Re: RH5.2 / Make / Missing.
From Symantec AV research center:
8-< ------------------------------------------------------------------------
This is a worm program, NOT a virus. This program has reportedly been received
through email spamming and USENET newsgroup posting. The file is usually named
HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy New Year
1999 !!" showing a firework display to disguise its other actions. The program
copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into the
WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM
directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles Internet connectivity in Windows 95 and 98. The modification
to WSOCK32.DLL allows the worm routine to be triggered when a connect or send
activity is detected. When such online activity occurs, the modified code loads
the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with a
UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this
email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.
8-< ------------------------------------------------------------------------------
Might be safe to assume it's not his fault...
Amos Shapira wrote:
>
> On Wed, March 3 1999, Hetz Ben Hamo <hetz@dream.co.il> wrote:
> |People, someone sent to us Happy99.exe and I read it's a virus.
> |
> |Ron - SCREW YOU!
>
> Hetz - once again you show you can be a real jerk, only this time an
> innocent user (especially someone interested in Linux!) might get hurt
> because of you so I have to voice myself here.
>
> If you know this virus so well then you should know by now that it
> sends itself via e-mail without asking the user first (or at least
> without making this clear to the user - I never got around to be
> infected by it so I wouldn't know).
>
> |Anyone wants to handle this person?
>
> I suspect you and your dirty mouse are the ones to be handled this
> time.
>
> --Amos
>
-- Omer
|---------------------------------------------------------------------------|
| A bus station is where a bus stops. A train | Omer Efraim |
| station is where a train stops. On my desk I | omere@tc-iris.tau.ac.il |
| have work station... -Author Unknown | |
|---------------------------------------------------------------------------|
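The indicators in the Symantec description quoted above (the dropped SKA.EXE,
SKA.DLL and WSOCK32.SKA files in WINDOWS\SYSTEM, the RunOnce=SKA.EXE entry, and
the uuencoded HAPPY99.EXE attachment) are enough to write a quick check. The
script below is an added example for this archive page, not code from the list
posters or from Symantec. The file names and the RunOnce key come from the
description; the function names, the constructed sample mail and the temporary
directory that demo() builds are illustrative assumptions.

```python
"""Checks for the Happy99 (SKA) worm indicators quoted above.

Added example for this archive page, not code from the list posters or
from Symantec. The file names and the RunOnce entry come from the
description; the function names, the sample mail and the temporary
directory built by demo() are illustrative assumptions.
"""
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Files the worm drops into WINDOWS\SYSTEM, per the description. Matched
# case-insensitively because Win9x file names are.
SKA_FILES = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")

# RunOnce key the worm writes to when it cannot patch WSOCK32.DLL in place.
RUNONCE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"

# A uuencoded attachment starts with a "begin <mode> <filename>" line.
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def find_host_artifacts(system_dir, runonce_values):
    """Return findings for a WINDOWS\\SYSTEM directory and a dict of RunOnce
    value names -> data (passed in, so this also runs off a copied disk or
    on a non-Windows host)."""
    findings = []
    present = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    for name in SKA_FILES:
        if name in present:
            findings.append(f"dropped file present: {present[name]}")
    # The worm copies the original WSOCK32.DLL to WSOCK32.SKA before patching
    # it, so backup + DLL together means the live DLL is the modified one.
    if "WSOCK32.SKA" in present and "WSOCK32.DLL" in present:
        findings.append("WSOCK32.DLL has a WSOCK32.SKA backup: the DLL was patched")
    # The description shows RunOnce=SKA.EXE (the key's default value); match
    # on the data rather than the value name so a named value is caught too.
    for value_name, data in runonce_values.items():
        if PureWindowsPath(str(data)).name.upper() == "SKA.EXE":
            findings.append(f"RunOnce value {value_name!r} starts {data} at next boot")
    return findings


def read_runonce_windows():
    """On a live Windows host read the RunOnce values with the standard
    winreg module; return {} elsewhere so the rest still runs offline."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values[name] = data
            index += 1
    return values


def uuencoded_attachment_names(raw_message):
    """Names of uuencoded attachments in a raw mail message or news article."""
    return UU_BEGIN.findall(raw_message)


def mail_carries_happy99(raw_message):
    """True if the message carries a uuencoded HAPPY99.EXE, in any letter case."""
    return any(n.upper() == "HAPPY99.EXE" for n in uuencoded_attachment_names(raw_message))


# Constructed sample: headers plus a tiny uuencoded body; not a real capture.
SAMPLE_MAIL = """From: someone@example.invalid
Subject: Happy New Year 1999 !!

begin 644 Happy99.exe
#8V%T
end
"""


def demo():
    """Build an infected-looking WINDOWS\\SYSTEM in a temp folder (constructed
    data) and run both checks; returns the findings and the mail verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("KERNEL32.DLL", "WSOCK32.DLL", "WSOCK32.SKA", "SKA.EXE", "SKA.DLL"):
            Path(tmp, name).write_bytes(b"MZ")  # placeholder contents only
        host = find_host_artifacts(tmp, {"": "SKA.EXE"})
    return {"host": host, "mail": mail_carries_happy99(SAMPLE_MAIL)}


if __name__ == "__main__":
    result = demo()
    for line in result["host"]:
        print(line)
    print("mail carries HAPPY99.EXE:", result["mail"])
```

On a real Windows 95/98 box the host check would be run as
find_host_artifacts(r"C:\WINDOWS\SYSTEM", read_runonce_windows()). Note that
this is purely indicator-based: it only knows the DLL was patched because the
worm leaves the WSOCK32.SKA backup beside it, and the mail check only looks at
the uuencode "begin" line, which is exactly how the description says the
attachment is inserted.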