribe.net
Thu Mar 4 10:10:01 EST 1999
----------
>
> SORRY ABOUT HAPPY 99.....Did not know I had it or I was sending it...
> I followed these instructions to remove it....
> Thought I better not send it as an attachment!
> Mary Ann
>
> Read anything - execute NOTHING!! This is the key. If the file has
> (NAME OF FILE) .EXE . . .DO NOT CLICK ON IT -THIS IS A COMMAND FILE TO
> EXECUTE A PROGRAM.
> Here are the guts for Happy
> This virus is attached to newsgroup and e-mail messages as an
> attachment called Happy99.exe. You cannot get infected with this virus
> just by reading a newsgroup or e-mail message. You have to execute the
> attachment. Almost always, the person who sent it does not know that they
> are sending it out. It does not show up in their Outbox. If you didn't
> execute the attachment, you can just delete it and move on. If you
> execute an infected attachment, it will display a firework display. It
> will create two files in the Windows System folder, SKA.EXE and SKA.DLL.
> SKA.EXE will be a copy of HAPPY99.EXE. It will copy the original
> WSOCK32.DLL to WSOCK32.SKA. Then it will modify WSOCK32.DLL without
> changing its size so it will try to run SKA.DLL while posting to Usenet
> and sending E-Mail. The SKA.DLL file will silently attach HAPPY99.EXE to
> a second copy of outgoing newsgroup and e-mail messages with a barely
> noticeable delay. This second copy will have the same subject and
> recipient, but it will have an empty body. The outgoing message will
> contain the header
> X-Spanska: Yes
> but this is normally not visible.
>
> It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a
> regular part of Windows that provides a connection to the Internet.
> If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the
> RunOnce section of the registry and WSOCK32.DLL will be modified next
> time the computer starts. It will still create WSOCK32.SKA even if it is
> unable to modify WSOCK32.DLL. This virus will keep a list of message
> recipients in the file LISTE.SKA in the Windows System folder.
> It will try not to send the Happy99.exe file twice to the same person.
>
> This virus does not steal passwords, as some sources have reported. It
> does not contain any payload other than the fireworks display. However,
> it could overload an e-mail server if a lot of copies get passed around.
> Also, since it gets passed along a lot, a different virus could attach
> to HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the
> modified WSOCK32.DLL cannot perform any viral action.
> However using a modified WSOCK32.DLL could cause problems while on the
> Internet. The most common problem that has been reported is invalid page
> faults, but these can have other causes. Restoring the original
> WSOCK32.DLL will correct these problems.
>
> This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or
> WebTV. However, someone using one of those could pass it along
> manually, for example by forwarding the message. Under Windows NT it will
> create SKA.EXE, SKA.DLL, and WSOCK32.SKA but will fail to add itself to
> the registry or modify WSOCK32.DLL. If you have NT, you don't have to
> follow the removal steps; you can simply delete SKA.DLL and SKA.EXE from
> inside Windows NT if you would like.
>
> Some people have asked whether it is always called HAPPY99.EXE. This
> virus doesn't contain any code to change the name. However, it would be
> simple for a person to change it to anything they like.
>
> It contains the encrypted text: "Is it a virus, a worm, a trojan?
> MOUT-MOUT Hybrid (c) Spanska 1999."
>
> Spanska is the alias of a virus writer who has written several other
> viruses.
>
> Removal:
>
> Steps marked optional are not absolutely necessary and are completely
> safe to skip. If you're not comfortable with DOS, get someone
> knowledgeable to help you with this. These steps should be safe, even
> under unexpected circumstances, but I can't make guarantees. Perform
> these at your own risk. If you have Windows NT, you don't have to follow
> the removal steps.
>
> 1.Click Start, then Shut Down, then "Restart Computer in MS-DOS
> mode", then click Yes. It's important to exit Windows in order to be
> able to replace the file WSOCK32.DLL which Windows normally has in
> use.
> 2.At the DOS prompt type this exactly and press enter at the end of
> each line:
> CD \WINDOWS\SYSTEM
>
> If that doesn't work, try
> CD SYSTEM
>
> 3.Delete SKA.EXE and SKA.DLL by typing
> DEL SKA.EXE
> DEL SKA.DLL
>
> If you get "File not found" you're either not infected or in the
> wrong directory. Make sure you're in your Windows System directory; check
> to see if you followed step 2 exactly.
>
> 4.Copy WSOCK32.SKA to WSOCK32.DLL by typing
> ATTRIB -R WSOCK32.DLL
> COPY WSOCK32.SKA WSOCK32.DLL
>
> Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
> Explanation: WSOCK32.SKA is a backup of the original
> WSOCK32.DLL. You are replacing the modified DLL with the
> original. If you get a "Sharing violation" make sure you followed
> step 1.
> 5.Optional Delete WSOCK32.SKA by typing
> DEL WSOCK32.SKA
> You can leave WSOCK32.SKA on your system. It is a copy of your
> original WSOCK32.DLL. Do not delete WSOCK32.SKA if you are unable to
> replace WSOCK32.DLL with WSOCK32.SKA.
>
> 6.Return to Windows by typing
> EXIT
>
> 7.Optional Click Start, then Run, then type regedit in the text box,
> then click OK. Click HKEY_LOCAL_MACHINE, then Software, then
> Microsoft, then Windows, then CurrentVersion. Under RunOnce check for
> SKA.EXE and select it if it is there. Press delete and then click Yes.
> Close Regedit. Don't change anything else without making a backup of the
> registry first. If you don't find SKA.EXE in the registry, it doesn't
> mean you're not infected. SKA.EXE is only added to the registry if
> HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it. Also,
> you'll only find it in the registry if you haven't rebooted since you
> ran HAPPY99.EXE.
>
> ...Optional: Choose Start, Programs, Accessories, Notepad, choose File,
> then Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box.
> Warn the people on the list, then delete LISTE.SKA. Make it clear to
> the people you warn that they won't be infected unless they ran
> happy99.exe, to avoid alarming them unnecessarily. If you haven't sent
> out any infected e-mails, there won't be a LISTE.SKA.
> 9.Optional Delete the HAPPY99.EXE file. The location of
> HAPPY99.EXE will vary depending on where you saved it. You can
> delete it simply by dragging it to the Recycle Bin from within
> Windows or whatever method you prefer. You may still have some
> messages with HAPPY99.EXE attached in your mailbox. These
> cannot do anything unless you run them. You can delete them if you
> want to or just ignore them.
> 10.Optional If you aren't sure whether WSOCK32.DLL is infected,
> choose Start, then Find, then "Files or Folders". Then type
> WSOCK32.DLL in the "Named" box. In the "Look in" box choose drive
> C: or whatever drive you have Windows on. In the "Containing Text" box
> type "ska.dll" without the quotes. Then click "Find Now". If you don't
> find any files, that means that wsock32.dll isn't the modified
> version. If you don't have the modified WSOCK32.DLL, the virus has no
> way to attach to e-mails, even if you have SKA.EXE, SKA.DLL and
> WSOCK32.SKA in the Windows System folder. If you have SKA.EXE in the
> RunOnce registry section, and you haven't deleted SKA.EXE, then the
> virus will try to modify WSOCK32.DLL the next time you restart the
> computer.
> ... If you're having trouble with the removal, make
> sure you're following the steps exactly. Make sure you type the
> instructions exactly including spaces and punctuation. You might want to
> print out the removal instructions so you have something to refer to. If
> you're having trouble with the DOS commands, get a local person to help
> you with them.
>
>
>
> --------- End forwarded message ----------
>
>
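The file and header indicators listed in the forwarded message, turned into a read-only check. This is an added example, not part of the original post; the function names and the sample folder contents are constructed for illustration.

```python
import os
import tempfile
from email import message_from_string

# File names from the forwarded description; compared in upper case because
# Windows file names are case-insensitive.
DROPPED = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")
MARKER = b"ska.dll"  # text removal step 10 searches for inside WSOCK32.DLL


def check_system_dir(path):
    """Read-only check of one Windows System folder for the listed files."""
    names = {n.upper(): n for n in os.listdir(path)}
    patched = False
    if "WSOCK32.DLL" in names:
        with open(os.path.join(path, names["WSOCK32.DLL"]), "rb") as fh:
            patched = MARKER in fh.read().lower()
    return {
        "dropped_files": [n for n in DROPPED if n in names],
        "wsock32_patched": patched,
        # WSOCK32.SKA is the backup that removal step 4 copies back.
        "backup_available": "WSOCK32.SKA" in names,
        # The message says the modified DLL is inert without SKA.DLL and SKA.EXE.
        "can_attach_now": patched and "SKA.DLL" in names and "SKA.EXE" in names,
    }


def has_spanska_header(raw_message):
    """True if the message headers (not the body) carry X-Spanska: Yes."""
    value = message_from_string(raw_message).get("X-Spanska") or ""
    return value.strip().lower() == "yes"


def build_sample_dir(infected):
    """Constructed stand-in for a System folder; placeholder bytes only."""
    files = {"wsock32.dll": b"MZ placeholder"}
    if infected:
        files = {"wsock32.dll": b"MZ placeholder Ska.dll\x00", "Ska.exe": b"-",
                 "Ska.dll": b"-", "WSOCK32.SKA": b"MZ placeholder",
                 "liste.ska": b"-"}
    root = tempfile.mkdtemp()
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for state in (False, True):
        print(state, check_system_dir(build_sample_dir(state)))
    print(has_spanska_header("Subject: hello\nX-Spanska: Yes\n\n"))
```

Point check_system_dir at a copy of the real System folder rather than the constructed one; it only reads files and never deletes or restores anything.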