CHOMSKY Archives

The philosophy, work & influences of Noam Chomsky

CHOMSKY@LISTSERV.ICORS.ORG

From: "F. Leon Wilson" <[log in to unmask]>
Reply To: The philosophy, work & influences of Noam Chomsky
Date: Tue, 22 Jun 1999 18:41:58 -0400

CHOMSKY Members:

The message sent by Luis Carneiro <[log in to unmask]>

Luis Alberto Carneiro
Behavioural (Neuro)Endocrinology of Teleost Fishes
Unidade de investigacao em Eco-Etologia
ISPA
Rua Jardim do Tabaco, 34
1149 - 041 Lisboa
PORTUGAL

Contains the HAPPY99.EXE WORM (virus)

Delete the MESSAGE from your system.

Happy99 is NOT a virus, it is a worm, also known as W32/Ska. One important
reason to realize this is to also realize that the people sending it to
your list are probably not doing so intentionally, but have infected
computers themselves.

This is from AVERT - A Division of NAI Labs. See full info at
<http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.htm>

W32/Ska is a worm that was first posted to several newsgroups
 and has been reported to several of the AVERT Labs locations
 worldwide. When this worm is run it displays a message "Happy
 New Year 1999!!" and displays "fireworks" graphics. The posting on
 the newsgroups has led to its propagation. It can also spread on
 its own, as it can attach itself to a mail message and be sent
 unknowingly by a user. Because of this attribute it is also
 considered to be a worm.

 AVERT cautions all users who may receive the attachment
 via email to simply delete the mail and the attachment.

 The worm infects a system via email delivery and arrives as an
 attachment called Happy99.EXE. It is sent unknowingly by a user.
 When the program is run it deploys its payload displaying fireworks
 on the user's monitor.

 Note: At this time no destructive payload has been discovered.

 When the Happy.EXE is run it copies itself to Windows\System
 folder under the name SKA.EXE. It then extracts, from within
 itself, a DLL called SKA.DLL into the Windows\System folder if one
 does not already exist.

 Note: Though the SKA.EXE file is a copy of the original it does
 not run as the Happy.EXE file does, so it does not copy itself
 again, nor does it display the fireworks on the user's monitor.

 The worm then checks for the existence of WSOCK32.SKA in the
 Windows\System folder, if it does not exist and the file
 WSOCK32.DLL does exist, it copies the WSOCK32.DLL to
 WSOCK32.SKA.

 The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"

 - which will execute SKA.EXE the next time the system is
 restarted. When this happens the worm patches WSOCK32.DLL
 and adds hooks to the exported functions EnumProtocolsW and
 WSAAsyncGetProtocolByName.

 The patched code calls two exported functions in SKA.DLL called
 mail and news, these functions allow the worm to attach itself to
 SMTP e-mail and also to any postings to newsgroups the user
 makes.

You will find the Happ99cleaner and several other anti-virus
freeware/shareware at:

<http://www.winfiles.com/apps/98/antivirus.html>

For more information see:

<http://www.symantec.com/avcenter/venc/data/happy99.worm.html>

This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file is
usually named HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy New
Year 1999 !!" showing a firework display to disguise its other actions.

The program copies itself as SKA.EXE and extracts a DLL that it carries as
SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98.

The modification to WSOCK32.DLL allows the worm routine to be triggered
when a connect or send activity is detected. When such online activity
occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a
new email or a new article with UUENCODED HAPPY99.EXE inserted into the
email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.


Removing the worm manually:

1. delete WINDOWS\SYSTEM\SKA.EXE

2. delete WINDOWS\SYSTEM\SKA.DLL

3. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK

4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL

5. delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you from doing steps #3 and #4 above if the machine is still
connected to the Internet. The file "windows\system\wsock32.dll" is used
whenever the machine is connected to Internet (i.e. through dial-up or LAN
connection).


If you are using dial-up connection (i.e. America Online), you need to do
the following:

1. terminate internet connection

2. delete WINDOWS\SYSTEM\SKA.EXE

3. delete WINDOWS\SYSTEM\SKA.DLL

4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK

5. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL

6. delete the downloaded file, usually named HAPPY99.EXE


If you are connected to Internet through LAN (i.e. in the office or cable
modem), you need to do the following:

1. From the Start menu, select shutdown-restart in MS DOS mode

2. type CD \windows\system when DOS prompt (C:\) appears

3. type RENAME WSOCK32.DLL WSOCK32.BAK

4. type RENAME WSOCK32.SKA WSOCK32.DLL

5. type DEL SKA.EXE

6. type DEL SKA.DLL


Full legal actions will be pursued against this person.

I am very sorry for the problems, but that is the type of world we are
living in.



F. Leon Wilson
CHOMSKY List Owner
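
An added example, not part of the original message or of the AVERT and Symantec text it quotes: a Python triage of an offline copy of the WINDOWS\SYSTEM folder that looks for the files named above and lists the cleanup steps in the message's order, skipping the WSOCK32.DLL rename when no WSOCK32.SKA exists to restore from. The function names, the `runonce_values` parameter and the sample folder are assumptions constructed for illustration.

```python
import os
import tempfile

# File names come from the advisory text above. Matching is case-insensitive
# because Windows 95/98 file names are.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP, WINSOCK = "WSOCK32.SKA", "WSOCK32.DLL"


def triage(system_dir, runonce_values=()):
    """Return (findings, plan) for an offline copy of WINDOWS\\SYSTEM."""
    present = {name.upper(): name for name in os.listdir(system_dir)}
    findings = [name for name in WORM_FILES + (BACKUP,) if name in present]
    # A RunOnce value naming SKA.EXE means the patch is queued for next boot.
    findings += ["RunOnce: " + v for v in runonce_values if "ska.exe" in v.lower()]
    if not findings:
        return [], []
    plan = ["delete " + present[n] for n in WORM_FILES if n in present]
    if BACKUP in present:
        # Set the current DLL aside only when the saved original exists;
        # otherwise the machine is left with no WSOCK32.DLL at all.
        if WINSOCK in present:
            plan.append("rename %s to WSOCK32.BAK" % present[WINSOCK])
        plan.append("rename %s to WSOCK32.DLL" % present[BACKUP])
    else:
        plan.append("no WSOCK32.SKA found: do not rename WSOCK32.DLL; "
                    "compare it with a known-good copy")
    return findings, plan


def demo():
    """Run triage over a constructed folder that mimics a patched system."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Ska.exe", "ska.dll", "wsock32.dll", "WSOCK32.SKA", "USER.EXE"):
            open(os.path.join(d, name), "wb").close()
        return triage(d, runonce_values=["Ska.exe"])


if __name__ == "__main__":
    found, steps = demo()
    print("findings:", found)
    for i, step in enumerate(steps, 1):
        print("%d. %s" % (i, step))
```
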
