Time to De-Worm the DML <again>

From: Mike Burgess (mike.burgess@akamail.com)
Date: Wed Apr 14 1999 - 23:01:15 EDT


So What I'd do to you? <grin>
  I intentionally run 16 bit netscape 2.0, and trumpet winsock,
just in case the email virus comes around.
 You have happy99, which has been quite busy in Mar & Apr
this year, and of course on the DML, this is the 2nd time
I've seen it related to the DML.
 So, get your virus scanners out and check your drives and
documents folks. Please.

 This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file
is usually named HAPPY99.EXE in the email or article attachment.
The program copies itself as SKA.EXE and extracts a DLL that it carries
as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies
WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original
WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered
when a connect or send activity is detected. When such online activity
occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a
new email or a new article with UUENCODED HAPPY99.EXE inserted into
the email or article. It then sends this email or posts this article.

  More info:
http://www.symantec.com/avcenter/venc/data/happy99.worm.html

J. Harmon wrote:
>
> Name: Happy99.exe
> Part 1.1 Type: unspecified type (application/octet-stream)
> Encoding: x-uuencode
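
The indicators described in the message above, turned into a small checker. This is an added example, not part of the original post or of any vendor tool: it flags a message whose uuencoded attachment is named HAPPY99.EXE and lists the dropped files in a system directory. The function names and the sample message are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Names taken from the post: files the worm leaves in WINDOWS\SYSTEM.
DROPPED = {"SKA.EXE", "SKA.DLL", "WSOCK32.SKA"}
ATTACHMENT = "HAPPY99.EXE"
# A uuencoded attachment starts with "begin <octal mode> <filename>".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+?)\s*$", re.MULTILINE)

# Constructed sample message (not a real capture); the body is a placeholder.
SAMPLE_MESSAGE = """Subject: hello

begin 644 Happy99.exe
(uuencoded body omitted in this constructed sample)
end
"""


def uu_attachment_names(message_text):
    """Return the filenames declared by uuencode 'begin' lines in a message."""
    return [m.group(1) for m in UU_BEGIN.finditer(message_text)]


def message_carries_worm(message_text):
    """True if any uuencoded attachment is named HAPPY99.EXE (any case)."""
    return any(n.upper() == ATTACHMENT for n in uu_attachment_names(message_text))


def scan_system_dir(system_dir):
    """Return the dropped-file names found in system_dir, upper-cased, sorted."""
    return sorted(p.name.upper() for p in Path(system_dir).iterdir()
                  if p.is_file() and p.name.upper() in DROPPED)


def wsock32_was_replaced(system_dir):
    """The original WSOCK32.DLL is saved as WSOCK32.SKA before it is modified."""
    return "WSOCK32.SKA" in scan_system_dir(system_dir)


if __name__ == "__main__":
    print("message flagged:", message_carries_worm(SAMPLE_MESSAGE))
    with tempfile.TemporaryDirectory() as d:  # stand-in for WINDOWS\SYSTEM
        for name in ("Ska.exe", "ska.dll", "WSOCK32.DLL", "wsock32.ska"):
            Path(d, name).write_bytes(b"")
        print("artifacts:", scan_system_dir(d))
        print("WSOCK32.DLL replaced:", wsock32_was_replaced(d))
```

The match is by filename only, and the post says the attachment is "usually" named HAPPY99.EXE, so a renamed copy would not be flagged by the message check.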


