Message-ID: <3.0.5.32.19990323133243.008be580@zen.co.uk>
Date: Tue, 23 Mar 1999 13:32:43 +0000
To: rsgb_lf_group@blacksheep.org
From: "Alan Gale"
Subject: LF: Dealing with the Happy99 Virus
References: <199903221759.SAA24626@bluewin.ch>
Reply-To: rsgb_lf_group@blacksheep.org

At 19:55 99/03/22 +0000, you wrote:
>It modifies wsock32.dll to send itself as an attachment when a posting
>is made to USENET and other Mail....
>
>I am not sure, but it should be picked up on these "secondary" postings
>using a virus checker that operates all the time in the background.
>
>Grateful for any other information that members of the list may offer.

Hi John and all,

If anyone on the list does become infected with this nasty virus there
are a number of cures that will help to remove it. Following a recent
outbreak on the Euro Scanner (ESL) List, I have details on a number of
places where you can find programmes that will deal with it:

-----------------
>Any of you still suffering from the Happy 99 virus thingey then help
>can be obtained from:
>Happy99Cleaner 2.0, Windows 95/98/NT Freeware:
>http://www.softseek.com/files/review?UTVI23313sw
>Regards,
>John, Oxford, UK
-----------------
>On the doctor Solomon's web page they say they can detect this virus.
>Please see: http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.htm.
>They supply extra drivers for your installation.
------------------
>Please see http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM
------------------

++++ How to remove Happy99.exe Virus ++++

You can remove this trojan manually from your computer. To do this,
first check the WINDOWS\SYSTEM folder for the presence of these files.

1. SKA.EXE
2. SKA.DLL
3. WSOCK32.SKA

If you find these files then you have been attacked by the Happy99
Trojan. To remove this trojan do the following:

1. Delete SKA.EXE, SKA.DLL and WSOCK32.DLL
2. Rename WSOCK32.SKA as WSOCK32.DLL

Make sure that you have WSOCK32.SKA file before deleting WSOCK32.DLL
and ensure that you have renamed this file properly. You may have to
close your Browser, Email software, etc. to delete and rename the DLL
files.

If you have Internet Explorer integrated Windows, you may have to do it
in DOS mode.

1. Shut down windows with the RESTART IN DOS MODE option.
2. At the prompt follow these instructions.
   C:\WINDOWS>cd system
3. Next prompt and command:
   C:\WINDOWS\SYSTEM>del wsock32.dll
4. And finally:
   C:\WINDOWS\SYSTEM>ren wsock32.ska wsock32.dll

Then restart your computer.

One final note, there will also be a file in your \windows\system
directory called "liste.ska"; from what I can tell this file is a list
of people you could have sent the Trojan to. It might be as well to warn
them and pass on these instructions.

--------------------
Recently there have been several reports of a virus being passed through
lists in attachments. The virus, called Happy99, modifies infected
computers so that they spread the virus to other computers through email
attachments. For more information on this particular virus, and how to
remove it, visit the following web page:

http://www.symantec.com/avcenter/venc/data/happy99.worm.html

This is a good time to remind people that, in general, they should not
open email attachments or run programs from people they do not know.
That is how this and other viruses are spread.

Hope that's of help to someone.

73, Alan G4TMV.
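
The manual check and removal steps from the message above, as an added Python example that is not part of the original post. It assumes it is pointed at a copy of the WINDOWS\SYSTEM directory (for instance from a mounted disk image); the function names, the dry-run default and the sample file set in demo() are constructed here.

```python
import os
import tempfile

# Names from the message above; compared case-insensitively, as Windows does.
DROPPED = ("ska.exe", "ska.dll")        # files the worm adds
BACKUP, LIVE, SENT = "wsock32.ska", "wsock32.dll", "liste.ska"


def scan(system_dir):
    """Return {lowercased name: real path} for Happy99-related files present."""
    wanted = set(DROPPED) | {BACKUP, LIVE, SENT}
    return {n.lower(): os.path.join(system_dir, n)
            for n in os.listdir(system_dir) if n.lower() in wanted}


def clean(system_dir, dry_run=True):
    """Plan (and, if dry_run is False, perform) the manual removal steps."""
    found = scan(system_dir)
    if not any(n in found for n in DROPPED + (BACKUP,)):
        return []                        # no indicator files found
    plan = [("delete", found[n]) for n in DROPPED if n in found]
    if BACKUP in found:
        if LIVE in found:
            plan.append(("delete", found[LIVE]))
        plan.append(("rename", found[BACKUP],
                     os.path.join(system_dir, "WSOCK32.DLL")))
    else:
        # The message's precaution: never delete WSOCK32.DLL without the backup.
        plan.append(("skip", "WSOCK32.DLL left alone: WSOCK32.SKA not found"))
    if SENT in found:
        plan.append(("review", found[SENT]))   # possible recipients to warn
    if not dry_run:
        for step in plan:
            if step[0] == "delete":
                os.remove(step[1])
            elif step[0] == "rename":
                os.rename(step[1], step[2])
    return plan


def demo(names=("SKA.EXE", "Ska.dll", "WSOCK32.DLL", "WSOCK32.SKA", "LISTE.SKA")):
    """Run clean() on a constructed directory; return (plan kinds, files left)."""
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            open(os.path.join(d, n), "w").close()
        plan = clean(d, dry_run=False)
        return [s[0] for s in plan], sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

With dry_run left at its default, clean() only returns the plan, so the steps can be reviewed before anything is deleted or renamed.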