THIS IS REAL, I HAD IT TO CHECK TO SEE IF YOU HAVE IT E-MAIL YOURSELF, IF TWO E-MAILS COME BACK ONE WITH THE HAPPY99 IN IT DO NOT OPEN IT FOLLOW THE INSTRUCTIONS BELOW
don't know where it came from, here's the cure, it works.....
Mark

----------
> From: Mackey, Robert <Robert.Mackey@xxxxxxx>
> To: vwserv@xxxxxxxxxxxxxx
> Subject: FW: Virus Warning
> Date: Friday, February 19, 1999 4:13 PM
>
> In case you're not already aware, you're 'infected' with this virus...
>
> > I found the following information on the Internet, which describes the
> > virus and how to remove it.
> >
> > Ska Virus
> > Information
> > This virus is attached to newsgroup and e-mail messages as an attachment
> > called Happy99.exe. You cannot get infected with this virus just by
> > reading a newsgroup or e-mail message. You have to execute the attachment.
> > If you execute an infected attachment, it will display a firework display
> > which looks like this:
> > <<...>>
> > It will create two files in the Windows System folder, SKA.EXE and
> > SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will make a backup of
> > WSOCK32.DLL under the name of WSOCK32.SKA. Then it will modify WSOCK32.DLL
> > so it will try to access SKA.DLL under certain circumstances. It does not
> > modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a regular part
> > of Windows that provides a connection to the Internet. If it is unable to
> > modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the
> > registry and WSOCK32.DLL will be modified next time the computer starts.
> > The modified WSOCK32.DLL will attach HAPPY99.EXE to a second copy of
> > outgoing newsgroup and e-mail messages. This second copy will have the
> > same subject and recipient, but it will have an empty body. This virus
> > will keep a list of message recipients in the file LISTE.SKA in the
> > Windows System folder.
> > In my tests (sending an e-mail to myself:) this virus attached itself to a
> > second copy of the e-mail message, with no problems and a barely
> > noticeable delay. The outgoing message contains the header
> >     X-Spanska: Yes
> > but this is normally not visible.
> > This virus does not steal passwords, as some sources have reported. It
> > does not contain any payload other than the fireworks display. However, it
> > could overload an e-mail server if a lot of copies get passed around.
> > Also, since it gets passed along a lot, a different virus could attach to
> > HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the
> > modified WSOCK32.DLL cannot perform any viral action. However using a
> > modified WSOCK32.DLL could cause problems while on the Internet. Restoring
> > the original WSOCK32.DLL will correct these problems.
> > This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV.
> > However, someone using one of those could pass it along manually, for
> > example by forwarding the message. I don't have a Windows NT machine to
> > test it on, but I have reports that it will create SKA.EXE and SKA.DLL,
> > but will fail to add itself to the registry or modify WSOCK32.DLL.
> > Some people have asked whether it is always called HAPPY99.EXE. This virus
> > doesn't contain any code to change the name. However, it would be simple
> > for a person to change it to anything they like.
> > It contains the encrypted text:
> >     "Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
> >
> > Removal
> > Steps marked optional are not absolutely necessary and are completely safe
> > to skip.
> > Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then
> > click Yes. It's important to do this so you can make the necessary
> > changes.
> > At the DOS prompt type this exactly and press enter at the end of each
> > line:
> >     CD \WINDOWS\SYSTEM
> > If your Windows folder is not called WINDOWS then substitute the
> > name of your Windows folder instead, for example:
> >     CD \WIN95\SYSTEM
> > Delete SKA.EXE and SKA.DLL by typing
> >     DEL SKA.EXE
> >     DEL SKA.DLL
> > If you get "File not found" you're either not infected or in the
> > wrong directory. Make sure you're in your Windows System directory; check
> > to see if you followed step 2 exactly.
> > Copy WSOCK32.SKA to WSOCK32.DLL by typing
> >     COPY WSOCK32.SKA WSOCK32.DLL
> > Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
> > Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL made by
> > the virus. You are replacing the modified DLL with the original.
> > Optional Delete WSOCK32.SKA by typing
> >     DEL WSOCK32.SKA
> > You can leave WSOCK32.SKA on your system. It is a copy of your
> > original WSOCK32.DLL. Do not delete WSOCK32.SKA if you are unable to
> > replace WSOCK32.DLL with WSOCK32.SKA.
> > Return to Windows by typing
> >     EXIT
> > Optional Click Start, then Run, then type regedit in the text box, then
> > click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then
> > Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select
> > it if it is there. Press delete and then click Yes. Close Regedit. Don't
> > change anything else without making a backup of the registry first. If you
> > don't find SKA.EXE in the registry, it doesn't mean you're not infected.
> > SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify
> > WSOCK32.DLL when you run it.
> > <<...>>
> > Optional Choose Start, Programs, Accessories, Notepad, choose File, then
> > Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the
> > people on the list, then delete LISTE.SKA.
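
A mail-gateway check for the outgoing-mail behaviour described in the quoted write-up (the `X-Spanska` header and the empty-body second copy with the same subject and recipient), as an added example that is not part of the original message. The sample messages are constructed, and the MIME layout of the attachment and the function names are assumptions.

```python
from email import message_from_string

# Constructed samples: a normal message and the "second copy" the text describes.
NORMAL = "To: alice@example.org\nSubject: Hello\n\nSee you Friday.\n"
COPY = ("To: alice@example.org\nSubject: Hello\nX-Spanska: Yes\n"
        "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b\"\n\n"
        "--b\nContent-Type: application/octet-stream\n"
        "Content-Disposition: attachment; filename=\"Happy99.exe\"\n"
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b--\n")

def text_and_attachments(msg):
    """Return (body_text, [attachment filenames]) for a parsed message."""
    body, names = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
        elif part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("latin-1")
    return body.strip(), names

def find_ska_copies(raw_messages):
    """Return [(index, [reasons])] for messages matching the described copy."""
    parsed = [message_from_string(r) for r in raw_messages]
    details = [text_and_attachments(m) for m in parsed]
    # (recipient, subject) pairs that also went out with a real body
    with_body = {(m["To"], m["Subject"])
                 for m, (body, _) in zip(parsed, details) if body}
    hits = []
    for i, (msg, (body, names)) in enumerate(zip(parsed, details)):
        reasons = []
        if msg["X-Spanska"] is not None:
            reasons.append("X-Spanska header")
        # Behavioural check: still fires if the attachment was renamed
        if not body and names and (msg["To"], msg["Subject"]) in with_body:
            reasons.append("empty-body duplicate with attachment")
        if any(n.lower() == "happy99.exe" for n in names):
            reasons.append("attachment named Happy99.exe")
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for index, reasons in find_ska_copies([NORMAL, COPY]):
        print(index, ", ".join(reasons))
```
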