CHOMSKY Archives

The philosophy, work & influences of Noam Chomsky

CHOMSKY@LISTSERV.ICORS.ORG

Subject:
From: James Doucette <[log in to unmask]>
Reply To: The philosophy, work & influences of Noam Chomsky
Date: Wed, 3 Mar 1999 14:16:51 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (80 lines)

Here's how to kill it off.

http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.asp

W32/Ska (A.K.A. Happy99.exe) 

W32/Ska is a worm that was first posted to several newsgroups and has been
reported to several of the AVERT Labs locations worldwide. When this worm
is run it displays a message "Happy New Year 1999!!" and displays
"fireworks" graphics. The posting on the newsgroups has led to its
propagation. It can also spread on its own, as it can attach itself to a
mail message and be sent unknowingly by a user. Because of this attribute
it is also considered to be a worm.

AVERT cautions all users who may receive the attachment via email to simply
delete the mail and the attachment. The worm infects a system via email
delivery and arrives as an attachment called Happy99.EXE. It is sent
unknowingly by a user. When the program is run it deploys its payload,
displaying fireworks on the user's monitor.

Note: At this time no destructive payload has been discovered.

When the Happy.EXE is run it copies itself to Windows\System folder under
the name SKA.EXE. It then extracts, from within itself, a DLL called
SKA.DLL into the Windows\System folder if one does not already exist.

Note: Though the SKA.EXE file is a copy of the original it does not run as
the Happy.EXE file does, so it does not copy itself again, nor does it
display the fireworks on the user's monitor.

The worm then checks for the existence of WSOCK32.SKA in the Windows\System
folder; if it does not exist and the file WSOCK32.DLL does exist, it
copies the WSOCK32.DLL to WSOCK32.SKA.

The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"

- which will execute SKA.EXE the next time the system is restarted. When
this happens the worm patches WSOCK32.DLL and adds hooks to the exported
functions EnumProtocolsW and WSAAsyncGetProtocolByName. 

The patched code calls two exported functions in SKA.DLL called mail and
news; these functions allow the worm to attach itself to SMTP e-mail and
also to any postings to newsgroups the user makes.

AVERT has made detection for the worm available for all Network Associates
VirusScan products. Please choose from the links below to download the
product you need.

Click here <http://www.avertlabs.com/public/datafiles/HRLYDATS.ZIP>
for McAfee VirusScan 3 (hrlydats).

Click here <http://www.avertlabs.com/public/datafiles/4xupdates.asp>
for McAfee VirusScan 4 (current dat).

Click here <http://www.avertlabs.com/public/datafiles/extra/w32ska-7.zip>
for Dr Solomon's AVTK (extra driver).

© 1998, Network Associates, Inc. and its affiliated Companies. All
Rights Reserved. <http://www.nai.com/about/copyright/>
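
The file and registry indicators named in the advisory above, turned into a host check. This is an added example, not part of the original post or of AVERT's tooling; the function names and the dict form of the RunOnce input are assumptions, and the sample files are constructed.

```python
import hashlib
from pathlib import Path

# File names the advisory says the worm leaves in Windows\System.
DROPPED = ("SKA.EXE", "SKA.DLL")
BACKUP, LIVE = "WSOCK32.SKA", "WSOCK32.DLL"
RUNONCE_VALUE = "ska.exe"


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_system_dir(system_dir):
    """Return findings for a Windows\\System directory (live or mounted image)."""
    # Index by upper-cased name: Windows names are case-insensitive, but an
    # image mounted on another OS may not be.
    files = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings = [f"dropped file present: {n}" for n in DROPPED if n in files]
    if BACKUP in files:
        findings.append(f"backup copy present: {BACKUP}")
        if LIVE not in files:
            findings.append(f"{LIVE} missing while {BACKUP} exists")
        elif _sha256(files[LIVE]) != _sha256(files[BACKUP]):
            # The backup is taken before patching, so a mismatch means
            # WSOCK32.DLL was modified after the copy was made.
            findings.append(f"{LIVE} differs from {BACKUP} (modified after backup)")
    return findings


def check_runonce(values):
    """values: RunOnce value name -> data, e.g. parsed from a registry export."""
    return [f"RunOnce entry: {name}={data}" for name, data in values.items()
            if name.lower() == RUNONCE_VALUE
            or str(data).strip('"').lower() == RUNONCE_VALUE]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample directory
        for name, body in [("Ska.exe", b"x"), ("ska.dll", b"y"),
                           ("wsock32.ska", b"original"), ("WSOCK32.DLL", b"patched")]:
            (Path(d) / name).write_bytes(body)
        for line in check_system_dir(d) + check_runonce({"Ska.exe": "Ska.exe"}):
            print(line)
```

A hash mismatch only shows that WSOCK32.DLL changed after the backup was taken; a legitimate update to the DLL would produce the same finding, so treat it together with the other indicators.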
