
VIRUS FIX

Posted: Fri Feb 17, 2012 5:18 pm
by Mike Davis
Received: from default ([207.53.188.134]) by mail.Ritzcom.net
(Post.Office MTA v3.5.3 release 223 ID# 0-12345L500S10000V35)
with SMTP id net for <murphy-rebel@dcsol.com>;
Sat, 6 Mar 1999 07:40:33 -0800
Message-Id: <3.0.3.32.19990306073708.006a73a4@ritzcom.net>
X-Sender: coyote@ritzcom.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sat, 06 Mar 1999 07:37:08 -0800
To: murphy-rebel@dcsol.com
From: Coyote Flats Farms <coyote@ritzcom.net>
Subject: VIRUS FIX
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

You may have recently received an e-mail with worm virus Happy99.exe
attached.
Please read the information below about the virus and how to remove it.
This virus is the current hot virus spreading around the U.S. It is not a
dangerous virus, only an extremely annoying one. Good Luck!!


Ska Virus Information

This virus is attached to newsgroup and e-mail messages as an attachment
called Happy99.exe. You cannot get infected with this virus just by reading
a newsgroup or e-mail message. You have to execute the attachment.
It will create two files in the Windows System folder, SKA.EXE and
SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will make a backup of
WSOCK32.DLL under the name of WSOCK32.SKA. Then it will modify WSOCK32.DLL
so it will try to access SKA.DLL under certain circumstances. It does not
modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a regular part of
Windows that provides a connection to the Internet. If it is unable to
modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the
registry and WSOCK32.DLL will be modified next time the computer starts.
The modified WSOCK32.DLL will attach HAPPY99.EXE to a second copy of
outgoing newsgroup and e-mail messages. This second copy will have the same
subject and recipient, but it will have an empty body. This virus will keep
a list of message recipients in the file LISTE.SKA in the Windows System
folder.
In my tests (sending an e-mail to myself :) this virus attached itself to a
second copy of the e-mail message, with no problems and a barely noticeable
delay. The outgoing message contains the header "X-Spanska: Yes" but this is
normally not visible.

This virus does not steal passwords, as some sources have reported. It
does not contain any payload other than the fireworks display. However, it
could overload an e-mail server if a lot of copies get passed around. Also,
since it gets passed along a lot, a different virus could attach to
HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the
modified WSOCK32.DLL cannot perform any viral action. However, using a
modified WSOCK32.DLL could cause problems while on the Internet. Restoring
the original WSOCK32.DLL will correct these problems.
This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV.
However, someone using one of those could pass it along manually, for
example by forwarding the message. I don't have a Windows NT machine to
test it on, but I have reports that it will create SKA.EXE and SKA.DLL, but
will fail to add itself to the registry or modify WSOCK32.DLL.
Some people have asked whether it is always called HAPPY99.EXE. This virus
doesn't contain any code to change the name. However, it would be simple
for a person to change it to anything they like.
It contains the encrypted text: "Is it a virus, a worm, a trojan?
MOUT-MOUT Hybrid (c) Spanska 1999."


Removal

Steps marked optional are not absolutely necessary and are completely safe
to skip.

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode",
then click Yes. It's important to do this so you can make the necessary
changes.

2. At the DOS prompt type this exactly and press enter at the end of each
line:

    CD \WINDOWS\SYSTEM

If your Windows folder is not called WINDOWS then substitute the name
of your Windows folder instead, for example: CD \WIN95\SYSTEM

3. Delete SKA.EXE and SKA.DLL by typing: DEL SKA.EXE (ENTER) and then
DEL SKA.DLL (ENTER)

If you get "File not found" you're either not infected or in the wrong
directory. Make sure you're in your Windows System directory; check to see
if you followed step 2 exactly.

4. Copy WSOCK32.SKA to WSOCK32.DLL by typing:

    COPY WSOCK32.SKA WSOCK32.DLL

Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL made by
the virus. You are replacing the modified DLL with the original.

5. Optional: Delete WSOCK32.SKA by typing: DEL WSOCK32.SKA

You can leave WSOCK32.SKA on your system. It is a copy of your
original WSOCK32.DLL. Do not delete WSOCK32.SKA if you are unable to
replace WSOCK32.DLL with WSOCK32.SKA.

6. Return to Windows by typing: EXIT

7. Optional: Click Start, then Run, then type regedit in the text box,
then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft,
then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and
select it if it is there. Press delete and then click Yes. Close Regedit.
Don't change anything else without making a backup of the registry first.
If you don't find SKA.EXE in the registry, it doesn't mean you're not
infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable
to modify WSOCK32.DLL when you run it.

8. Optional: Choose Start, Programs, Accessories, Notepad, choose File,
then Open, then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box.
Warn the people on the list, then delete LISTE.SKA.
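
Added example, not part of the original post: a Python check that applies the mail-side indicators described above (the X-Spanska header, the Happy99.exe attachment, the empty body, and the repeated subject and recipient) to a list of raw outgoing messages. The sample messages are constructed, their MIME layout is an assumption, and the function names are hypothetical.

```python
import email
from email import policy

# Constructed sample outbox (not captured traffic). The MIME layout of the
# second copy is an assumption; the post gives only the header, attachment
# name and empty body. Function names below are hypothetical.
ORIGINAL = ("To: bob@example.org\r\nSubject: Wing rib jig\r\n\r\n"
            "Photos to follow.\r\n")
SECOND_COPY = (
    "To: bob@example.org\r\nSubject: Wing rib jig\r\n"
    "X-Spanska: Yes\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\n\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="Happy99.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n"
)

def ska_indicators(raw):
    """Return the indicators from the post that one raw message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if msg.get("X-Spanska") is not None:   # header mail clients normally hide
        hits.append("x-spanska-header")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if "happy99.exe" in names:             # name can be changed: weak on its own
        hits.append("happy99-attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if names and not text.strip():
        hits.append("empty-body-with-attachment")
    return hits

def flag_outbox(raw_messages):
    """Flag messages; note an empty-bodied copy repeating an earlier To/Subject."""
    seen, flagged = set(), []
    for index, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw, policy=policy.default)
        key = (str(msg["To"]), str(msg["Subject"]))
        hits = ska_indicators(raw)
        if key in seen and "empty-body-with-attachment" in hits:
            hits.append("repeats-earlier-recipient-and-subject")
        seen.add(key)
        if hits:
            flagged.append((index, hits))
    return flagged

if __name__ == "__main__":
    print(flag_outbox([ORIGINAL, SECOND_COPY]))
```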

VIRUS FIX

Posted: Fri Feb 17, 2012 5:18 pm
by Mike Davis
Received: from ibm ([209.162.145.134])
by mail.wa.freei.net (8.9.1/8.9.1) with SMTP id XAA18301
for <murphy-rebel@dcsol.com>; Sat, 6 Mar 1999 23:43:01 -0800 (PST)
(envelope-from Chas@wa.freei.net)
Message-ID: <000a01be686d$ee1f3860$8691a2d1@ibm>
From: "Charles Skorupa" <Chas@wa.freei.net>
To: "Murphy Rebel" <murphy-rebel@dcsol.com>
Subject: Re: VIRUS FIX
Date: Sat, 6 Mar 1999 23:40:57 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0

Thanks for the fix.... and thanks for the prompt alert. I indeed was
infected but the prompt action by the group saved the day.

- Chuck Skorupa -