[Donmca at aol.com: Fwd: Fw: Virus Alert]
Hector Gonzalez
bb268 at scn.org
Tue Mar 23 09:22:04 PST 1999
================= Begin forwarded message =================
From: Donmca at aol.com (unknown)
To: Supernet1 at aol.com, clschibig at hotmail.com, Camco2 at aol.com, denzili at juno.com, DAlmqEnt at aol.com, donnamel at hotmail.com, rgross at sinclair.net, bb268 at scn.org, ockerseattle at msn.com, jim at kendaco.telebyte.com, tomk at seanet.com, VirgJill at aol.com, jirand at worldnet.att.net, aa314 at gpfn.sk.ca, karen at jeffklassenfishing.com
Cc: karlh at iea.com, kwagner at silverlink.net, langel at televar.com, lisray at safeco.com, imac at infinet.net, MARCIASTAR at aol.com, marlat at safeco.com, Fergusson1 at aol.com, m_egilson at ducks.ca, mcammond at wsunix.wsu.edu, JNalley100 at aol.com, noneill at home.com, Srnandjrn at aol.com, pkelly1 at gte.net, RPpool at aol.com
Subject: Fwd: Fw: Virus Alert
Date: Mon, 22 Mar
> In a message dated 3/22/99 10:00:16 AM Pacific Standard Time,
> kscmrobin at juno.com writes:
>
> > Subj: Fw: Virus Alert
> > Date: 3/22/99 10:00:16 AM Pacific Standard Time
> > From: kscmrobin at juno.com (Kenneth S. Robinson)
> > To: B_Hardy at msn.com, camco2 at aol.com, hhawk at juno.com, jkeliher at mwmgl.org,
> > cunamara at gte.net, Donmca at aol.com, jdreid at telebyte.net, greystroke at juno.com,
> > jhrco at hurricane.net, kerobin at juno.com
> >
> > Dear Friends,
> >
> > Charrison Lochaby is a close personal friend who sent me the following
> > message. I trust his judgement. Hope this helps ward off problems.
> >
> > Ken Robinson
> >
> > --------- Forwarded message ----------
> > From: "Charrison Lochaby" <clochaby at whidbey.com>
> > Date: Mon, 22 Mar 1999 09:22:36 -0800
> > Subject: Virus Alert
> > Message-ID: <000301be7488$94887e20$61355ecc at dell>
> >
> > Dear Friends
> >
> > I usually do not pay any attention to "Virus Alerts" as many of them are
> > hoaxes. However I know of two people whose computers have been infected
> > with the "Happy99" worm. One on the East Coast and the other a true and
> > trusted friend who forwarded the following to me and I am in turn sending
> > it on to everyone that I know.
> >
> > Charrison Lochaby
> >
> >
> >
> >
> >
> > ===== A message from the 'whatnext' discussion list =====
> >
> > Some time early this week or late last week a message was sent with an
> > attachment called "Happy99". This is a TERRIBLE virus that has been
> > making my life a living hell for the last 24 hours. It infects your
> > entire system. DO NOT OPEN IT UNDER ANY CIRCUMSTANCES!!!!!!!!!!!
> >
> > Below is info on how to deal with this virus.
> >
> >
> > Hello Listowners. Please consider forwarding this message to your lists.
> > The "happy99.exe" worm continues to rear its ugly head, and we'd like to
> > warn the conservation community about it. I received it today from
> > someone in Turkey...
> > Thanks,
> > Steve Albertson (ONE/Northwest)
> >
> > --------------------------------------------------------
> > Reminder: Do Not Open the File Named "happy99.exe"
> > An email is floating around the conservation community (and the Internet
> > in general) that contains an attached file usually called "happy99.exe".
> > Please be warned that this attached file *most likely* contains a "worm"
> > that can harm your system.
> > Please do not open the happy99.exe file, or forward it to anyone asking
> > that they do so. You cannot contract this worm by simply opening the email
> > message in which the happy99.exe file is attached, but do not download or
> > click on (launch) the happy99.exe file.
> > A worm is like a virus in that it invades your computer system, but does
> > not attach itself to a host program. If you think you might have come in
> > contact with the happy99.exe file, below are the recommended steps to get
> > rid of it from the Symantec AntiVirus home page.
> > In general, there are three things you can do to protect yourself from
> > viruses and worms:
> > 1. Purchase anti-virus software to protect your machine(s). This software
> > can scan every new file that comes onto your computer and alert you to the
> > presence of *most* viruses, worms and other damaging files. Symantec
> > (http://www.symantec.com) makes an excellent and affordable product called
> > Norton AntiVirus that you should investigate.
> > 2. Never open or download files attached to email messages without first
> > checking them for viruses, particularly if they come from people you don't
> > know or trust. This is particularly true for "executable" files (files that
> > run software programs when launched), but can also apply to Word files
> > which can also be infected with annoying and damaging viruses. For more
> > information about viruses, see our general document at
> > http://www.onenw.org/toolkit/virus.html.
> > 3. Before forwarding a "warning" message about viruses to your friends and
> > colleagues, confirm that the warning is for a real virus/worm and not
> > another hoax. Hoax viruses are ones that don't exist but are endlessly
> > described in email messages warning people about them! One place you can
> > go to verify whether a warning message is about a real virus or not is the
> > Virus Myths Web page, at http://www.kumite.com/myths/ .
> >
> > Overall, use your judgement and common sense, and be reasonably cautious.
> > * Steve Albertson (ONE/Northwest)
> >
> > ---------------------------------------------------------
> > (From Symantec's AntiVirus web site, downloaded March 9, 1999):
> > Happy99.Worm
> > VirusName: Happy99.Worm
> > Aliases: Trojan.Happy99, I-Worm.Happy
> > Likelihood: Common
> > Region Reported: US, Europe
> > Characteristics: Trojan Horse, Worm
> >
> > Description:
> > This is a worm program, NOT a virus. This program has reportedly been
> > received through email spamming and USENET newsgroup posting. The file is
> > usually named HAPPY99.EXE in the email or article attachment.
> > When being executed, the program also opens a window entitled "Happy New
> > Year 1999 !!" showing a firework display to disguise its other actions. The
> > program copies itself as SKA.EXE and extracts a DLL that it carries as
> > SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
> > WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
> > WSOCK32.SKA.
> > WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
> > modification to WSOCK32.DLL allows the worm routine to be triggered when a
> > connect or send activity is detected. When such online activity occurs, the
> > modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email
> > or a new article with UUENCODED HAPPY99.EXE inserted into the email or
> > article.
> > It then sends this email or posts this article.
> > If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
> > online), the worm adds a registry entry:
> > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
> > The registry entry loads the worm the next time Windows starts.
> >
> > Removing the worm manually:
> >
> > 1. delete WINDOWS\SYSTEM\SKA.EXE
> > 2. delete WINDOWS\SYSTEM\SKA.DLL
> > 3. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
> > 4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
> > 5. delete the downloaded file, usually named HAPPY99.EXE
> >
> > Windows prevents you from doing steps #3 and #4 above if the machine is still
> > connected to the Internet. The file "windows\system\wsock32.dll" is used
> > whenever the machine is connected to Internet (i.e. through dial-up or LAN
> > connection).
> >
> > If you are using dial-up connection (i.e. America Online), you need to do
> > the following:
> > 1. terminate internet connection
> > 2. delete WINDOWS\SYSTEM\SKA.EXE
> > 3. delete WINDOWS\SYSTEM\SKA.DLL
> > 4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
> > 5. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
> > 6. delete the downloaded file, usually named HAPPY99.EXE
> >
> > If you are connected to Internet through LAN (i.e. in the office or cable
> > modem), you need to do the following:
> > 1. From the Start menu, select shutdown-restart in MS DOS mode
> > 2. type CD \windows\system when DOS prompt (C:\)appears
> > 3. type RENAME WSOCK32.DLL WSOCK32.BAK
> > 4. type RENAME WSOCK32.SKA WSOCK32.DLL
> > 5. type DEL SKA.EXE
> > 6. type DEL SKA.DLL
> >
> >
> > Safe Computing:
> > This worm and other trojan-horse type programs demonstrate the need to
> > practice safe computing. One should not execute any executable-file
> > attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email
> > or a newsgroup article from an untrusted source.
> > Norton AntiVirus users can protect themselves from this virus by
> > downloading the current virus definitions either through LiveUpdate or
> > from the following webpage:
> > http://www.symantec.com/avcenter/download.html
> > Write-up by: Raul K. Elnitiarta
> > March 2, 1999
> >
> > ----------------------------------------------------------
> > Steve Albertson
> > ONE/Northwest
> > 'Online Networking for the Environment'
> > 1601 2nd Avenue, Suite 605
> > Seattle, WA 98101
> >
> > Email: stevea at onenw.org
> > Phone: 206-448-1008
> > Fax: 206-448-7222
> > Web: http://www.onenw.org
> >
> >
From: Donmca at aol.com
Return-path: <Donmca at aol.com>
To: tinker at kalama.com, skogldg at cen.quik.com, jbgrobler at worldfront.com,
BMHaave at aol.com, JOECARIVEY at aol.com, hairctr at ritzcom.net,
jnblough at crcwnet.com, Donmca at aol.com, cmoll at windermere.com,
k7ioo at televar.com, JP3712 at aol.com
Cc: sschibig at wolfenet.com, marching at webtv.net, kenkay at ix.netcom.com,
aluberts at earthlink.net, Bealswood at aol.com, McAmmond at aol.com,
Picketb at aol.com, toydoghouse at worldnet.att.net, scottbp at worldnet.att.com,
bealouchubb at msn.com, rafinnigan at earthlink.net, B_Hardy at email.msn.com
Subject: Fwd: Fw: Virus Alert
Date: Tue, 23 Mar 1999 02:32:39 EST
Return-Path: <kscmrobin at juno.com>
Received: from rly-zc03.mx.aol.com (rly-zc03.mail.aol.com [172.31.33.3]) by
air-zc01.mail.aol.com (v58.13) with SMTP; Mon, 22 Mar 1999 13:00:15
-0500
Received: from m3.jersey.juno.com (m3.jersey.juno.com [209.67.33.61])
by rly-zc03.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0)
with ESMTP id NAA15683;
Mon, 22 Mar 1999 13:00:08 -0500 (EST)
Received: (from kscmrobin at juno.com)
by m3.jersey.juno.com (queuemail) id D6B6E7QA; Mon, 22 Mar 1999 12:57:41 EST
To: B_Hardy at msn.com, camco2 at aol.com, hhawk at juno.com, jkeliher at mwmgl.org,
cunamara at gte.net, Donmca at aol.com, jdreid at telebyte.net,
greystroke at juno.com, jhrco at hurricane.net, kerobin at juno.com
Date: Mon, 22 Mar 1999 09:55:22 -0900
Subject: Fw: Virus Alert
Message-ID: <19990322.095524.-967401.0.kscmrobin at juno.com>
X-Mailer: Juno 2.0.11
X-Juno-Line-Breaks:
0-1,3-17,19-30,32-40,42-48,50-53,55-64,66,68-69,71-73,75,77,79-82,84-86,88-108,110-115,117,119,121,123-126,128-140,142-166,168-169,171-189
X-Juno-Att: 0
From: "Kenneth S. Robinson" <kscmrobin at juno.com>
--
-Hector Gonzalez- bb268 at scn.org
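
The manual removal steps in the Symantec write-up forwarded above, turned into a check that first looks at which artifacts are present and then orders the steps. This is an added example, not part of the forwarded messages or of Symantec's tooling; the function names, the RunOnce value name and the sample files are constructed, and skipping the rename when WSOCK32.SKA is absent is this example's assumption.

```python
"""Check for the Happy99 artifacts named in the forwarded write-up and
build the matching cleanup plan. Added example; sample data is constructed."""
import os
import tempfile

WORM_FILES = ("SKA.EXE", "SKA.DLL")   # worm copies in WINDOWS\SYSTEM
BACKUP = "WSOCK32.SKA"                # worm's copy of the original DLL
LIVE = "WSOCK32.DLL"                  # DLL the worm modifies
SET_ASIDE = "WSOCK32.BAK"             # name used in the write-up's rename step


def find_artifacts(system_dir, runonce):
    """Return (files present, RunOnce value names that start SKA.EXE).

    runonce maps value name -> command line, as read from
    HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce.
    """
    # Windows 9x file names are case-insensitive, so compare in upper case.
    on_disk = {name.upper(): name for name in os.listdir(system_dir)}
    files = {k: on_disk[k] for k in WORM_FILES + (BACKUP, LIVE) if k in on_disk}
    pending = sorted(
        name for name, cmd in runonce.items()
        if cmd.strip().strip('"').replace("/", "\\").split("\\")[-1].upper()
        == "SKA.EXE"
    )
    return files, pending


def plan_cleanup(files, pending):
    """Order the write-up's manual steps for what was actually found."""
    plan = []
    if BACKUP in files:
        # The worm saved the original DLL, so the live one is the modified copy.
        if LIVE in files:
            plan.append(("rename", files[LIVE], SET_ASIDE))
        plan.append(("rename", files[BACKUP], LIVE))
    # Assumption of this example: with no WSOCK32.SKA the DLL was never
    # swapped (the RunOnce case), and renaming it would leave no WSOCK32.DLL.
    for key in WORM_FILES:
        if key in files:
            plan.append(("delete", files[key]))
    for name in pending:
        plan.append(("remove_runonce", name))
    return plan


def apply_plan(system_dir, plan):
    """Carry out the file steps; return registry steps left for the operator."""
    manual = []
    for step in plan:
        if step[0] == "rename":
            os.replace(os.path.join(system_dir, step[1]),
                       os.path.join(system_dir, step[2]))
        elif step[0] == "delete":
            os.remove(os.path.join(system_dir, step[1]))
        else:
            manual.append(step)
    return manual


def demo():
    """Run both infection states against constructed directories."""
    results = {}
    with tempfile.TemporaryDirectory() as patched:
        # Constructed sample: the worm has already swapped the DLL.
        for name, body in [("ska.exe", b"w"), ("Ska.dll", b"w"),
                           ("WSOCK32.DLL", b"modified"),
                           ("WSOCK32.SKA", b"original")]:
            with open(os.path.join(patched, name), "wb") as fh:
                fh.write(body)
        files, pending = find_artifacts(patched, {})
        results["patched_plan"] = plan_cleanup(files, pending)
        apply_plan(patched, results["patched_plan"])
        results["patched_after"] = sorted(os.listdir(patched))
        with open(os.path.join(patched, LIVE), "rb") as fh:
            results["restored_dll"] = fh.read()
    with tempfile.TemporaryDirectory() as deferred:
        # Constructed sample: the DLL was in use, so the worm waits in RunOnce.
        for name in ("SKA.EXE", "SKA.DLL", "WSOCK32.DLL"):
            with open(os.path.join(deferred, name), "wb") as fh:
                fh.write(b"x")
        files, pending = find_artifacts(deferred, {"ska": "SKA.EXE"})
        results["deferred_plan"] = plan_cleanup(files, pending)
        results["deferred_manual"] = apply_plan(deferred, results["deferred_plan"])
        results["deferred_after"] = sorted(os.listdir(deferred))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
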