Date: Sun, 7 Feb 1999 22:33:29 -0800
Reply-To: Doug Jones <duge4wd@EMAIL.MSN.COM>
Sender: Vanagon Mailing List <vanagon@gerry.vanagon.com>
From: Doug Jones <duge4wd@EMAIL.MSN.COM>
Subject: Email attachments

I'll make this short and sweet. I have become aware of an email virus that
is very real (this is no hoax). It is relatively harmless except that it
spreads itself very quickly by attaching to all the new emails you send. IF
you get an attachment called HAPPY99.EXE, DELETE IT. DO NOT OPEN IT.

It will replace your winsock file, and then attach itself to every email you
send; thus it spreads. It does nothing else other than that to my knowledge.
It is more of a problem on large network servers. The person who sent it to
you probably has no idea it came along for the ride. The instructions for
removal are below.

Sorry to bother you with this, but it helps eliminate part of the problem.

Doug Jones

I-Worm.Happy

This is the first known modern Internet Worm discovered in-the-wild. This
computer worm is a kind of virus program that, to spread its copies, does not
affect disk files as its main target, but replicates by sending itself to the
Internet as an attachment in e-mail messages. The worm had been posted by
somebody (maybe by the worm's author) to several news servers in January 1999,
and then in a few days it was discovered In-The-Wild in Europe and continued
spreading.

The worm arrives as an attachment in e-mails as a HAPPY99.EXE file.
When an infected attachment is executed and gets control, the worm displays
a funny firework in a program's window to hide its malicious nature. During
that, it installs itself into the system, hooks sendings to the Internet,
converts its code to the attachment and appends it to the messages. As a
result the worm, when it is installed into the system, is able to spread
its copies to all the addresses the messages are sent to.

While installing, the worm affects files in the Windows system directory
only. It creates the SKA.EXE and SKA.DLL files there, copies
WSOCK32.DLL to the newly created WSOCK32.SKA and patches the original
WSOCK32.DLL file to hook email sending calls.

Removal and Protection
----------------------

If the worm is detected in your system you can easily get rid of it just by
deleting the SKA.EXE and SKA.DLL files in the Windows system directory. You
should also delete the WSOCK32.DLL file and replace it with the original
WSOCK32.SKA file. The original HAPPY99.EXE file should also be located and
deleted.

To protect your computer from re-infection you just need to set the Read-Only
attribute for the WSOCK32.DLL file. The worm does not pay attention to
Read-Only mode, and fails to patch the file. This trick was discovered by
Peter Szor at DataFellows (http://www.datafellows.com).
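
The removal and protection steps above, written out as an added Python example (not part of the original message or the quoted description). The function names and the idea of passing the Windows system directory in as an argument are assumptions; the demo runs against a constructed temporary directory with placeholder files.

```python
import os
import shutil
import stat
import tempfile

WORM_FILES = ("SKA.EXE", "SKA.DLL")   # created by the worm, per the description
BACKUP = "WSOCK32.SKA"                # worm's copy of the original WSOCK32.DLL
PATCHED = "WSOCK32.DLL"               # patched to hook e-mail sending calls

def _index(system_dir):
    """Map upper-cased names to real paths (Windows names are case-insensitive)."""
    return {n.upper(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}

def find_artifacts(system_dir):
    """Return the sorted worm-related file names present in system_dir."""
    present = _index(system_dir)
    return sorted(n for n in WORM_FILES + (BACKUP,) if n in present)

def clean(system_dir):
    """Apply the removal steps from the message; return the actions taken."""
    present = _index(system_dir)
    actions = []
    for name in WORM_FILES:
        if name in present:
            os.remove(present[name])
            actions.append("deleted " + name)
    dll = present.get(PATCHED, os.path.join(system_dir, PATCHED))
    if BACKUP in present:
        # Only remove the DLL when the original copy exists to restore from.
        if os.path.exists(dll):
            os.chmod(dll, stat.S_IWRITE | stat.S_IREAD)
            os.remove(dll)
        shutil.move(present[BACKUP], dll)
        actions.append("restored " + PATCHED + " from " + BACKUP)
    if os.path.exists(dll):
        # Read-only attribute: the protection step described in the message.
        os.chmod(dll, stat.S_IREAD)
        actions.append("set " + PATCHED + " read-only")
    return actions

def demo():
    """Run against a constructed directory; file contents are placeholders."""
    d = tempfile.mkdtemp()
    files = {"Ska.exe": b"x", "SKA.DLL": b"x", "WSOCK32.SKA": b"original", "WSOCK32.DLL": b"patched"}
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d, find_artifacts(d), clean(d)
```

If WSOCK32.SKA is missing, `clean` leaves WSOCK32.DLL in place rather than deleting it with nothing to restore from.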