Surprise! A legitimate e-mail virus alert

Subject: Surprise! A legitimate e-mail virus alert
From: "Howard, Kathryn" <Kathryn -dot- Howard -at- WESTGROUP -dot- COM>
Date: Tue, 16 Feb 1999 11:04:42 -0600

Sent: Tuesday, February 16, 1999 9:41 AM
To: Product Systems
Subject: Surprise! A legitimate e-mail virus alert

I recently received, via an e-mail listserver, an e-mail with an attachment
called happy99.exe.  I didn't open the attachment.  Lucky me.

The happy99.exe virus is a self-replicating e-mail virus.  When you run it,
you apparently get a lovely fireworks display.  Once run, however,
happy99.exe replaces your WINSOCK.DLL with code that will attach the
happy99.exe executable to every outgoing e-mail, and also apparently does
other sneaky things without your knowledge (newsgroup postings, etc.).  It
also generates heavy network traffic, possibly crashing net servers.

The virus is apparently widespread in Europe, and starting to make its
presence felt here.

If you receive an e-mail with an attachment called happy99.exe, don't open
the attachment.  If you've already done so, you might check out
<> for
self-treatment instructions. 

From the SKA.HTM page:

Ska Virus


This virus is attached to newsgroup and e-mail messages as an attachment
called Happy99.exe. You cannot get infected
with this virus just by reading a newsgroup or e-mail message. You have to
execute the attachment. If you execute
an infected attachment, it will display a firework display.

It will create two files in the Windows System folder, SKA.EXE and SKA.DLL.
SKA.EXE will be a copy of
HAPPY99.EXE. It will make a backup of WSOCK32.DLL under the name of
WSOCK32.SKA. Then it will modify
WSOCK32.DLL so it will try to access SKA.DLL under certain circumstances. It
does not modify any other file besides
WSOCK32.DLL. WSOCK32.DLL is a regular part of Windows that provides a
connnection to the Internet. If it is unable to
modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the
registry and WSOCK32.DLL will be
modified next time the computer starts. The modified WSOCK32.DLL will attach
HAPPY99.EXE to a second copy of
outgoing newsgroup and e-mail messages. This second copy will have the same
subject and recipient, but it will have an empty
body. This virus will keep a list of message recipients in the file
LISTE.SKA in the Windows System folder.

In my tests(sending an e-mail to myself:) this virus attached itself to a
second copy of the e-mail message, with no problems
and a barely noticeable delay. The outgoing message contains the header

X-Spanska: Yes

but this is normally not visible.

This virus does not steal passwords, as some sources have reported. It does
not contain any payload other than the fireworks
display. However, it could overload an e-mail server if a lot of copies get
passed around. Also, since it gets passed along a lot,
a different virus could attach to HAPPY99.EXE somewhere along the way.
Without SKA.DLL and SKA.EXE, the modified
WSOCK32.DLL cannot perform any viral action. However using a modified
WSOCK32.DLL could cause problems while
on the Internet. Restoring the original WSOCK32.DLL will correct these

This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV.
However, someone using one of those could
pass it along manually, for example by forwarding the message. I don't have
a Windows NT machine to test it on, but I have
reports that it will create SKA.EXE and SKA.DLL, but will fail to add itself
to the registry or modify WSOCK32.DLL.

Some people have asked whether it is always called HAPPY99.EXE. This virus
doesn't contain any code to change the name.
However, it would be simple for a person to change it to anything they like.


From ??? -at- ??? Sun Jan 00 00:00:00 0000

Previous by Author: Re: Research Triangle Park, NC area - What Land of Milk and Honey ??!?
Next by Author: Re: Re[2]: HTML and CSS
Previous by Thread: Job openings, Mt. View California
Next by Thread: Surprise! A legitimate e-mail virus victim

What this post helpful? Share it with friends and colleagues:

Sponsored Ads