Happy, Ska Virus



RickR,GroveCity
03-16-2000, 08:50 PM
Profile
Name
W32/Ska2K.worm
Aliases
Happy00, Ska, W32/Ska, W32/Ska.exe
Variants
W32/Ska
Date Added
1/18/00
Information
Discovery Date: 1/17/00
Type: Virus
SubType: worm
Risk Assessment: Low
Minimum DAT: 4012
Minimum Engine: 4.0.25
Characteristics
*Note: this edition of the worm is only a minor variation of the original
first identified in February 1999. This worm is detected with current DAT
files.*
The file may be received by email with a size of 10,000 bytes. The worm, if
run, will patch WSOCK32.DLL to promote distribution by email on the host
system if the email application supports SMTP email communication. If the
host supports this environment, emails sent from the host will be
followed by a second message with the worm either attached or included as
MIME, such as this:
>X-Spanska: Yes
>
>begin 644 Happy00.exe
>M35I0`
(````$``\`__\``+@`````````0``:```````````````````` ````
>M``````````````````````$``+H0``X?M`G-(;@!3,TAD)!4:&ES('!R;V=R
The above was truncated intentionally and was partially included for the
benefit of this description. When this worm is run it displays the message
"Happy New Year 2000!!" and displays "fireworks" graphics.
AVERT cautions all users who may receive the attachment via email to simply
delete the mail and the attachment. The worm infects a system via email
delivery and arrives as an attachment called Happy99.EXE. It is sent
unknowingly by a user. When the program is run it deploys its payload,
displaying fireworks on the user's monitor.
When HAPPY00.EXE is run it copies itself to the Windows\System folder under
the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL
into the Windows\System folder if one does not already exist.
Note: Though the SKA.EXE file is a copy of the original, it does not run as
the HAPPY00.EXE file does, so it does not copy itself again, nor does it
display the fireworks on the user's monitor.
The worm then checks for the existence of WSOCK32.SKA in the Windows\System
folder. If it does not exist and the file WSOCK32.DLL does exist, it
copies WSOCK32.DLL to WSOCK32.SKA as a backup copy.
The worm then creates the registry entry -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
Ska.exe="Ska.exe"
- which will execute SKA.EXE the next time the system is restarted. When
this happens the worm patches WSOCK32.DLL and adds hooks to the exported
functions EnumProtocolsW and WSAAsyncGetProtocolByName.
The patched code calls two exported functions in SKA.DLL called mail and
news, these functions allow the worm to attach itself to SMTP e-mail and
also to any postings to newsgroups the user makes (NNTP).
Symptoms
Existence of the files HAPPY00.EXE, SKA.EXE, SKA.DLL and WSOCK32.SKA on the
local system; modifications to the system registry as mentioned above;
email mailings as mentioned above.
Method Of Infection
Running the executable will patch WSOCK32.DLL with two routines to assist
spreading by SMTP/NNTP transfers.
Removal Instructions
Use specified engine and DAT files for detection. Removal requires manual
operation: You will need to reboot to MS-DOS mode as WSOCK32.DLL cannot be
changed under Windows. "SHUTDOWN | RESTART TO MSDOS MODE" and when at the
command prompt, type in these instructions:
CD C:\WINDOWS\SYSTEM
REN WSOCK32.DLL WSOCK32.BAD
REN WSOCK32.SKA WSOCK32.DLL
DEL SKA.EXE
DEL SKA.DLL
COPY LISTE.SKA C:\
The above is sufficient to stop the worm from working. To restart Windows,
type EXIT. Note that the file LISTE.SKA contains a listing of persons who
have received the HAPPY00.EXE file unsolicited from you. It would be good
netiquette to inform them of this misdeed and forward them the removal
instructions as well.



------------------
RickR (riggerb@aol.com)
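The indicators listed in the profile above (the "X-Spanska: Yes" header on the outgoing copy, a uuencoded Happy99.exe / Happy00.exe attachment, the dropped SKA.EXE, SKA.DLL, WSOCK32.SKA and LISTE.SKA files, and the RunOnce value Ska.exe="Ska.exe") turned into two offline checks. This is an added example, not part of RickR's post or of AVERT's profile. scan_message() parses a raw message with the standard email module and flags the header or a uuencoded worm-named attachment whose decoded bytes begin with the "MZ" executable signature; host_indicators() takes a listing of the Windows\System folder and the RunOnce values as plain Python inputs instead of reading a live Windows system, an assumption made so it runs anywhere. The two sample messages and the 8-byte MZ stub standing in for the attachment are constructed for this example and are not the worm.

```python
"""Offline indicator checks for W32/Ska (Happy99 / Happy00).

Added example, not AVERT's or the original poster's code. The sample
messages and the MZ stub below are constructed for this example.
"""
import binascii
import email
import re
from email import policy

SPANSKA_HEADER = "X-Spanska"                          # set to "Yes" on the worm's copy
WORM_ATTACHMENTS = {"happy99.exe", "happy00.exe"}     # attachment names from the profile
DROPPED_FILES = {"ska.exe", "ska.dll", "wsock32.ska", "liste.ska"}
RUNONCE_NAME, RUNONCE_DATA = "ska.exe", "ska.exe"     # ...\RunOnce\Ska.exe="Ska.exe"
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (?P<name>\S.*)$")

# Constructed stand-in for the attachment: the first 8 bytes of a DOS/PE
# header. Real Windows executables start with the two bytes "MZ".
MZ_STUB = b"MZ\x90\x00\x03\x00\x00\x00"
UU_LINE = binascii.b2a_uu(MZ_STUB, backtick=True).decode("ascii").rstrip("\n")

SAMPLE_MESSAGE = (                      # constructed: what the second, worm-sent mail looks like
    "From: victim@example.net\n"
    "To: friend@example.net\n"
    "Subject: Happy New Year 2000!!\n"
    f"{SPANSKA_HEADER}: Yes\n"
    "\n"
    "begin 644 Happy00.exe\n"
    f"{UU_LINE}\n"
    "`\n"
    "end\n"
)
CLEAN_MESSAGE = (                       # constructed: an ordinary uuencoded text attachment
    "From: alice@example.net\n"
    "Subject: minutes\n"
    "\n"
    "begin 644 minutes.txt\n"
    f"{binascii.b2a_uu(b'hello', backtick=True).decode('ascii').rstrip()}\n"
    "`\n"
    "end\n"
)


def decode_uu_block(lines):
    """Decode the data lines that follow a uuencode 'begin' line.

    Stops at the zero-length line ('`'), at 'end', or at a blank line.
    """
    out = bytearray()
    for line in lines:
        if line.rstrip() in ("", "`", "end"):
            break
        out += binascii.a2b_uu(line)
    return bytes(out)


def _text_lines(msg):
    """Yield the body lines of every text/plain part (single or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            yield from part.get_content().splitlines()


def scan_message(raw):
    """Report whether a raw RFC 822 message carries the worm's indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {"spanska_header": False, "worm_attachments": [], "infected": False}
    if str(msg.get(SPANSKA_HEADER, "")).strip().lower() == "yes":
        result["spanska_header"] = True
    lines = list(_text_lines(msg))
    for i, line in enumerate(lines):
        m = UU_BEGIN.match(line.rstrip())
        if not m or m.group("name").lower() not in WORM_ATTACHMENTS:
            continue
        # Name alone is weak evidence; confirm the payload is an executable.
        if decode_uu_block(lines[i + 1:]).startswith(b"MZ"):
            result["worm_attachments"].append(m.group("name"))
    result["infected"] = result["spanska_header"] or bool(result["worm_attachments"])
    return result


def host_indicators(system_dir_files, runonce_values):
    """Match a Windows\\System listing and RunOnce values against the profile.

    Inputs are passed in (assumption) so the check runs without a Windows host.
    """
    found = sorted(f for f in system_dir_files if f.lower() in DROPPED_FILES)
    runonce_hit = any(
        name.lower() == RUNONCE_NAME and value.strip('"').lower() == RUNONCE_DATA
        for name, value in runonce_values.items()
    )
    return {"dropped_files": found, "runonce_ska": runonce_hit,
            "infected": bool(found) or runonce_hit}


if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
    print(scan_message(CLEAN_MESSAGE))
    print(host_indicators(["KERNEL32.DLL", "SKA.EXE", "WSOCK32.SKA"], {"Ska.exe": "Ska.exe"}))
```

The header check is kept separate from the attachment check on purpose: the profile says the X-Spanska header is added to the worm's own outgoing copy, so it is a reliable marker even when a gateway has already stripped or renamed the attachment, while the attachment check guards against false positives from an unrelated file that merely reuses the name.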