MA-004.021999: HAPPY99.exe Virus
Original Issue Date: 8th February 1999
1.0 DESCRIPTION
1.1 Overview
HAPPY99.exe is the usual name for this virus, or rather worm, since it can replicate on its own. It is also known as W32/Ska, WSOCK32.SKA or SKA.EXE. As explained by NAI and DataFellows, the virus has been distributed via e-mail and newsgroup postings. When run, it displays the message "Happy New Year 1999!!" together with a "fireworks" graphic. It does not attempt to destroy files on infected machines, but it sends e-mails and newsgroup postings without the victim's knowledge and could cause network slowdowns or even crash corporate e-mail servers.
1.2 Limitation
The file HAPPY99.exe must be executed in order to initiate the virus.
2.0 TECHNICAL MATTERS
2.1 Installation
When executed for the first time, it creates SKA.EXE and SKA.DLL in the system directory. SKA.EXE is a copy of HAPPY99.EXE; SKA.DLL is packed inside SKA.EXE. The virus then checks for the existence of WSOCK32.SKA in the Windows\System folder; if it does not exist and a file WSOCK32.DLL does exist, it copies WSOCK32.DLL to WSOCK32.SKA.
The virus then creates the registry entry -
which will execute SKA.EXE the next time the system is restarted. When executed as SKA.EXE it does not display the fireworks; it just keeps trying to patch WSOCK32.DLL until the file is no longer in use.
2.2 Functionality
The "Connect" and "Send" exports of WSOCK32.DLL are patched, so the worm can see whether the local user has any network activity. When the "Connect" or "Send" APIs are called, Ska loads its SKA.DLL, which contains two exports: "news" and "mail".
It then spams itself to the same newsgroups or e-mail addresses the user was posting or mailing to. It maps SKA.EXE into memory, converts it to UU-encoded format and manipulates the mail buffer to contain this UU-encoded attachment as HAPPY99.exe. The worm also maintains a list of the addresses to which it has posted a copy of itself, stored in a file called LISTE.SKA (the number of entries in this file is limited).
3.0 POSSIBLE STEPS
3.1 Detection
Detection for this virus is available from Network Associates and the Symantec AntiVirus Research Center, as listed below. If this virus has been found on your system, it is recommended that the WSOCK32.DLL file be replaced with the backup created during infection, WSOCK32.SKA, or with a copy from a known clean system. Also delete the files detected as infected.
McAfee
Dr Solomon's
Norton AntiVirus
3.2 Reaction/Removal
DataFellows provides a solution for detection and removal of the HAPPY99.exe virus. Download the latest updater files from the site below:
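The following is an added example, not part of the original advisory or any vendor's tool: a small Python check that looks for the files section 2.1 says the worm drops (SKA.EXE, SKA.DLL, WSOCK32.SKA, LISTE.SKA), restores WSOCK32.DLL from the WSOCK32.SKA backup as section 3.1 recommends, and flags a mail or news buffer carrying the UU-encoded HAPPY99.exe attachment described in section 2.2. The system directory path and the file contents in `demo()` are constructed stand-ins.

```python
import os
import re
import shutil
import tempfile

# Files that section 2.1 says the worm drops in the Windows system directory.
# WSOCK32.SKA is the worm's own backup of the clean WSOCK32.DLL (section 3.1
# says to restore from it); LISTE.SKA is its list of already-spammed addresses.
SKA_ARTIFACTS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")

# A uuencoded attachment opens with "begin <mode> <name>"; the worm names it HAPPY99.exe.
UU_HEADER = re.compile(rb"^begin [0-7]{3} happy99\.exe\s*$", re.IGNORECASE | re.MULTILINE)


def find_ska_artifacts(system_dir):
    """Return the artifacts present in system_dir, matched case-insensitively."""
    present = {name.upper() for name in os.listdir(system_dir)}
    return [name for name in SKA_ARTIFACTS if name in present]


def restore_wsock32(system_dir):
    """Copy the backup WSOCK32.SKA over the patched WSOCK32.DLL; True if done."""
    backup = os.path.join(system_dir, "WSOCK32.SKA")
    if not os.path.isfile(backup):
        return False  # no backup: take WSOCK32.DLL from a known clean system instead
    shutil.copyfile(backup, os.path.join(system_dir, "WSOCK32.DLL"))
    return True


def mail_carries_happy99(mail_bytes):
    """True if a raw mail or news buffer carries a uuencoded HAPPY99.exe attachment."""
    return UU_HEADER.search(mail_bytes) is not None


def demo():
    """Constructed infected system directory: find artifacts, then restore the DLL."""
    system_dir = tempfile.mkdtemp()
    files = {"WSOCK32.SKA": b"clean wsock32", "WSOCK32.DLL": b"patched wsock32",
             "ska.exe": b"", "Ska.dll": b"", "LISTE.SKA": b""}  # constructed contents
    for name, data in files.items():
        with open(os.path.join(system_dir, name), "wb") as f:
            f.write(data)
    found = find_ska_artifacts(system_dir)
    restored = restore_wsock32(system_dir)
    with open(os.path.join(system_dir, "WSOCK32.DLL"), "rb") as f:
        dll = f.read()
    shutil.rmtree(system_dir)
    return found, restored, dll
```

On a real machine, point `find_ska_artifacts` and `restore_wsock32` at the Windows\System folder and run them with networking stopped, since the patched WSOCK32.DLL cannot be replaced while it is in use.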
4.0 MORE INFORMATION
Last Update April 19, 2001