Guest guest Posted July 5, 1999 Report Share Posted July 5, 1999 Hi everyone Please don't open the happy99.exe attachment sent under Linda's name. It is a 'worm' which will attach itself to emails you send. Linda, you will need to remove it from your computer. You can find more information at this address: http://www.datafellows.com/news/pr/eng/19990129.htm You can check out hoaxes at this address: http://www.datafellows.com/news/hoax/ Gill Allspirit Webring http://dspace.dial.pipex.com/gilleardley/webring.shtml Allspirit Website - Spiritual poetry, quotations and lyrics http://dspace.dial.pipex.com/gilleardley/ ---------------------- fwd message: If you receive a file named happy99.exe - don't open it, just delete it from your system completely! It isn't a virus, it's a worm called Happy99.Worm. The harmful program comes in the form of an attachment named Happy99.exe Description: This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment. When being executed, the program also opens a window entitled "Happy New Year 1999 showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA. WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article. If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE The registry entry loads the worm the next time Windows start. So if you have received an email with the happy99.exe as an attachment and you have opened the attachment you now have a worm on your computer. To delete this worm you need to first reboot to DOS and then type : CD \windows\system DEL ska.exe DEL ska.dll Please do not ignore this and check your computer for the worm if you received the Happy99 email. Quote Link to comment Share on other sites More sharing options...
Guest guest Posted July 5, 1999 Report Share Posted July 5, 1999 Thank you Gill - I feel sorry that we need to deal with this kind of destructive mischief. Dan At 10:08 AM 7/5/99 +0100, you wrote: >"Gill Eardley" <gilleardley > >Hi everyone > >Please don't open the happy99.exe attachment sent under Linda's name. >It is a 'worm' which will attach itself to emails you send. Linda, you will >need to remove it from your computer. > >You can find more information at this address: >http://www.datafellows.com/news/pr/eng/19990129.htm > >You can check out hoaxes at this address: >http://www.datafellows.com/news/hoax/ > >Gill > >Allspirit Webring >http://dspace.dial.pipex.com/gilleardley/webring.shtml > >Allspirit Website - Spiritual poetry, quotations and lyrics >http://dspace.dial.pipex.com/gilleardley/ > >---------------------- >fwd message: >If you receive a file named happy99.exe - don't open it, just delete it from >your system completely! It isn't a virus, it's a worm called Happy99.Worm. >The harmful program comes in the form of an attachment named Happy99.exe > >Description: This is a worm program, NOT a virus. This program has >reportedly been received through email spamming and USENET newsgroup >posting. The file is usually named HAPPY99.EXE in the email or article >attachment. > >When being executed, the program also opens a window entitled "Happy New >Year 1999 showing a firework display to disguise its other actions. The >program copies itself as SKA.EXE and extracts a DLL that it carries as >SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in >WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into >WSOCK32.SKA. > >WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The >modification to WSOCK32.DLL allows the worm routine to be triggered when a >connect or send activity is detected. When such online activity occurs, the >modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or >a new article with UUENCODED HAPPY99.EXE inserted into the email or article. >It then sends this email or posts this article. > >If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is >online), the worm adds a registry entry: > >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE >The registry entry loads the worm the next time Windows start. > >So if you have received an email with the happy99.exe as an attachment and >you have opened the attachment you now have a worm on your computer. To >delete this worm you need to first reboot to DOS and then type : > >CD \windows\system >DEL ska.exe >DEL ska.dll > >Please do not ignore this and check your computer for the worm if you >received the Happy99 email. > > > > >--------------------------- ONElist Sponsor ---------------------------- > >How has ONElist changed your life? >Share your story with us at > >------ > Quote Link to comment Share on other sites More sharing options...
Guest guest Posted July 5, 1999 Report Share Posted July 5, 1999 Hi Gill: Thanks for the information. I think the problem is taken care of, I hope that not too many others have a problem now - the original did come from this list as when I first opened it I thought it was a rather strange posting. Thanks again. Linda Hi everyone Please don't open the happy99.exe attachment sent under Linda's name. It is a 'worm' which will attach itself to emails you send. Linda, you will need to remove it from your computer. You can find more information at this address: http://www.datafellows.com/news/pr/eng/19990129.htm You can check out hoaxes at this address: http://www.datafellows.com/news/hoax/ Gill Allspirit Webring http://dspace.dial.pipex.com/gilleardley/webring.shtml Allspirit Website - Spiritual poetry, quotations and lyrics http://dspace.dial.pipex.com/gilleardley/ ---------------------- fwd message: If you receive a file named happy99.exe - don't open it, just delete it from your system completely! It isn't a virus, it's a worm called Happy99.Worm. The harmful program comes in the form of an attachment named Happy99.exe Description: This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment. When being executed, the program also opens a window entitled "Happy New Year 1999 showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA. WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article. If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE The registry entry loads the worm the next time Windows start. So if you have received an email with the happy99.exe as an attachment and you have opened the attachment you now have a worm on your computer. To delete this worm you need to first reboot to DOS and then type : CD \windows\system DEL ska.exe DEL ska.dll Please do not ignore this and check your computer for the worm if you received the Happy99 email. --------------------------- ONElist Sponsor ---------------------------- How has ONElist changed your life? Share your story with us at ------ Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You are posting as a guest. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.