Vanagon EuroVan
Date:         Sun, 7 Feb 1999 22:33:29 -0800
Reply-To:     Doug Jones <duge4wd@EMAIL.MSN.COM>
Sender:       Vanagon Mailing List <vanagon@gerry.vanagon.com>
From:         Doug Jones <duge4wd@EMAIL.MSN.COM>
Subject:      Email attachments
Comments: To: fourwhldrv@hotmail.com

I'll make this short and sweet. I have become aware of an email virus that is very real (this is no hoax). It is relatively harmless except that it spreads itself very quickly by attaching to all the new emails you send. If you get an attachment called HAPPY99.EXE, DELETE IT, DO NOT OPEN IT. It will replace your winsock file, and then attach itself to every email you send, thus it spreads. It does nothing else other than that to my knowledge. It is more of a problem on large network servers. The person who sent it to you probably has no idea it came along for the ride. The instructions for removal are below.

Sorry to bother you with this, but it helps eliminate part of the problem.

Doug Jones

I-Worm.Happy

This is the first known modern Internet Worm discovered in-the-wild. This computer worm is a kind of virus program that, to spread its copies, does not affect disk files as its main target, but replicates its copies by sending itself to the Internet as an attachment in e-mail messages. The worm had been posted by somebody (maybe by the worm author) to several news servers in January 1999, and then in a few days it was discovered In-The-Wild in Europe and continued spreading.

The worm arrives as an attachment in the e-mails as a HAPPY99.EXE file. When an infected attachment is executed and gets control, the worm displays a funny firework in a program's window to hide its malicious nature. During that, it installs itself into the system, hooks sendings to the Internet, converts its code to the attachment and appends it to the messages. As a result the worm, when it is installed into the system, is able to spread its copies to all the addresses the messages are sent to.

While installing, the worm affects files in the Windows system directory only. It creates the SKA.EXE and SKA.DLL files in there, copies the WSOCK32.DLL to a newly created WSOCK32.SKA and patches the original WSOCK32.DLL file to hook email sending calls.

Removal and Protection
----------------------

If the worm is detected in your system you can easily get rid of it just by deleting the SKA.EXE and SKA.DLL files in the Windows system directory. You should also delete the WSOCK32.DLL file and replace it with the original WSOCK32.SKA file. The original HAPPY99.EXE file should also be located and deleted.

To protect your computer from re-infection you just need to set the Read-Only attribute for the WSOCK32.DLL file. The worm does not pay attention to Read-Only mode, and fails to patch the file. This trick was discovered by Peter Szor at DataFellows (http://www.datafellows.com).
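
The removal and protection steps above can be turned into a read-only audit of a Windows system directory, for instance one copied or mounted from the affected machine. This is an added example, not part of the original message or the advisory; the function names are hypothetical, the sample directory is constructed, and the file's write bit is used as a stand-in for the Read-Only attribute.

```python
import os
import stat
import tempfile

# File names taken from the advisory above.
DROPPED = ("SKA.EXE", "SKA.DLL")
BACKUP = "WSOCK32.SKA"
PATCHED = "WSOCK32.DLL"


def audit_system_dir(system_dir):
    """Report Happy99 artifacts in a Windows system directory (changes nothing)."""
    # Windows file names are case-insensitive; a mounted copy may not be.
    present = {name.upper(): os.path.join(system_dir, name)
               for name in os.listdir(system_dir)}
    dropped = [n for n in DROPPED if n in present]
    backup = BACKUP in present
    steps = [f"delete {n}" for n in dropped]
    if backup:
        # Per the advisory, the worm copies WSOCK32.DLL to WSOCK32.SKA
        # before patching the original.
        steps.append(f"replace {PATCHED} with the original {BACKUP}")
    read_only = False
    if PATCHED in present:
        mode = os.stat(present[PATCHED]).st_mode
        read_only = not (mode & stat.S_IWUSR)
    if not read_only:
        steps.append(f"set the Read-Only attribute on {PATCHED}")
    return {"infected": bool(dropped or backup), "dropped": dropped,
            "backup_present": backup, "wsock32_read_only": read_only,
            "steps": steps}


def demo():
    """Build a constructed directory resembling an infected system and audit it."""
    names = ("wsock32.dll", "Wsock32.ska", "ska.exe", "SKA.DLL", "kernel32.dll")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed sample, not real binary content")
        return audit_system_dir(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The audit does not look for the original HAPPY99.EXE attachment, which the advisory says must be located and deleted separately.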




The vanagon mailing list archives are copyright (c) 1994-2011, and may not be reproduced without the express written permission of the list administrators. Posting messages to this mailing list grants a license to the mailing list administrators to reproduce the message in a compilation, either printed or electronic. All compilations will be not-for-profit, with any excess proceeds going to the Vanagon mailing list.

Any profits from list compilations go exclusively towards the management and operation of the Vanagon mailing list and vanagon mailing list web site.