[Fwd: PUPT: Re: Happy99 Internet Worm] Long post, but it helps if you got it

KP RS (KPRS)
Sun, 07 Mar 1999 15:29:03 -0500


From: "Hayes Family" <BLSHAYES>
To: <puptcrit.edu>
Subject: PUPT: Re: Happy99 Internet Worm
Date: Thu, 18 Feb 1999 20:53:29 -0600

I read the Happy99 postings with interest. Although I am 1/3 of the Hayes family puppeteers, I also work as a local area network administrator for the University of Nebraska.

I do a fair amount of anti-virus work. The following comes from a note I sent my colleagues this morning which may be of interest to you.

An Internet worm called Happy99 (a.k.a W32/SKA or SKA) is now riding across the Internet as an unauthorized e-mail or usenet newsgroup attachment. Over the years, I've taken great pains to tell folks that reading an e-mail message will not cause your PC harm. It still won't. However, we've always said that running an e-mail attachment is risky business. Users should ALWAYS avoid running any e-mail attachment, no matter how much they may trust their e-mail buddies.

Happy99.exe is considered an Internet worm, because it travels between machines via e-mail attachments and newsgroup postings. It arrives on a computer via a uuencoded e-mail or newsgroup attachment; Happy99 infects a Windows 9x box after its user extracts the happy99.exe program and then runs it. In addition to infecting the user's machine, it also causes a great deal of work for network administrators who may have to clean up infected e-mail servers.

While running, the Happy99 attachment shows a fireworks display. Once the Happy99 attachment is run, the worm modifies the winsock32.dll file so it can monitor outgoing e-mail traffic. As each e-mail or newsgroup posting is mailed, the worm attaches a uuencoded copy of happy99.exe to the outgoing message.

Here's a detailed breakdown of what Happy99 does to the infected box. When the infected attachment is run, the program copies itself as SKA.EXE. It then extracts a dynamic link library (DLL) called SKA.DLL which it copies into the WINDOWS\SYSTEM directory. Happy99 then modifies WSOCK32.DLL in the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL to a file called WSOCK32.SKA. If a user is online when Happy99 tries to modify the WSOCK32.DLL file, it adds the following "runonce" entry to the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

Runonce registry entries are commonly used by setup programs, allowing a setup program to continue once a machine has been rebooted. This approach allows the worm to modify the WSOCK32.DLL file the next time Windows starts.

Additionally, the worm keeps a list of the addresses which received
infected messages in a file called liste.ska.

Here is the recommended way to manually remove the worm:

Delete WINDOWS\SYSTEM\SKA.EXE, then delete the WINDOWS\SYSTEM\SKA.DLL file. Next, rename the WINDOWS\SYSTEM\WSOCK32.DLL to WSOCK32.WRM and then rename the WINDOWS\SYSTEM\WSOCK32.SKA file to WSOCK32.DLL. You may then delete the WSOCK32.WRM file. Finally, find and delete the downloaded file, usually named HAPPY99.EXE.

References:

http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.htm
http://www.sophos.com/downloads/ide/index.html#ska
http://www.datafellows.com/news/pr/eng/19990129.htm
http://www.symantec.com/avcenter/venc/data/happy99.worm.html

Bill, Laura, & Sarah Hayes
http://incolor.inetnebr.com/blshayes/puppets.htm

--- Personal replies to: "Hayes Family" <BLSHAYES>
--- List replies to: puptcrit.edu
--- Admin commands to: majordomo.edu
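As an added example (not from the post or its author), the Python below checks a WINDOWS\SYSTEM directory for the Happy99 indicators the post lists and applies its manual removal order, with a dry run first. Assumptions: liste.ska is looked for in WINDOWS\SYSTEM (the post does not say where it lives); RunOnce values are passed in as strings rather than read from a live registry; the sample directory is constructed test data.

```python
import tempfile
from pathlib import Path
# Indicators the post names, all in WINDOWS\SYSTEM (LISTE.SKA's directory is assumed);
# Win9x file names are case-insensitive, so lookups below are too.
FILE_INDICATORS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")

def _find(system_dir, name):  # case-insensitive lookup; Path or None
    hits = [p for p in Path(system_dir).iterdir() if p.name.upper() == name.upper()]
    return hits[0] if hits else None

def find_indicators(system_dir, runonce_values=()):
    """Happy99 indicators present: worm files plus a RunOnce value naming SKA.EXE."""
    found = [n for n in FILE_INDICATORS if _find(system_dir, n)]
    if any("SKA.EXE" in v.upper() for v in runonce_values):
        found.append("RunOnce=SKA.EXE")
    return found

def remove_happy99(system_dir, dry_run=True):
    """Apply the post's manual removal steps in order; returns the actions as strings.
    Added safety: WSOCK32.DLL is swapped only if the WSOCK32.SKA backup exists."""
    actions = []
    def delete(path):
        actions.append("delete " + path.name)
        if not dry_run:
            path.unlink()
    def rename(path, new_name):
        actions.append("rename %s -> %s" % (path.name, new_name))
        if not dry_run:
            path.replace(path.with_name(new_name))
    for name in ("SKA.EXE", "SKA.DLL"):
        if p := _find(system_dir, name):
            delete(p)
    patched, backup = _find(system_dir, "WSOCK32.DLL"), _find(system_dir, "WSOCK32.SKA")
    if patched and backup:
        rename(patched, "WSOCK32.WRM")  # park the worm-modified DLL
        rename(backup, "WSOCK32.DLL")   # put the saved original back
        delete(Path(system_dir) / "WSOCK32.WRM")
    return actions

def make_sample_system_dir():
    """Constructed stand-in for an infected WINDOWS\\SYSTEM directory (test data only)."""
    d = Path(tempfile.mkdtemp())
    for name, body in (("SKA.EXE", b"worm"), ("SKA.DLL", b"worm"),
                       ("WSOCK32.DLL", b"PATCHED"), ("WSOCK32.SKA", b"ORIGINAL")):
        (d / name).write_bytes(body)
    return d

def wsock32_contents(system_dir):
    return _find(system_dir, "WSOCK32.DLL").read_bytes()
```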
