-----Original Message-----
From: Terry Mitchell <mitchell@mitchell.demon.nl>
Newsgroups: alt.windows98
Date: March 6, 1999 12:29 PM
Subject: Happy99.exe virus Warning
Dear readers,
W32/Ska is a worm that was first posted to several
newsgroups and has been reported to several of Avert Labs
locations worldwide. When this worm is run it displays the
message "Happy New Year 1999" and displays fireworks
graphics. The posting on the newsgroups has led to its
propagation. It can spread on its own, as it can attach
itself to a mail message and be sent unknowingly by a user.
Because of this attribute it is also considered to be a worm.
Avert cautions all users who may receive the attachment via
e-mail to simply delete the mail and the attachment. The
worm infects a system via e-mail delivery and arrives as an
attachment called Happy99.exe. It is sent unknowingly by a
user. When the program is run it deploys its payload
displaying fireworks on the user's monitor.
Note: At this time no destructive payload has been
discovered.
When Happy99.exe is run it copies itself to the Windows\System
folder under the name SKA.EXE. It then extracts, from within
itself, a DLL called SKA.DLL into the Windows\System folder
if one does not already exist.
Note: Though the SKA.EXE file is a copy of the
original it does not run as Happy99.EXE does: it does
not copy itself again, nor does it display the fireworks on
the user's monitor.
The worm then checks for the existence of WSOCK32.SKA in the
Windows\System folder; if it does exist and the file
WSOCK32.DLL does exist, it copies WSOCK32.DLL to
WSOCK32.SKA.
The worm then creates the registry entry :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="ska.exe"
which will execute SKA.EXE the next time the system is
restarted. When this happens the worm patches WSOCK32.DLL
and adds hooks to the exported functions EnumProtocolsW and
WSAAsyncGetProtocolByName.
The patched code calls two exported functions in SKA.DLL
called mail and news; these functions allow the worm to attach
itself to SMTP e-mail and also to any Posting to newsgroups
the user makes.
For any updates for virus scanners (McAfee, Dr Solomon) you
can go to this website :
http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.asp
Greetings from Terry Mitchell (Amsterdam)
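The infection chain described in the warning above (SKA.EXE and SKA.DLL dropped into Windows\System, WSOCK32.DLL backed up to WSOCK32.SKA, a RunOnce entry that patches WSOCK32.DLL at the next restart) can be checked for offline. The script below is an added example written for this page, not code from the advisory or from AVERT. It works on a listing of the Windows\System folder and on the text of a .reg export of the registry, both of which are constructed samples here; the staging logic relies on the documented Windows behaviour that a RunOnce value is deleted once it has run, so a RunOnce entry still present means the restart (and therefore the WSOCK32.DLL patch) has not happened yet. Function and variable names are my own.

```python
"""Indicator check for the W32/Ska (Happy99) infection chain described above.

Added example, not the advisory's own tooling. All inputs are constructed.
"""
import re

# Indicators taken from the advisory text (all names compared case-insensitively)
SKA_SYSTEM_FILES = {"ska.exe", "ska.dll", "wsock32.ska"}
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed sample data: a directory listing of Windows\System on an infected
# and on a clean machine, and two .reg exports (REGEDIT4 is the Windows 9x header).
INFECTED_SYSTEM_DIR = ["KERNEL32.DLL", "WSOCK32.DLL", "SKA.EXE", "SKA.DLL", "WSOCK32.SKA"]
CLEAN_SYSTEM_DIR = ["KERNEL32.DLL", "WSOCK32.DLL"]

INFECTED_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"Ska.exe"="ska.exe"
"""

CLEAN_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"
"""


def check_system_folder(filenames):
    """Return the sorted list of Ska artefacts present in a Windows\\System listing."""
    present = {name.lower() for name in filenames}
    return sorted(SKA_SYSTEM_FILES & present)


def check_runonce_export(reg_text):
    """Parse a .reg export and return (name, value) pairs under RunOnce that launch ska.exe."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None or current_key.lower() != RUNONCE_KEY.lower():
            continue
        value_match = re.match(r'^"([^"]+)"="([^"]*)"$', line)
        if value_match and "ska.exe" in value_match.group(2).lower():
            hits.append((value_match.group(1), value_match.group(2)))
    return hits


def wsock32_modified(current_dll, backup_ska):
    """True if WSOCK32.DLL differs from the WSOCK32.SKA copy the worm made of it.

    The advisory says WSOCK32.SKA is a copy of the original WSOCK32.DLL, so any
    difference after the RunOnce restart is the worm's patch. Byte strings are
    passed in so the check runs offline on constructed data.
    """
    return current_dll != backup_ska


def assess(filenames, reg_text):
    """Combine the indicators into one verdict.

    Stages (my own labels, derived from the sequence in the advisory):
      clean            - no artefacts, no RunOnce entry
      pending_reboot   - artefacts dropped, RunOnce entry still present, so the
                         patch of WSOCK32.DLL has not run yet (RunOnce values are
                         deleted by Windows once executed)
      wsock32_patched  - artefacts present but RunOnce entry gone, so the restart
                         and the patch have already happened
    """
    files = check_system_folder(filenames)
    runonce = check_runonce_export(reg_text)
    if runonce:
        stage = "pending_reboot"
    elif files:
        stage = "wsock32_patched"
    else:
        stage = "clean"
    return {"files": files, "runonce": runonce, "stage": stage}


if __name__ == "__main__":
    for label, listing, reg in (("infected, before restart", INFECTED_SYSTEM_DIR, INFECTED_REG),
                                ("infected, after restart", INFECTED_SYSTEM_DIR, CLEAN_REG),
                                ("clean", CLEAN_SYSTEM_DIR, CLEAN_REG)):
        print(label, "->", assess(listing, reg))
```

On a real Windows 98 machine the listing would come from `dir C:\WINDOWS\SYSTEM` and the registry text from `regedit /e` of the RunOnce key. Because the advisory states that WSOCK32.SKA is a copy of the unpatched WSOCK32.DLL, the `wsock32_patched` stage is the one where a practitioner would want the backup compared against (and, after cleaning, restored over) the live DLL; the advisory itself gives no cleanup procedure, so that step is an inference from its description, not a quoted instruction.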