Scouts-L Mail Archive for February of 1999: Re: ADMINISTRATIVE: WARNING!!!
Sat, 27 Feb 1999 00:28:56 -0500
If any of you have opened the happy99.exe file that was attached to a
posting to Scouts-L, you may want to read the following information.
References to anti-virus websites are included along with instructions for
removal of the worm program.
Yet another new virus is making its way through the Internet and may
find its way to your Inbox... Symantec (Norton) calls it "HAPPY99.EXE",
Network Associates (McAfee) "Win32/SKA".
WHAT'S AFFECTED: Win 95/98
"HAPPY99.EXE" is a worm. Discovered in newsgroups in January 1999,
its main claim to fame is its ability to attach itself covertly to
outbound e-mail as an attachment, by using a modified DLL file.
NOTE: YOU CANNOT BECOME INFECTED BY JUST READING A NEWSGROUP MAIL ITEM,
YOU MUST EXECUTE THE ATTACHMENT TO INFECT YOUR SYSTEM!!
TECHY SECTION (short version):
Upon initial infection, the virus will display the message "Happy New
Year 1999" and show a fireworks animation. The infection process then
involves adding 2 files to the \windows\system folder, substituting a
windows DLL with its own (but saving the original), and creating a
Once the workstation infection is completed, a copy of HAPPY99.EXE
is appended covertly to all outbound newsgroup/e-mail messages.
WHAT DETECTS IT:
> McAfee VirusScan: See reference for special DAT file update
> Norton Antivirus: Use sig files dated 28 Jan 99 or later
MANUAL REMOVAL PROCEDURE
1. Determine addressees that may have been sent HAPPY99.EXE
in outbound e-mail:
Start NOTEPAD.EXE and open LISTE.SKA (c:\windows\system folder)
This file will contain the e-mail address of everyone sent a copy
of the virus. (GOOD IDEA TO WARN THEM!!)
2. Start REGEDIT and remove entry if present:
- Click "Start", "Run" type "REGEDIT"
- Navigate to following key;
- Delete entry for SKA.EXE
3. Place workstation in MS-DOS mode:
Click "Start", "Shutdown",
select "Restart the computer in MS-DOS mode"
4. Change to the \WINDOWS\SYSTEM folder:
5. Delete these files:
SKA.EXE SKA.DLL WSOCK32.DLL
6. Rename WSOCK32.SKA:
ren wsock32.ska WSOCK32.DLL
7. Return to Windows mode:
Type "EXIT", depress key
E-MAIL USE GUIDELINES:
1. Never open/execute EXE or COM-type attachments if you don't know the
sender! Avoid grief..delete the message. (Who ya gonna upset?)
2. Never open/execute EXE or COM-type attachments if you KNOW the sender
but WEREN'T expecting the file. Call/or e-mail it back if no
explanation is given. (How much do YOU trust that person...?)
3. If your anti-virus software doesn't automatically scan attachments,
save them to your hard drive first, then scan them.
> Network Associates:
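
A triage check for the artifacts named in the manual removal procedure above, as an added example that is not part of the original posting. It reports which of the listed files are present, whether the WSOCK32.SKA backup exists before WSOCK32.DLL is deleted in step 5, and which addresses LISTE.SKA holds. The function names, the sample directory and the assumption that LISTE.SKA stores addresses as plain text are this example's own.

```python
import os
import re
import tempfile

# File names taken from the removal procedure in the message above.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP_DLL = "WSOCK32.SKA"    # original DLL saved by the worm
ACTIVE_DLL = "WSOCK32.DLL"    # replaced by the worm's modified copy
RECIPIENT_LOG = "LISTE.SKA"   # addresses that were sent a copy

# Assumption: addresses appear in LISTE.SKA as plain text; the exact layout is not given.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage(system_dir):
    """Report which HAPPY99 artifacts exist in system_dir (names matched case-insensitively)."""
    present = {name.upper(): name for name in os.listdir(system_dir)}
    found = [f for f in WORM_FILES + (BACKUP_DLL, RECIPIENT_LOG) if f in present]
    recipients, seen = [], set()
    if RECIPIENT_LOG in present:
        path = os.path.join(system_dir, present[RECIPIENT_LOG])
        with open(path, "r", encoding="latin-1") as fh:
            for addr in ADDRESS_RE.findall(fh.read()):
                if addr.lower() not in seen:      # report each addressee once
                    seen.add(addr.lower())
                    recipients.append(addr)
    return {
        "infected": any(f in present for f in WORM_FILES),
        "found": found,
        # Step 5 deletes WSOCK32.DLL; that is only safe if the backup exists for step 6.
        "safe_to_delete_wsock32": BACKUP_DLL in present,
        "recipients": recipients,
    }


def demo():
    """Build a constructed sample directory and run the triage on it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ska.exe", "Ska.dll", "wsock32.dll", "wsock32.ska"):
            open(os.path.join(d, name), "wb").close()
        with open(os.path.join(d, "liste.ska"), "w") as fh:
            fh.write("alice@example.org\nnews:bob@example.net\nalice@example.org\n")
        return triage(d)


if __name__ == "__main__":
    print(demo())
```

If "safe_to_delete_wsock32" is False, deleting WSOCK32.DLL would leave nothing to rename in step 6, so obtain a clean copy of the DLL before continuing.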