Happy Virus

[Joel Bresler <jbresler...>]

Chaverim,

FYI, here is some information on the Happy Virus, which was posted
originally on the 78 mailing list. I have not vetted it, and cannot answer
questions on it.

B'shalom,

Joel

------
>Fortunately, happy.exe is much more an annoyance than a danger to one's
>files.  happy.exe gets sent around as an attachment, then rewrites the
>victim's WINSOCK.DLL file.  From that point on, it spawns itself and
>floods email and usenet groups without its victim's knowledge.

Hmm. Didn't rewrite MY winsock.dll. Just checked and scanned OK with
McAfee's. Hasn't been modified since 8/24/96. It did pop up a little window
of very hypnotic multicolored fireworks!
-------
>If the worm is detected in your system you can easy get rid of it just by 
>deleting SKA.EXE and SKA.DLL files in the system Windows directory. You 
>also should delete the WSOCK32.DLL file and replace it with WSOCK32.SKA 
>original file. The original HAPPY99.EXE file should be also located and
>deleted. 
>
>To protect your computer from re-infection you need just to set Read-Only 
>attribute for the WSOCK32.DLL file. The worm does not pay attention to 
>Read-Only mode, and fails to patch the file. This trick was discovered by 
>Peter Szor at DataFellows http://www.datafellows.com The special AVP 
>update (HAPPY.AVC database) allows to stop worm spreading and protect 
>your computer from attach. It is distributed for free and is available on 
>the AVP Web sites on the world.
-----------
Here is a description of the Happy99 Worm (a.k.a. Win32/Ska.a) from AVP 
(http://www.avp.com):

The first modern Internet Worm discovered in-the-wild

This computer worm is a kind of virus programs that does not affect files 
to spread its copies, but just sends itself to the Internet as an attach 
in the e-mail messages. The worm had been posted by somebody (maybe by 
virus author) to several news servers, and on next day Kaspersky labs got 
the report that it was discovered In-The-Wild in Europe and continued 
spreading. We have no reports from USA and other countries yet. 

The worm arrives as an attachment in the e-mails as a HAPPY99.EXE file. 
Note:the affected sender does know that the worm appends attaches on 
sending. 

When an infected attachment is executed and gets control, the worm displays a 
funny firework in a program's window to hide its malicious nature. During 
that it installs itself into the system, hooks sendings to the Internet, 
converts its code to the attach and appends it to the messages. As a 
result the worm being installed into the system is able to spread its 
copies to all the address the messages are sent to. 

Removal and Protection 

If the worm is detected in your system you can easy get rid of it just by 
deleting SKA.EXE and SKA.DLL files in the system Windows directory. You 
also should delete the WSOCK32.DLL file and replace it with WSOCK32.SKA 
original file. The original HAPPY99.EXE file should be also located and
deleted. 

To protect your computer from re-infection you need just to set Read-Only 
attribute for the WSOCK32.DLL file. The worm does not pay attention to 
Read-Only mode, and fails to patch the file. This trick was discovered by 
Peter Szor at DataFellows http://www.datafellows.com The special AVP 
update (HAPPY.AVC database) allows to stop worm spreading and protect 
your computer from attach. It is distributed for free and is available on 
the AVP Web sites on the world. 

Easy to Remember 

Do not open and do not execute the HAPPY99.EXE file that you have 
received as an attach in any message ever if you get it from trusted 
source. You should also remember: the files that you have got from the 
Internet can contain malicious code that may infect your computer, 
destroy the data, send confidential files to the Internet, or install spy
programs to monitor your computer from remote host. 

Opening MS Office files with disabled Virus Protection and executing not 
trusted executable files is extremely risky. You should remember about 
that each time you see an attach in incoming message. 

Technical Details 

While installing the worm copies itself to the Windows system directory 
with the SKA.EXE name and drops the additional SKA.DLL file in the same 
directory. The worm then copies the WSOCK32.DLL with the WSOCK32.SKA name 
(makes a "backup") and patches the WSOCK32.DLL file. 

If the WSOCK32.DLL is in use and cannot be opened for writing, the worm 
creates a new key in the system registry to run its dropper on next 
rebooting: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.
EXE 
The WSOCK32.DLL patch consists of a worm initialization routine and two 
redirected exports. The initialization routine is just a small piece of 
worm code - just 202 bytes. It is saved to the end of WSOCK32.DLL code 
section (".text" section). The WSOCK32.DLL has enough of space for that, 
and the size of WSOCK32.DLL does not increased during infection. 
Then the worm patches the WSOCK32.DLL export tables so that two functions 

("connect" and "send") will point to the worm initialization routine at 
the end of WSOCK32.DLL code section. 

When a user is connecting to the Internet the WSOCK32.DLL is activated, 
and the worm hooks two events: connection and data sending. The worm 
monitors the nntp and email ports (25 and 119). When it detects 
connection by one of these ports, it loads its SKA.DLL library that has 
two exports: "mail" and "news". Depending on the port number the worm 
calls one of these routines, but both of them create a new message, 
insert UUencoded worm HAPPY99.EXE dropper into it, and send to the 
Internet address.


Joel Bresler
250 E. Emerson Rd.
Lexington, MA 02420 USA

Home:   781-862-2432
Home Office:    781-862-4104
FAX:            781-862-0498
Cell:           781-622-0309
Email:          jbresler (at) ultra(dot)net

---------------------- jewish-music (at) shamash(dot)org ---------------------+