ARIZARD-L Archives
From: Jean Mayfield Cuevas <>
Subject: [ARIZARD-L] HAPPY99.exe
Date: Sun, 23 May 1999 15:49:53 -0400
Hi Folks,
A couple of times this week, I have received messages from folks who had
the Happy99.exe attached, so I thought I would pass along a copy of a
message sent to my listowners' Newby-L list, which will explain what to do
if you should receive this little "fellow"! :-)
Jean C.
To check to see if you have been HIT with this virus, use FIND FILES or
FOLDERS Search under the START button, and look for these files in your system.
SKA.EXE
SKA.DLL
WSOCK32.SKA
WINSOCK32.SKA
Check for any file ending in .ska, by searching for *.ska
If you find these files in your system, go to the antivirus providers'
websites (Symantec is good; Dr. Solomon's) and search for the antivirus
program specified for this virus (worm).
All viruses listed in the Virus description pages can be detected and removed
with Data Fellows Anti-virus and Data Security software.
NAME: Win32/Ska.A
ALIAS: Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA
SIZE: 10000
Win32/Ska.A is a Win32-based e-mail and newsgroup worm. It displays fireworks
when executed for the first time as Happy99.exe. (Normally this file arrives
as an e-mail attachment to a particular PC, or it is downloaded from a
newsgroup.)
When executed for the first time, it creates SKA.EXE and SKA.DLL in the system
directory. SKA.EXE is a copy of HAPPY99.EXE. SKA.DLL is packed inside SKA.EXE.
After this, Ska creates a copy of WSOCK32.DLL as WSOCK32.SKA in the system
directory. Then it tries to patch WSOCK32.DLL so that its export entries for
two functions will point to new routines (the worm's own functions) inside
the patched WSOCK32.DLL. If WSOCK32.DLL is in use, Ska.A modifies the
registry's RunOnce entry to execute SKA.EXE during the next boot-up. (When
executed as SKA.EXE it does not display the fireworks, it just tries to patch
WSOCK32.DLL until it is not in use.)
"Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the worm is able
to see if the local user has any activity on the network. When the "Connect"
or "Send" APIs are called, Ska loads its SKA.DLL containing two exports:
"news" and "mail".
Then it spams itself to the same newsgroups or the same e-mail addresses that
the user was posting or mailing to. It maps SKA.EXE to memory, converts it to
uuencoded format and mails an additional e-mail or newsgroup post with the
same header information as the original message but containing no text, just
an attachment called Happy99.exe.
Therefore Happy99 is not limited like the Win32/Parvo virus, which is unable
to use a particular news server when the user does not have access to it. The
worm also maintains a list of addresses to which it has posted a copy of
itself. This is stored in a file called LISTE.SKA. (The number of entries in
this file is limited.)
The worm contains the following encrypted text, which is not displayed:
Is it a virus, a worm, a trojan?
MOUT-MOUT Hybrid (c) Spanska 1999.
The mail header of the manipulated mails will contain a new field called
"X-Spanska: YES". Normally this header field is not visible to receivers of
the message.
Since the worm does not check WSOCK32.DLL's attribute, it cannot patch it if
it is set to read-only.
[Analysis: Peter Szor, Data Fellows]
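A check for the indicators the description above lists (the dropped *.ska files in the system directory, the "X-Spanska: YES" header, and the uuencoded Happy99.exe attachment), written here as an added example; it is not code from the original post or from Data Fellows. It uses Python on a constructed temporary directory standing in for the real system directory and on constructed sample messages.

```python
import os
import re
import tempfile
from email import message_from_string

# Dropped-file names taken from the description; matched case-insensitively.
INDICATOR_FILES = {"ska.exe", "ska.dll", "wsock32.ska", "winsock32.ska", "liste.ska"}
# The worm mails itself uuencoded, so a body line "begin <mode> Happy99.exe" is a signal.
UUENCODE_BEGIN = re.compile(r"^begin \d{3} happy99\.exe\s*$", re.IGNORECASE | re.MULTILINE)

def find_ska_indicators(system_dir):
    """Return the names in system_dir that match a known dropped file or *.ska."""
    hits = [n for n in os.listdir(system_dir)
            if n.lower() in INDICATOR_FILES or n.lower().endswith(".ska")]
    return sorted(hits)

def is_happy99_mail(raw_message):
    """True if the message carries the X-Spanska header or a Happy99.exe attachment."""
    msg = message_from_string(raw_message)
    if msg.get("X-Spanska", "").strip().upper() == "YES":
        return True
    for part in msg.walk():
        if (part.get_filename() or "").lower() == "happy99.exe":  # MIME-style attachment
            return True
        if not part.is_multipart() and UUENCODE_BEGIN.search(str(part.get_payload())):
            return True  # 1999-style inline uuencoded attachment
    return False

def build_sample_system_dir():
    """Constructed sample: a temp directory imitating an infected system folder."""
    d = tempfile.mkdtemp()
    for name in ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA", "WSOCK32.DLL", "USER32.DLL"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"sample bytes, not a real binary")
    return d

# Constructed sample messages (not real captures).
SAMPLE_UU_MAIL = ("From: alice@example.com\nTo: bob@example.com\nSubject: Happy New Year\n\n"
                  "begin 644 Happy99.exe\nM0DE3VOT\n`\nend\n")
SAMPLE_HEADER_MAIL = ("From: alice@example.com\nTo: bob@example.com\nX-Spanska: YES\n"
                      "Subject: Happy New Year\n\n")
CLEAN_MAIL = "From: alice@example.com\nTo: bob@example.com\nSubject: lunch?\n\nSee you at noon.\n"

if __name__ == "__main__":
    print("files:", find_ska_indicators(build_sample_system_dir()))
    for label, m in (("uuencoded", SAMPLE_UU_MAIL), ("header", SAMPLE_HEADER_MAIL), ("clean", CLEAN_MAIL)):
        print(label, "->", is_happy99_mail(m))
```

On a real machine, point find_ska_indicators at the Windows system directory instead of the constructed temp folder; the file-name match is the same check as the manual *.ska search in the post.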