W32/Ska@M

Type
Virus
SubType
Worm
Discovery Date
01/27/1999
Length
0
Minimum DAT
4012 (02/10/1999)
Updated DAT
4564 (08/22/2005)
Minimum Engine
5.1.00
Description Added
05/06/1999
Description Modified
09/27/2002 3:21 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

W32/Ska is a worm that was first posted to several newsgroups and has been reported to several AVERT Labs locations worldwide. When the worm is run it displays the message "Happy New Year 1999!!" together with a "fireworks" animation. The newsgroup postings led to its initial propagation; it also spreads on its own, attaching itself to mail messages and news postings that are then sent unknowingly by the user.

The file may be received by email with a size of 10,000 bytes. When run, the worm patches WSOCK32.DLL so that it can distribute itself by email from the host, provided the mail application uses SMTP. On such a host, each email sent by the user is followed by a second message that carries the worm, either as a MIME attachment or uuencoded inline, such as this:

>X-Spanska: Yes
>
>begin 644 Happy99.exe
>M35I0``(````$``\`__\``+@`````````0``:````````````````````````
>M``````````````````````$``+H0``X?M`G-(;@!3,TAD)!4:&ES('!R;V=R
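The following is an added example, not part of the original AVERT description, showing how a mail gateway could recognise the worm's follow-up message from the indicators the page gives: the "X-Spanska: Yes" header, a uuencoded "begin 644 Happy99.exe" section in the body, or a MIME attachment named Happy99.exe. The sample messages are constructed; the uuencoded data is a stub whose first bytes are "MZP", as in the page's excerpt, not the real worm. The classify() function and the indicator names it returns are this example's own.

```python
"""Mail-side check for the W32/Ska (Happy99) propagation message.

Added example, not code from the original advisory or from McAfee AVERT.
The page describes the worm's follow-up message as carrying the header
"X-Spanska: Yes" and a copy of Happy99.exe, either uuencoded inline
("begin 644 Happy99.exe") or as a MIME attachment.  Both sample messages
below are constructed for this example; the indicator names returned by
classify() are this example's own.
"""
import binascii
import email
import email.message
import email.policy
import re
from typing import List

WORM_FILENAME = "happy99.exe"
UU_BEGIN = re.compile(r"^begin [0-7]{3} (?P<name>\S+)\s*$", re.MULTILINE)


def _uu_first_line_is_mz(body: str, begin: "re.Match") -> bool:
    """Decode the first uuencoded data line after 'begin' and look for an MZ header."""
    rest = body[begin.end():].lstrip("\r\n")
    first_line = rest.split("\n", 1)[0].rstrip("\r")
    try:
        decoded = binascii.a2b_uu(first_line)
    except binascii.Error:
        return False
    return decoded.startswith(b"MZ")


def classify(raw_message: bytes) -> List[str]:
    """Return the Happy99 indicators found in one RFC 822 message (empty if clean)."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits: List[str] = []
    # 1. The worm's own marker header.
    if msg.get("X-Spanska", "").strip().lower() == "yes":
        hits.append("x-spanska-header")
    for part in msg.walk():
        # 2. MIME attachment named Happy99.exe.
        filename = part.get_filename()
        if filename and filename.lower() == WORM_FILENAME:
            hits.append("mime-attachment:" + filename)
        # 3. uuencoded copy inside a text part, as in the advisory's sample.
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        for m in UU_BEGIN.finditer(body):
            if m.group("name").lower() == WORM_FILENAME:
                hits.append("uuencoded:" + m.group("name"))
                if _uu_first_line_is_mz(body, m):
                    hits.append("uuencoded-payload-is-mz")
    return hits


def _uuencoded_stub() -> str:
    """Constructed uuencoded block whose first 45 bytes begin with 'MZP',
    like the 'M35I0...' line in the advisory (not the real worm body)."""
    data_line = binascii.b2a_uu(b"MZP" + bytes(42), backtick=True).decode("ascii")
    return "begin 644 Happy99.exe\n" + data_line + "`\nend\n"


# Constructed sample: the uuencoded form shown on the page.
SAMPLE_UU_MAIL = (
    "From: user@example.test\n"
    "To: friend@example.test\n"
    "Subject: Happy New Year\n"
    "X-Spanska: Yes\n"
    "Content-Type: text/plain\n"
    "\n" + _uuencoded_stub()
).encode("ascii")


def _build_mime_sample() -> bytes:
    """Constructed variant: same marker header, Happy99.exe as a MIME attachment."""
    m = email.message.EmailMessage()
    m["From"] = "user@example.test"
    m["To"] = "friend@example.test"
    m["Subject"] = "Happy New Year"
    m["X-Spanska"] = "Yes"
    m.set_content("Happy New Year 1999!!")
    m.add_attachment(b"MZP" + bytes(42), maintype="application",
                     subtype="octet-stream", filename="Happy99.exe")
    return m.as_bytes()


SAMPLE_MIME_MAIL = _build_mime_sample()
SAMPLE_CLEAN_MAIL = b"From: a@example.test\nTo: b@example.test\nSubject: hi\n\nHappy new year!\n"

if __name__ == "__main__":
    for label, raw in [("uuencoded", SAMPLE_UU_MAIL), ("mime", SAMPLE_MIME_MAIL), ("clean", SAMPLE_CLEAN_MAIL)]:
        print(label, classify(raw))
```

The header alone is enough to quarantine, but a gateway should not rely on it: the attachment and uuencode checks catch a copy that was forwarded by hand, which strips the worm's own header. Decoding only the first uuencoded line is deliberate; it confirms an executable (MZ) without reassembling the whole attachment.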

AVERT advises all users who receive the attachment by email simply to delete the mail and the attachment. The worm arrives by email as an attachment named Happy99.EXE, sent unknowingly by a user whose system is already infected. When the program is run it deploys its payload, displaying fireworks on the user's monitor.

When HAPPY99.EXE is run it copies itself to the Windows\System folder under the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL into the Windows\System folder if one does not already exist.

Note: Though SKA.EXE is a copy of the original, it does not run as HAPPY99.EXE does: it neither copies itself again nor displays the fireworks on the user's monitor.

The worm then checks for WSOCK32.SKA in the Windows\System folder; if it does not exist and WSOCK32.DLL does, it copies WSOCK32.DLL to WSOCK32.SKA as a backup of the original.

The worm then creates the registry entry -

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
Ska.exe = Ska.exe

- which executes SKA.EXE the next time the system is restarted. The patch is deferred to the restart because WSOCK32.DLL cannot be modified while Windows is running (see Removal). At that point the worm patches WSOCK32.DLL, adding hooks to the exported functions EnumProtocolsW and WSAAsyncGetProtocolByName.

The patched code calls two exported functions in SKA.DLL, mail and news, which let the worm attach itself to outgoing SMTP email and to any newsgroup postings (NNTP) the user makes.

Symptoms

Existence of the files HAPPY99.EXE, SKA.EXE, SKA.DLL and WSOCK32.SKA on the local system; modifications to the system registry as described above; outgoing email and news postings as described above.
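The following is an added example, not part of the original AVERT description, that turns the symptoms above into a host triage check. It looks for the dropped files in a Windows System directory (or an offline copy of one), compares WSOCK32.DLL against the worm's own WSOCK32.SKA backup (the backup is the pre-infection copy, so any difference means the DLL has been patched), and scans a REGEDIT4-format registry export for the RunOnce value. The sample directory and registry export are constructed for the demonstration; the function names are this example's own.

```python
"""Host triage for the W32/Ska (Happy99) indicators listed under Symptoms.

Added example, not code from the original advisory or from McAfee AVERT.
It checks a Windows System directory for the files the worm drops and
compares WSOCK32.DLL with the worm's backup WSOCK32.SKA: the backup is
the pre-infection copy, so a differing hash means the DLL was patched.
It also scans a REGEDIT4-format registry export for the RunOnce value.
Directory contents and the export text are constructed for this example.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional

DROPPED_FILES = ("HAPPY99.EXE", "SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = re.compile(r'^"Ska\.exe"="Ska\.exe"\s*$', re.IGNORECASE | re.MULTILINE)


def _sha256(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _find_ci(directory: str, name: str) -> Optional[str]:
    """Case-insensitive lookup: FAT filenames are compared case-insensitively."""
    for entry in os.listdir(directory):
        if entry.upper() == name.upper():
            return os.path.join(directory, entry)
    return None


def scan_system_dir(system_dir: str) -> Dict[str, object]:
    """Report which dropped files exist and whether WSOCK32.DLL differs from its backup.

    wsock32_patched is None when no backup exists (the comparison is impossible)."""
    found: List[str] = [n for n in DROPPED_FILES if _find_ci(system_dir, n)]
    dll = _find_ci(system_dir, "WSOCK32.DLL")
    backup = _find_ci(system_dir, "WSOCK32.SKA")
    patched = None
    if dll and backup:
        patched = _sha256(dll) != _sha256(backup)
    return {"dropped_files": found, "wsock32_patched": patched}


def runonce_entry_present(reg_export: str) -> bool:
    """True if a REGEDIT4 export holds the worm's value under the RunOnce key."""
    blocks = re.split(r"^\[(.+)\]\s*$", reg_export, flags=re.MULTILINE)
    # With one capturing group, re.split yields [preamble, key1, body1, key2, body2, ...]
    for key, body in zip(blocks[1::2], blocks[2::2]):
        if key.upper() == RUNONCE_KEY.upper() and RUNONCE_VALUE.search(body):
            return True
    return False


def make_sample_system() -> str:
    """Constructed System directory that looks infected (no real worm code)."""
    d = tempfile.mkdtemp(prefix="ska_demo_")
    original_dll = b"MZ" + bytes(62) + b"clean wsock32 stub"
    for name, data in [
        ("WSOCK32.SKA", original_dll),                 # backup of the original
        ("WSOCK32.DLL", original_dll + b"patched"),    # hooked copy differs
        ("SKA.EXE", b"MZP stub"),
        ("SKA.DLL", b"MZ stub"),
        ("LISTE.SKA", b"friend@example.test\r\n"),
    ]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


# Constructed REGEDIT4 export containing the entry described on the page.
SAMPLE_REG_EXPORT = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"\n\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\n"
    '"Ska.exe"="Ska.exe"\n'
)

if __name__ == "__main__":
    sample = make_sample_system()
    print(scan_system_dir(sample))
    print("RunOnce entry present:", runonce_entry_present(SAMPLE_REG_EXPORT))
```

The registry check is the weakest indicator: RunOnce values are deleted by Windows once they have run, so on a machine that has already been restarted the value is gone even though WSOCK32.DLL is now patched. The file indicators, and in particular a WSOCK32.DLL that no longer matches WSOCK32.SKA, remain.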

Method of Infection

Running the executable patches WSOCK32.DLL with two routines that assist spreading by SMTP and NNTP transfers.

Removal

Use the specified engine and DAT files for detection. Removal requires manual operation: you will need to reboot to MS-DOS mode, as WSOCK32.DLL cannot be changed while Windows is running. Choose "SHUTDOWN | RESTART TO MSDOS MODE" and, at the command prompt, type these instructions:

CD C:\WINDOWS\SYSTEM
REN WSOCK32.DLL WSOCK32.BAD
REN WSOCK32.SKA WSOCK32.DLL
DEL SKA.EXE
DEL SKA.DLL
COPY LISTE.SKA C:\

The above is sufficient to stop the worm from working: WSOCK32.SKA is the unmodified copy the worm made before patching, so renaming it back restores the original DLL. To restart Windows, type EXIT. Note that the file LISTE.SKA contains a list of the addresses to which the worm sent HAPPY99.EXE from your system, unsolicited. It would be good netiquette to inform those recipients and forward them these removal instructions as well.

Variants

    N/A

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Happy99
  • I-Worm.Happy
  • W32/Ska.dll
  • W32/Ska.dll@m
