Re: Happy99.exe

Author: ACC/VTS (acc_at_pertus.com.pl)
Date: Mon 15 Feb 1999 - 16:32:06 MET


Does ACC/VTS remember writing something like this?

>Not only you, a certain "Tomu$" also sometimes posted this file to the group.
>I can't check, because I don't use news, only an e-mail
>gateway, but you probably both use MS Outlook ;))
>
>This doesn't happen in decent mailers ;)
Sorry about that Outlook remark - only when I downloaded my mail did I learn
about this virus; besides, people on the group also wrote about what this contraption is.

By way of explanation, I'll quote the information I got from one wholesaler.
(I cut out the advertisement for the antivirus program. The text may be badly
formatted, because I cut it out of HTML.)

Happy99, ska trojan virus.
Information about the happy99, ska Trojan:

Happy99 is a Win32 based Trojan program. When this program is
executed it will display some fireworks. Apart from the fireworks
display this program will do some other activity in the background
without the user's permission. In the background this program will
create two files SKA.EXE and SKA.DLL. It will alter WSOCK32.DLL to put
its code into that file and keep the original file as WSOCK32.SKA. It
can not modify the WSOCK32.DLL file if it is in use. In such a case this
program will add an entry to the Windows Registry to run SKA.EXE the
next time the computer is booted so that it can do these modifications.
The size of this trojan file is 10000 bytes.

You will not get infected by Happy99 merely by downloading the trojan
file. You will have to execute it to get infected.

The modified WSOCK32.DLL has routines to detect the email and newsgroup
postings made by the user. It will send a copy of the SKA.EXE file
renamed as happy99.exe to every user or newsgroup to whom the user
sends an email. Each recipient will get the email only once and the
trojan will not send repeat email to the same user. It will send a
separate email retaining the subject of the first email with the file as
an attachment. The trojan also maintains the file LISTE.SKA which
contains the list of all email addresses and newsgroups to which this
file has been sent. The unique function of this trojan is that it can
spread on its own.

Happy99 first appeared in January 1999 and it is reported to have affected
a lot of users.

 Other names of happy99:
This trojan is also known as win32.ska.a, ska, wsock32.ska and ska.exe.

 What is happy99? Trojan, Virus or Worm?
This program can only be classified as a Trojan. It is not a virus as it
does not replicate itself. It does not attach itself to any other file or
program. It is also not a worm as even though it can spread on its own,
it needs to be executed to get control. A worm is capable of spreading
and infecting the target computer on its own. Happy99/Ska is a trojan
with the capability to distribute itself.

 Removing happy99 from your computer:
You can remove this trojan from your computer by using Protector Plus
antivirus software. Click here to download a 30 day Evaluation Copy of
Protector Plus for your operating system.

You can also remove this trojan manually from your computer. To do that,
first check the WINDOWS\SYSTEM folder for the presence of these files.

1. SKA.EXE
2. SKA.DLL
3. WSOCK32.SKA

If you find these files then you have been attacked by the Happy99 Trojan.
To remove this trojan do the following:

1. Delete SKA.EXE, SKA.DLL and WSOCK32.DLL
2. Rename WSOCK32.SKA as WSOCK32.DLL

Make sure that you have WSOCK32.SKA file before deleting WSOCK32.DLL and
ensure that you have renamed this file properly. You may have to close
your Browser, Email software, etc. to delete and rename the DLL files.

You will have to use an antivirus software capable of detecting this trojan
to ensure that you do not have this file anywhere in your hard disk. You
can use Protector Plus for that purpose.

cheers,
+-------------------+--------------------------------------+
| ACC/VTS | ICQ: 21819610 software development |
| acc_at_pertus.com.pl | http://www.pentium.pertus.com.pl |
+-------------------+--------------------------------------+
     "Keyboard not found. Press any key to continue."
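
The manual check and removal order from the quoted advisory, written as a read-only triage script. This is an added example, not part of the original message or the advisory; the function names, the sample directory and the file sizes other than 10000 bytes are constructed, and it assumes SKA.EXE has the same 10000-byte size as the mailed copy.

```python
import os
import tempfile

# File names the advisory lists as signs of infection in WINDOWS\SYSTEM.
INDICATORS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")
DROPPER_SIZE = 10000  # trojan file size stated in the advisory, in bytes


def triage(system_dir):
    """Return (found, plan) for one WINDOWS\\SYSTEM directory (read-only)."""
    # Win9x file systems are case-insensitive, so compare upper-cased names.
    names = {n.upper(): n for n in os.listdir(system_dir)}
    found = [i for i in INDICATORS if i in names]
    # SKA.EXE is the copy mailed out as happy99.exe; size is a second check (assumption).
    if "SKA.EXE" in names:
        size = os.path.getsize(os.path.join(system_dir, names["SKA.EXE"]))
        if size == DROPPER_SIZE:
            found.append("SKA.EXE size matches 10000 bytes")
    plan = []
    if not found:
        return found, plan
    plan += ["delete " + names[n] for n in ("SKA.EXE", "SKA.DLL") if n in names]
    if "WSOCK32.SKA" in names:
        # Backup of the original DLL exists: safe to swap it back in.
        if "WSOCK32.DLL" in names:
            plan.append("delete " + names["WSOCK32.DLL"])
        plan.append("rename " + names["WSOCK32.SKA"] + " to WSOCK32.DLL")
    else:
        # Advisory's caveat: never delete WSOCK32.DLL without the .SKA backup.
        plan.append("keep WSOCK32.DLL: no WSOCK32.SKA backup present")
    return found, plan


def make_sample(files):
    """Build a constructed sample directory: {name: size_in_bytes}."""
    d = tempfile.mkdtemp()
    for name, size in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"\0" * size)
    return d


if __name__ == "__main__":
    infected = make_sample({"ska.exe": 10000, "Ska.dll": 8192,
                            "wsock32.ska": 66560, "WSOCK32.DLL": 66560})
    for line in triage(infected)[1]:
        print(line)
```

The script only lists the steps; it deletes and renames nothing, so it can be pointed at a mounted disk image.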



This archive was generated by hypermail 2.1.7 : Tue 18 May 2004 - 18:13:27 MET DST