rsgb_lf_group

LF: Happy99

To: [email protected]
Subject: LF: Happy99
From: "Toni Baertschi" <[email protected]>
Date: Tue, 23 Mar 1999 08:41:50 +0100
Organization: Phonak Communications AG
Reply-to: [email protected]
Sender: <[email protected]>
from HB9ASB
Sorry for the virus I sent yesterday to the group. I was not aware
that this PC was also infected. Do not execute happy99.exe, just trash
it!

73 de Toni

*** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
This computer worm is a kind of virus program that does not affect
the files it attaches itself to, but just sends itself out to the
Internet as an attachment to the e-mail messages originating from the
infected system. Apparently this occurs regardless of the e-mail client
you are using! The worm had been posted to several news servers, and
on the next day Kaspersky Labs got the report that it had been
discovered In-The-Wild in Europe and was continuing to spread. At the
time of writing, the virus has been found on systems worldwide.

The worm arrives as an attachment to e-mails as a "HAPPY99.EXE" file.
Be advised that the sender of the e-mail is usually unaware of this.
You would usually get an e-mail from the infected sender and
immediately after that a second e-mail from the same person. The body
of that second message is empty and the "happy99.exe" file is
attached. The file size is usually less than 11 KB.

When an infected attachment is executed, the worm displays fireworks
in a window to hide its true activity. This is when it installs itself
into the system, detects send activity on the SMTP port, converts its
code to an attachment and appends it to all outgoing e-mail. As a
result the worm, once it has been installed on the system, is able to
spread copies of itself to all the addresses the messages are sent to.

Removal and Protection

If the worm is detected on your system you can easily get rid of it by
deleting the SKA.EXE and SKA.DLL files in the \Windows directory. You
should delete the WSOCK32.DLL file and replace it with the original
WSOCK32.SKA file. The original HAPPY99.EXE file needs to be located
and deleted.
To protect your computer from re-infection you need only set the
Read-Only attribute on the WSOCK32.DLL file. The worm does not pay
attention to Read-Only mode, and fails to patch the file. This trick
was discovered by Peter Szor at DataFellows http://www.datafellows.com.

REMINDER

Do not open and do not execute the HAPPY99.EXE file that you have
received as an attachment to any message, even if you get it from a
trusted source. You should also remember: files that you have got from
the Internet can contain malicious code that may infect your computer,
destroy data, send confidential files to the Internet, or install spy
programs to monitor your computer from a remote host. See the
information in The BackOrifice Information Center.

Technical Details
During installation, the worm copies itself to the Windows system
directory as SKA.EXE and drops the additional SKA.DLL file in the same
directory. The worm then copies WSOCK32.DLL to WSOCK32.SKA (makes a
"backup") and patches the WSOCK32.DLL file.
If WSOCK32.DLL is in use and cannot be opened for writing, the worm
creates a new key in the system registry to run its dropper on the
next reboot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The WSOCK32.DLL patch consists of a worm initialization routine and two
redirected exports. The initialization routine is just a small piece of
worm code, 202 bytes. It is saved to the end of the WSOCK32.DLL code
section (the ".text" section). WSOCK32.DLL has enough space for that,
and its size does not increase during infection.
Then the worm patches the WSOCK32.DLL export table so that two
functions ("connect" and "send") point to the worm initialization
routine at the end of the WSOCK32.DLL code section.
When a user connects to the Internet, WSOCK32.DLL is activated and the
worm hooks two events: connection and data sending. The worm monitors
the e-mail and NNTP ports (25 and 119). When it detects a connection
via one of these ports, it loads its SKA.DLL library, which has two
exports: "mail" and "news". Depending on the port number the worm calls
one of these routines, but both of them create a new message, insert
the UUencoded worm HAPPY99.EXE dropper into it, and send it to the
Internet address specified by the user.


Information provided by Delta 4 Services.
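The delivery pattern the warning describes (a second message with an empty body whose only content is a small HAPPY99.EXE, UUencoded into the body as the technical details note) is something a mail gateway can check for without a virus signature. The Python below is an added example for this page, not part of the advisory or of the list message; the sample messages, the addresses in them and the 2 KB stand-in executable are constructed for the demonstration.

```python
"""Detector for the Happy99 delivery pattern described in the message above:
a follow-up mail with an empty body whose only content is a small executable
named HAPPY99.EXE, carried as an inline uuencoded block ("begin 644 ...") or
as a MIME attachment.  Added example for this page, not the advisory's own
tooling; the sample messages at the bottom are constructed, not captured."""
import binascii
import email
from email import policy

SUSPECT_NAME = "happy99.exe"
MAX_SIZE = 11 * 1024            # advisory: "usually less than 11kb"


def split_uuencoded(text):
    """Pull inline uuencoded blocks out of a text body.
    Returns ([(filename, data), ...], the body text with the blocks removed)."""
    blocks, rest, lines, i = [], [], text.splitlines(), 0
    while i < len(lines):
        parts = lines[i].split()
        if len(parts) == 3 and parts[0] == "begin" and parts[1].isdigit():
            name, data, i = parts[2], bytearray(), i + 1
            while i < len(lines) and lines[i].strip() != "end":
                if lines[i].strip():    # a2b_uu treats a blank line as 32 NULs, so skip blanks
                    data += binascii.a2b_uu(lines[i])
                i += 1
            blocks.append((name, bytes(data)))
        else:
            rest.append(lines[i])
        i += 1
    return blocks, "\n".join(rest)


def extract_attachments(raw):
    """Return ([(filename, data), ...], remaining body text) for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    attachments, body = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():                       # proper MIME attachment
            attachments.append((part.get_filename(), part.get_payload(decode=True)))
        elif part.get_content_type() == "text/plain":  # uuencode rides inside the text
            blocks, text = split_uuencoded(part.get_content())
            attachments.extend(blocks)
            body.append(text)
    return attachments, "\n".join(body)


def happy99_indicators(raw):
    """Return the indicators that fired for one message; an empty list means clean."""
    attachments, body = extract_attachments(raw)
    hits = []
    for name, data in attachments:
        if name.lower() == SUSPECT_NAME:
            hits.append(f"attachment named {name}")
        if name.lower().endswith(".exe") and data[:2] == b"MZ" and len(data) < MAX_SIZE:
            hits.append(f"small MZ executable {name} ({len(data)} bytes)")
    if attachments and not body.strip():
        hits.append("attachment with an empty message body")
    return hits


def uuencode(name, data):
    """Produce a classic uuencoded block (used only to build the constructed sample)."""
    lines = [f"begin 644 {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45], backtick=True).decode().rstrip("\n"))
    return "\n".join(lines + ["`", "end"])


# Constructed samples: addresses are placeholders, FAKE_EXE is an MZ header plus
# padding standing in for the dropper, not real code.
HEADERS = "From: hb9asb@example.invalid\nTo: list@example.invalid\nSubject: LF: Happy99\n\n"
FAKE_EXE = b"MZ" + b"\x90" * 2000
INFECTED = HEADERS + "\n" + uuencode("HAPPY99.EXE", FAKE_EXE) + "\n"
CLEAN = HEADERS + "Sorry for the virus I sent yesterday. Do not run happy99.exe!\n\n73 de Toni\n"

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, happy99_indicators(sample))
```

Run stand-alone, the script reports three indicators for the constructed infected message (the attachment name, a small MZ executable, and the empty body) and none for the apology mail. The empty-body test is deliberately kept separate from the filename test: a renamed dropper would still trip the "small .exe with empty body" pair, while a legitimate mail that mentions the file by name is not flagged.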

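The Technical Details say the worm patches the WSOCK32.DLL export table so that "connect" and "send" both resolve to a 202-byte routine at the end of the .text section, without growing the file. That is checkable directly from the export table, independent of any signature: the Python below walks a PE32 export directory and flags watched exports that collapse to one address or land in the tail of .text. It is an added example for this page, not the advisory's or Data Fellows' tool; the two DLL images it checks are minimal PE files built inside the script (the layout helper and the RVA values are hypothetical), not real Winsock binaries.

```python
"""Check a WSOCK32.DLL image for the export-table patch described above: Happy99
repoints the "connect" and "send" exports at its 202-byte initialisation routine
stored at the end of the .text section.  Added example for this page, not the
advisory's own tool; the DLL images below are constructed minimal PE32 files."""
import struct

_u16 = lambda b, o: struct.unpack_from("<H", b, o)[0]   # little-endian field readers
_u32 = lambda b, o: struct.unpack_from("<I", b, o)[0]


def parse_pe(data):
    """Return (sections, export_dir_rva); sections = [(name, va, vsize, raw_ptr, raw_size)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size, opt = _u16(data, pe + 6), _u16(data, pe + 20), pe + 24
    if _u16(data, opt) != 0x10B:
        raise ValueError("only PE32 is handled here")
    export_rva = _u32(data, opt + 96)           # DataDirectory[0] = export table
    sections = []
    for i in range(nsec):
        o = opt + opt_size + 40 * i
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, o + 8)
        sections.append((data[o:o + 8].rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return sections, export_rva


def rva_to_offset(sections, rva):
    for _, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def exports(data):
    """Return {export_name: rva} by walking the name, ordinal and address tables."""
    sections, exp_rva = parse_pe(data)
    e = rva_to_offset(sections, exp_rva)
    _nfuncs, nnames, funcs, names, ords = struct.unpack_from("<IIIII", data, e + 20)
    f_off, n_off, o_off = (rva_to_offset(sections, r) for r in (funcs, names, ords))
    out = {}
    for i in range(nnames):
        s = rva_to_offset(sections, _u32(data, n_off + 4 * i))
        name = data[s:data.index(b"\0", s)].decode("ascii")
        out[name] = _u32(data, f_off + 4 * _u16(data, o_off + 2 * i))   # ordinal -> address
    return out


def check_winsock_hooks(data, watch=("connect", "send"), tail=202):
    """Return findings (empty = normal): watched exports sharing one address, or an
    export landing in the last `tail` bytes of .text, where the worm parks its code."""
    sections, _ = parse_pe(data)
    _, va, vsize, _, _ = next(s for s in sections if s[0] == ".text")
    text_end = va + vsize
    targets = {n: rva for n, rva in exports(data).items() if n in watch}
    by_addr = {}
    for name, rva in targets.items():
        by_addr.setdefault(rva, []).append(name)
    findings = [f"{' and '.join(ns)} resolve to the same address {rva:#x}"
                for rva, ns in by_addr.items() if len(ns) > 1]
    findings += [f"{n} points into the last {tail} bytes of .text ({rva:#x})"
                 for n, rva in targets.items() if text_end - tail <= rva < text_end]
    return findings


def build_dll(export_rvas, text_va=0x1000, text_size=0x1000, raw_ptr=0x200):
    """Constructed PE32 DLL with one .text section holding a named export table.
    Test fixture with a hypothetical layout; it is not a loadable Winsock DLL."""
    names, n = sorted(export_rvas), len(export_rvas)
    funcs_rva = text_va + 40                    # export directory is 40 bytes
    names_rva, ords_rva, str_rva = funcs_rva + 4 * n, funcs_rva + 8 * n, funcs_rva + 10 * n
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva + len(strings), 1,
                       n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", export_rvas[nm]) for nm in names)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings + b"WSOCK32.dll\0"
    hdr = bytearray(raw_ptr)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                     # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 96, text_va, len(body))  # export directory entry
    struct.pack_into("<8sIIIIIIHHI", hdr, 0x58 + 224, b".text", text_size, text_va,
                     text_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + body.ljust(text_size, b"\xCC")


CLEAN_DLL = build_dll({"connect": 0x1400, "send": 0x1500, "recv": 0x1600})
# "infected" image: both exports repointed at a routine occupying the last 202 bytes of .text
HOOKED_DLL = build_dll({"connect": 0x2000 - 202, "send": 0x2000 - 202, "recv": 0x1600})
```

`check_winsock_hooks(CLEAN_DLL)` returns an empty list; `check_winsock_hooks(HOOKED_DLL)` returns three findings (the shared address, plus one tail hit per export). On a real Windows system the same check would be run over the WSOCK32.DLL in the system directory and compared against the WSOCK32.SKA backup the advisory mentions, whose exports should point at distinct addresses well inside the code section.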