Happy Virus
- From: Joel Bresler <jbresler...>
- Subject: Happy Virus
- Date: Sun 14 Feb 1999 15.21 (GMT)
Chaverim,
FYI, here is some information on the Happy Virus, which was posted
originally on the 78 mailing list. I have not vetted it, and cannot answer
questions on it.
B'shalom,
Joel
------
>Fortunately, happy.exe is much more an annoyance than a danger to one's
>files. happy.exe gets sent around as an attachment, then rewrites the
>victim's WINSOCK.DLL file. From that point on, it spawns itself and
>floods email and usenet groups without its victim's knowledge.
Hmm. Didn't rewrite MY winsock.dll. Just checked and scanned OK with
McAfee's. Hasn't been modified since 8/24/96. It did pop up a little window
of very hypnotic multicolored fireworks!
-------
>If the worm is detected in your system you can easily get rid of it just by
>deleting the SKA.EXE and SKA.DLL files in the Windows system directory. You
>should also delete the WSOCK32.DLL file and replace it with the original
>WSOCK32.SKA file. The original HAPPY99.EXE file should also be located and
>deleted.
>
>To protect your computer from re-infection you just need to set the Read-Only
>attribute on the WSOCK32.DLL file. The worm does not pay attention to
>Read-Only mode, and fails to patch the file. This trick was discovered by
>Peter Szor at DataFellows (http://www.datafellows.com). The special AVP
>update (HAPPY.AVC database) stops the worm from spreading and protects
>your computer from attack. It is distributed for free and is available on
>the AVP Web sites around the world.
-----------
Here is a description of the Happy99 Worm (a.k.a. Win32/Ska.a) from AVP
(http://www.avp.com):
The first modern Internet Worm discovered in-the-wild
This computer worm is a kind of virus program that does not infect files
to spread its copies, but just sends itself over the Internet as an
attachment to e-mail messages. The worm had been posted by somebody (maybe
by the virus author) to several news servers, and the next day Kaspersky
Labs got the report that it was discovered In-The-Wild in Europe and
continued spreading. We have no reports from the USA and other countries yet.
The worm arrives as an attachment in e-mails as a HAPPY99.EXE file.
Note: the affected sender does know that the worm appends attachments on
sending.
When an infected attachment is executed and gets control, the worm displays
a funny firework in a program window to hide its malicious nature. Meanwhile
it installs itself into the system, hooks sending to the Internet, converts
its code to an attachment and appends it to the messages. As a result, once
the worm is installed into the system it is able to spread its copies to all
the addresses the messages are sent to.
Removal and Protection
If the worm is detected in your system you can easily get rid of it just by
deleting the SKA.EXE and SKA.DLL files in the Windows system directory. You
should also delete the WSOCK32.DLL file and replace it with the original
WSOCK32.SKA file. The original HAPPY99.EXE file should also be located and
deleted.
To protect your computer from re-infection you just need to set the Read-Only
attribute on the WSOCK32.DLL file. The worm does not pay attention to
Read-Only mode, and fails to patch the file. This trick was discovered by
Peter Szor at DataFellows (http://www.datafellows.com). The special AVP
update (HAPPY.AVC database) stops the worm from spreading and protects
your computer from attack. It is distributed for free and is available on
the AVP Web sites around the world.
Easy to Remember
Do not open and do not execute the HAPPY99.EXE file that you have
received as an attachment in any message, even if you get it from a trusted
source. You should also remember: files that you have got from the
Internet can contain malicious code that may infect your computer,
destroy the data, send confidential files to the Internet, or install spy
programs to monitor your computer from a remote host.
Opening MS Office files with Virus Protection disabled and executing
untrusted executable files is extremely risky. You should remember that
each time you see an attachment in an incoming message.
Technical Details
While installing, the worm copies itself to the Windows system directory
under the name SKA.EXE and drops the additional SKA.DLL file in the same
directory. The worm then copies WSOCK32.DLL to WSOCK32.SKA (makes a
"backup") and patches the WSOCK32.DLL file.
If WSOCK32.DLL is in use and cannot be opened for writing, the worm
creates a new key in the system registry to run its dropper on the next
reboot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The WSOCK32.DLL patch consists of a worm initialization routine and two
redirected exports. The initialization routine is just a small piece of
worm code - only 202 bytes. It is written to the end of the WSOCK32.DLL code
section (the ".text" section). WSOCK32.DLL has enough space for that,
and the size of WSOCK32.DLL does not increase during infection.
The worm then patches the WSOCK32.DLL export table so that two functions
("connect" and "send") point to the worm initialization routine at
the end of the WSOCK32.DLL code section.
When a user connects to the Internet, WSOCK32.DLL is activated,
and the worm hooks two events: connection and data sending. The worm
monitors the NNTP and e-mail ports (25 and 119). When it detects a
connection on one of these ports, it loads its SKA.DLL library, which has
two exports: "mail" and "news". Depending on the port number the worm
calls one of these routines, but both of them create a new message,
insert the UUencoded worm HAPPY99.EXE dropper into it, and send it to the
Internet address.
Joel Bresler
250 E. Emerson Rd.
Lexington, MA 02420 USA
Home: 781-862-2432
Home Office: 781-862-4104
FAX: 781-862-0498
Cell: 781-622-0309
Email: jbresler (at) ultra(dot)net
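The removal and protection steps from the AVP write-up ("Removal and Protection" and the RunOnce note under "Technical Details"), turned into a host triage script. This is an added example and not code from the post, from AVP, or from Kaspersky Labs: it builds a throwaway directory standing in for the Windows system directory, populates it with placeholder files carrying the indicator names the write-up gives, reports which indicators are present, applies the removal steps, and clears the write bit on WSOCK32.DLL (chmod standing in for the Windows Read-Only attribute). The RunOnce values are passed in as a plain list so the check runs offline on any platform; that, and the temp-directory layout, are assumptions of the example.

```python
import os
import shutil
import stat
import tempfile

# Indicator names are the ones given in the AVP write-up. The directory layout
# is an assumption: a temp folder stands in for the Windows system directory.
DROPPED_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP_DLL = "WSOCK32.SKA"
TARGET_DLL = "WSOCK32.DLL"
DROPPER_NAME = "HAPPY99.EXE"


def build_sample_system_dir():
    """Create a constructed 'infected' system directory in a temp folder."""
    system_dir = tempfile.mkdtemp(prefix="ska_demo_")
    # Constructed placeholder contents; none of these are real binaries.
    for name in DROPPED_FILES + (DROPPER_NAME,):
        with open(os.path.join(system_dir, name), "wb") as fh:
            fh.write(b"placeholder " + name.encode("ascii"))
    with open(os.path.join(system_dir, BACKUP_DLL), "wb") as fh:
        fh.write(b"clean WSOCK32 (constructed backup copy)")
    with open(os.path.join(system_dir, TARGET_DLL), "wb") as fh:
        fh.write(b"patched WSOCK32 (constructed)")
    return system_dir


def find_indicators(system_dir, runonce_values):
    """Return the host indicators from the write-up that are present.

    runonce_values stands in for the values under the RunOnce registry key
    named in the write-up; a list is used so the check needs no registry.
    """
    present = {n.upper() for n in os.listdir(system_dir)}
    found = [n for n in DROPPED_FILES + (BACKUP_DLL,) if n in present]
    for value in runonce_values:
        if os.path.basename(value).upper() == "SKA.EXE":
            found.append("RunOnce=" + value)
    return found


def clean_and_protect(system_dir):
    """Apply the write-up's removal steps, then make WSOCK32.DLL read-only.

    Returns (remaining files, True if the owner write bit is now cleared).
    chmod stands in for the Windows Read-Only attribute in this example.
    """
    for name in DROPPED_FILES + (DROPPER_NAME,):
        path = os.path.join(system_dir, name)
        if os.path.exists(path):
            os.remove(path)
    target = os.path.join(system_dir, TARGET_DLL)
    backup = os.path.join(system_dir, BACKUP_DLL)
    # Delete the patched DLL and restore the backup the worm itself made.
    os.remove(target)
    shutil.move(backup, target)
    mode = os.stat(target).st_mode
    os.chmod(target, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    read_only = not (os.stat(target).st_mode & stat.S_IWUSR)
    return sorted(os.listdir(system_dir)), read_only


if __name__ == "__main__":
    demo_dir = build_sample_system_dir()
    print("indicators:", find_indicators(demo_dir, ["SKA.EXE"]))
    print("after cleanup:", clean_and_protect(demo_dir))
```

Run it directly to see the indicator list before cleanup and the single remaining, read-only WSOCK32.DLL afterwards. On a real Windows host the same checks would be made against the actual system directory and the RunOnce key rather than the constructed stand-ins.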
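The write-up says the worm spreads by inserting a UUencoded HAPPY99.EXE dropper into outgoing mail and news postings. The script below is an added example, not code from the post or from AVP, showing the mail-gateway side of that description: it extracts UUencoded blocks from a message body and flags attachments with an executable extension, an "MZ" header, or the dropper's file name. The sample message is constructed for the example, and its "attachment" is a dummy byte string beginning with "MZ", not a real program; the header addresses are made up.

```python
import binascii
import re

# Constructed sample: a uuencoded attachment whose body is a dummy
# "MZ"-prefixed blob, not a real program. The message headers are made up.
def uuencode(name, data):
    """Minimal uuencoder, used only to build the sample message."""
    out = ["begin 644 " + name]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        out.append(chunk.decode("ascii").rstrip("\n"))
    out += ["`", "end"]
    return "\n".join(out)


SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed dummy body, not executable code"
SAMPLE_MESSAGE = (
    "From: someone@example.invalid\n"
    "To: list@example.invalid\n"
    "Subject: Happy New Year!\n"
    "\n"
    "Here is a present for you.\n"
    "\n" + uuencode("Happy99.exe", SAMPLE_PAYLOAD) + "\n"
)

BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)\s*$")
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")


def extract_uu_attachments(text):
    """Return [(filename, bytes)] for every uuencoded block in a message."""
    lines = text.splitlines()
    found, i = [], 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name, data, i = m.group(1), bytearray(), i + 1
        while i < len(lines) and lines[i].strip() != "end":
            line = lines[i]
            if line and line != "`":
                # Each line starts with a length character; a2b_uu honours it.
                data += binascii.a2b_uu(line)
            i += 1
        found.append((name, bytes(data)))
        i += 1  # skip the "end" line
    return found


def classify_attachment(name, data):
    """Reasons to flag an attachment, based on the write-up's indicators."""
    reasons = []
    if name.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable extension")
    if data[:2] == b"MZ":
        reasons.append("MZ header")
    if name.lower() == "happy99.exe":
        reasons.append("known dropper name")
    return reasons


def scan_message(text):
    """Return [(filename, reasons)] for attachments worth quarantining."""
    results = []
    for name, data in extract_uu_attachments(text):
        reasons = classify_attachment(name, data)
        if reasons:
            results.append((name, reasons))
    return results


if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_MESSAGE):
        print("flag %s: %s" % (name, ", ".join(reasons)))
```

The name check is case-insensitive because the write-up gives the attachment name in upper case while mailers may preserve whatever case the sender used; the "MZ" check catches a renamed executable that the extension check would miss.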