BULLAMANKA-PINHEADS Archives

The listserv where the buildings do the talking

BULLAMANKA-PINHEADS@LISTSERV.ICORS.ORG

From: Thomas Gale <[log in to unmask]>
Date: Fri, 29 Jan 1999 07:35:51 -0500

Here is some information I got from a friend who was also apologizing for sending along the bug. Fortunately, I hadn't had time to open the file yet, so it was destroyed before it could do any damage to my machine.

<Begin quote>
There is a new virus that has been verified and identified by both Norton (Symantec) and McAfee. It is being sent as an attachment through email. It is called Happy.exe. We do not know where it started.

"We" are members of an online stationery mailing list that received this file several days ago. It showed up on a member's email as an attachment. Those who attempted to open it inadvertently allowed the virus to go to work. It attaches itself through a series of files it creates and then allows itself to be automatically resent each time the user composes new email. Norton and McAfee have received a copy of the virus to study, since neither program picked it up as a virus.

I am enclosing a copy of the instructions sent to the mailing list on how to ensure the virus is not resident on your system. Not knowing the origin, it is possible you could have received it from anywhere.

                               Virus Alert!
 The first modern Internet Worm discovered in-the-wild

 This computer worm is a kind of virus program that does not infect files to spread its copies, but just sends itself to the Internet as an attachment in e-mail messages. The worm had been posted by somebody (maybe by the virus author) to several news servers, and on the next day Kaspersky Labs got the report that it was discovered In-The-Wild in Europe and continued spreading. We have no reports from the USA and other countries yet.

 The worm arrives as an attachment in e-mails as a HAPPY99.EXE file. Note: the affected sender does not know that the worm appends attachments on sending.

 When an infected attachment is executed and gets control, the worm displays a funny firework in a program window to hide its malicious nature. During that it installs itself into the system, hooks sending to the Internet, converts its code to an attachment and appends it to the messages. As a result, the worm, once installed into the system, is able to spread its copies to all the addresses the messages are sent to.

 Removal and Protection

 If the worm is detected in your system you can easily get rid of it just by deleting the SKA.EXE and SKA.DLL files in the Windows system directory. You should also delete the WSOCK32.SKA file and replace it with the original WSOCK32.DLL file. The original HAPPY99.EXE file should also be located and deleted.

 To protect your computer from re-infection you just need to set the Read-Only attribute on the WSOCK32.DLL file. The worm does not pay attention to Read-Only mode, and fails to patch the file. This trick was discovered by Peter Szor at DataFellows, http://www.datafellows.com

 The special AVP update (HAPPY.AVC database) allows you to stop the worm spreading and protect your computer from the attachment. It is distributed for free and is available on AVP Web sites around the world.

 Easy to Remember

 Do not open and do not execute the HAPPY99.EXE file that you have received as an attachment in any message, even if you get it from a trusted source. You should also remember: the files that you have got from the Internet can contain malicious code that may infect your computer, destroy the data, send confidential files to the Internet, or install spy programs to monitor your computer from a remote host.

 Opening MS Office files with VirusProtection disabled and executing untrusted executable files is extremely risky. You should remember that each time you see an attachment in an incoming message.

 Technical Details

 While installing, the worm copies itself to the Windows system directory with the SKA.EXE name and drops the additional SKA.DLL file in the same directory. The worm then copies the WSOCK95.DLL with the WSOCK95.SKA name (makes a "backup") and patches the WSOCK95.DLL file.

 If the WSOCK32.DLL is in use and cannot be opened for writing, the worm creates a new key in the system registry to run its dropper on the next reboot:

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

 The WSOCK32.DLL patch consists of a worm initialization routine and two redirected exports. The initialization routine is just a small piece of worm code - just 202 bytes. It is saved to the end of the WSOCK32.DLL code section (".text" section). The WSOCK95.DLL has enough space for that, and the size of WSOCK32.DLL does not increase during infection.

 Then the worm patches the WSOCK32.DLL export tables so that two functions ("connect" and "send") will point to the worm initialization routine at the end of the WSOCK32.DLL code section.

 When a user is connecting to the Internet the WSOCK32.DLL is activated, and the worm hooks two events: connection and data sending. The worm monitors the nntp and email ports (25 and 119). When it detects a connection on one of these ports, it loads its SKA.DLL library, which has two exports: "mail" and "news". Depending on the port number the worm calls one of these routines, but both of them create a new message, insert the UUencoded worm HAPPY99.EXE dropper into it, and send it to the Internet address.
<End quote>


Again, the file that attaches is called Happy.exe. If you receive this as an attachment, automatically delete the entire message, complete the steps above and then update your antivirus files. As soon as Norton and McAfee dissect the virus they will update their antivirus files for download.

You may forward this message, as we do not know how many folks may be receiving this attachment and sending it along inadvertently.
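As an added example, not part of this message and not a Kaspersky or DataFellows tool, the following Python turns the "Technical Details" above into a check: it walks a WSOCK32.DLL export table and flags the two signs the alert describes, "connect" and "send" both redirected to one 202-byte stub in the tail of the .text section, and, when the worm's own WSOCK32.SKA backup is available, any export whose address differs between backup and current file. It assumes only what the alert states (the stub size, the two export names, the backup name); the build_dll fixture and the CLEAN/PATCHED images are constructed here so the check runs offline, and the "last 202 bytes of .text" rule is a heuristic for this worm's layout, not a general signature.

```python
import struct

HOOKED = ("connect", "send")  # exports the alert says are redirected
STUB_LEN = 202                # size of the worm's init routine, per the alert


def parse_exports(pe):
    """Return ({export name: RVA}, [(name, va, vsize, rawsize, rawptr)]) for a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    exp_rva = struct.unpack_from("<I", pe, opt + (96 if magic == 0x10B else 112))[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawsize, rawptr))

    def rva2off(rva):  # map an RVA to a file offset through the section table
        for _, va, vsize, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"rva {rva:#x} not in any section")

    d = rva2off(exp_rva)
    nnames, afuncs, anames, aords = struct.unpack_from("<IIII", pe, d + 24)
    funcs, names, ords = rva2off(afuncs), rva2off(anames), rva2off(aords)
    exports = {}
    for i in range(nnames):
        ordinal = struct.unpack_from("<H", pe, ords + 2 * i)[0]
        no = rva2off(struct.unpack_from("<I", pe, names + 4 * i)[0])
        exports[pe[no:pe.index(b"\0", no)].decode()] = struct.unpack_from("<I", pe, funcs + 4 * ordinal)[0]
    return exports, sections


def happy99_indicators(pe, backup=None):
    """Heuristics derived from the alert's description; returns findings (empty = nothing matched)."""
    exports, sections = parse_exports(pe)
    findings = []
    rvas = {n: exports.get(n) for n in HOOKED}
    # Two distinct exports resolving to one address: both hooked into the same stub.
    if None not in rvas.values() and len(set(rvas.values())) == 1:
        findings.append(f"connect and send both resolve to {rvas['connect']:#x}")
    text = next((s for s in sections if s[0] == ".text"), None)
    if text:
        end = text[1] + max(text[2], text[3])  # end of .text in RVA space
        for n, r in rvas.items():
            if r is not None and end - STUB_LEN <= r < end:
                findings.append(f"{n} points into the last {STUB_LEN} bytes of .text ({r:#x})")
    if backup is not None:  # the worm's own WSOCK32.SKA copy, if it was left behind
        orig, _ = parse_exports(backup)
        for n in HOOKED:
            if n in orig and orig[n] != exports.get(n):
                findings.append(f"{n}: backup {orig[n]:#x} != current {exports.get(n):#x}")
    return findings


SECTION_VA, SECTION_RAW = 0x1000, 0x200


def build_dll(exports, text_size):
    """Constructed fixture (not a real wsock32.dll): minimal PE32 DLL, one .text section with an export table."""
    names = sorted(exports)  # name table must be sorted, as real linkers emit it
    n = len(names)
    off_funcs, off_names = 40, 40 + 4 * n
    off_ords, off_str = off_names + 4 * n, off_names + 6 * n
    text = bytearray(text_size)
    struct.pack_into("<IIHHIIIIIII", text, 0, 0, 0, 0, 0, 0, 1, n, n,
                     SECTION_VA + off_funcs, SECTION_VA + off_names, SECTION_VA + off_ords)
    pos = off_str
    for i, nm in enumerate(names):
        struct.pack_into("<I", text, off_funcs + 4 * i, exports[nm])
        struct.pack_into("<I", text, off_names + 4 * i, SECTION_VA + pos)
        struct.pack_into("<H", text, off_ords + 2 * i, i)
        text[pos:pos + len(nm) + 1] = nm.encode() + b"\0"
        pos += len(nm) + 1
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<III", 16, SECTION_VA, pos)
    opt += bytes(224 - len(opt))                                    # export dir at opt+96
    sect = struct.pack("<8sIIII16s", b".text", text_size, SECTION_VA, text_size, SECTION_RAW, bytes(16))
    img = bytearray(dos + b"PE\0\0" + coff + opt + sect)
    img += bytes(SECTION_RAW - len(img)) + text
    return bytes(img)


# Constructed samples: a clean table, and one patched the way the alert describes.
CLEAN = build_dll({"connect": 0x1400, "send": 0x1480, "recv": 0x1500, "closesocket": 0x1580}, 0x1000)
PATCHED = build_dll({"connect": 0x2000 - STUB_LEN, "send": 0x2000 - STUB_LEN,
                     "recv": 0x1500, "closesocket": 0x1580}, 0x1000)

if __name__ == "__main__":
    print("clean:  ", happy99_indicators(CLEAN))
    print("patched:", happy99_indicators(PATCHED, backup=CLEAN))
```

On a real machine you would pass the bytes of WSOCK32.DLL (and of WSOCK32.SKA, if present) from the Windows system directory instead of the constructed images; the comparison against the backup is the most reliable of the three checks, since it does not depend on where in .text the stub landed.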
