
@Those damn viruses.



Okay. I know the fire's mostly out, but I did get this in my box the other
day, and thought it might be useful. If not, well...have a nice day.

Man, I'm too tired to even form acronyms. Now, THAT'S tired.



---------- Forwarded message ----------


Information Only.  No Response Requested.


Ladies and Gentlemen,

This message is being distributed to inform you of two recent virus alerts.
The majority of the Dr. Solomon's installs in the US can detect the first
virus (Happy99) but I felt it would be a good idea to inform everyone
anyway.  The second virus (Free Internet Explorer Upgrade) cannot be
detected by any of our current virus scanners used throughout the company.
Since both of these viruses spread as e-mail attachments, you can avoid
being potentially infected by them by just deleting the messages as the
attached bulletins below advise.

Thanks,
Vince Fanelli
Atlanta Central Services




AVERT - A Division of NAI Labs

Virus Name: W32/Ska (a.k.a. Happy99.exe)

This page last updated 2/1/99


W32/Ska is a worm that was first posted to several newsgroups and has been reported to several of the AVERT Labs locations worldwide. When this worm is run it displays a message "Happy New Year 1999!!" and displays "fireworks" graphics. The posting on the newsgroups has led to its propagation. It can also spread on its own, as it can attach itself to a mail message and be sent unknowingly by a user. Because of this attribute it is also considered to be a worm.

AVERT cautions all users who may receive the attachment via email to simply delete the mail and the attachment.

The worm infects a system via email delivery and arrives as an attachment called Happy99.EXE. It is sent unknowingly by a user. When the program is run it deploys its payload, displaying fireworks on the user's monitor.

Note: At this time no destructive payload has been discovered.

When Happy99.EXE is run it copies itself to the Windows\System folder under the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL into the Windows\System folder if one does not already exist.

Note: Though the SKA.EXE file is a copy of the original, it does not run as the Happy99.EXE file does, so it does not copy itself again, nor does it display the fireworks on the user's monitor.

The worm then checks for the existence of WSOCK32.SKA in the Windows\System folder; if it does not exist and the file WSOCK32.DLL does exist, it copies WSOCK32.DLL to WSOCK32.SKA.

The worm then creates the registry entry -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"

- which will execute SKA.EXE the next time the system is restarted. When this happens the worm patches WSOCK32.DLL and adds hooks to the exported functions EnumProtocolsW and WSAAsyncGetProtocolByName.

The patched code calls two exported functions in SKA.DLL called mail and news; these functions allow the worm to attach itself to SMTP e-mail and also to any postings to newsgroups the user makes.

Cleaning: To eliminate the worm from your system, a 'stand alone utility' is available (RMSKA). (It assures clean handling of SKA.EXE deletion & rename of WSOCK32.SKA to WSOCK32.DLL,
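A host check for the indicators the bulletin lists (the files dropped into the Windows\System folder and the RunOnce value that relaunches SKA.EXE), written here as an added example; it is not AVERT's RMSKA utility, the function names assess and scan_host are my own, and the System32 path used for current Windows versions is an assumption:

```python
"""Host check for the W32/Ska indicators named in the AVERT bulletin.
Added example, not the RMSKA utility. assess() is a pure check over any
input; scan_host() gathers that input from a live Windows machine."""
import os
import sys

# Indicators from the bulletin: files dropped into the Windows\System folder
# and the RunOnce value that relaunches SKA.EXE at the next restart.
SKA_FILES = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")
RUNONCE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = "Ska.exe"


def assess(system_dir_listing, runonce_values):
    """Return findings for a list of file names in the system folder and a
    dict of RunOnce value names -> data (both matched case-insensitively)."""
    names = {n.upper() for n in system_dir_listing}
    found = [f for f in SKA_FILES if f in names]
    runonce = any(k.lower() == RUNONCE_VALUE.lower()
                  and str(v).lower().startswith("ska.exe")
                  for k, v in runonce_values.items())
    return {
        "files": found,
        "runonce": runonce,
        # WSOCK32.SKA is the clean copy that the cleanup step renames back.
        "backup_available": "WSOCK32.SKA" in names,
        "infected": bool(found) or runonce,
    }


def scan_host(system_dir=None):
    """Collect the inputs from the running Windows host and assess them.
    Assumption: on current Windows the folder is System32, not Windows\\System."""
    if sys.platform != "win32":
        raise RuntimeError("live scan is only meaningful on Windows")
    import winreg
    system_dir = system_dir or os.path.join(os.environ["SystemRoot"], "System32")
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = data
    return assess(os.listdir(system_dir), values)


if __name__ == "__main__":
    # Constructed sample of an infected folder and RunOnce key, for a dry run.
    print(assess(["kernel32.dll", "ska.exe", "SKA.DLL", "wsock32.ska"],
                 {"Ska.exe": "Ska.exe"}))
```

If `backup_available` is true, the WSOCK32.SKA copy is the untouched WSOCK32.DLL the bulletin describes, which is what the rename step of the cleanup relies on.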







False Upgrade to Internet Explorer

Recent reports indicate wide distribution of an email message which claims to be a free upgrade to the Microsoft Internet Explorer web browser. However, we have confirmed with Microsoft that they do not provide patches or upgrades via electronic mail, although they do distribute security bulletins by electronic mail.

The email message contains an attached executable program called Ie0199.exe. After installation, this program makes several modifications to the system and attempts to contact other remote systems. We have received conflicting information regarding the modifications made by the Trojan horse, which could be explained by the existence of multiple versions of the Trojan horse.


At least one version of the Trojan horse is accompanied by a message which reads, in part:

    As an user of the Microsoft Internet Explorer, Microsoft Corporation provides you with this upgrade for your web browser. It will fix some bugs found in your Internet Explorer. To install the upgrade, please save the attached file (ie0199.exe) in some folder and run it.

       The above message is not from Microsoft.