Re: [MV] Read this.

Just fishin' from my (gamma_goat@plazma.net)
Tue, 02 Feb 1999 13:43:53 -0800

At 10:28 AM 2/2/99 -0600, you wrote:
>Who sent that out?
>They should be removed from the list.
>I deleted it right away because I saw the .exe

i'm not sure if that's an appropriate reaction, since the .exe file was not
knowingly being sent (that's what the virus does) and i must say, that he
probably saved me from sending it to 20,000 people (the collective number
of people on all the mailing lists i'm on) by his fast "heads up here's
what happened" action.

2 people got it from me, and it has been squashed on my system, and any
system i sent it to. this branch is clear.

>Just fishin' from my wrote:
>
>> also, it creates a file called liste.ska in windows system, this will be a
>> list of those people the virus has sent itself to.
>> -dd
>>
>> Happy99.Worm
>> VirusName: Happy99.Worm
>> Aliases: Trojan.Happy99, I-Worm.Happy
>> Likelihood: Common
>> Region Reported: US, Europe
>> Keys: Trojan Horse, Worm
>>
>> Description:
>>
>> This is a worm program, NOT a virus. This program has reportedly been
>> received through email spamming and USENET newsgroup posting. The file is
>> usually named HAPPY99.EXE in the email or article attachment.
>>
>> When being executed, the program also opens a window entitled "Happy New
>> Year 1999 !!" showing a firework display to disguise its other actions. The
>> program copies itself as SKA.EXE and extracts a DLL that it carries as
>> SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
>> WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
>> WSOCK32.SKA.
>>
>> WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
>> modification to WSOCK32.DLL allows the worm routine to be triggered when a
>> connect or send activity is detected. When such online activity occurs, the
>> modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or
>> a new article with UUENCODED HAPPY99.EXE inserted into the email or
>> article. It then sends this email or posts this article.
>>
>> If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
>> online), the worm adds a registry entry:
>>
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
>>
>> The registry entry loads the worm the next time Windows starts.
>>
>> Removing the worm manually:
>>
>> 1. delete WINDOWS\SYSTEM\SKA.EXE
>> 2. delete WINDOWS\SYSTEM\SKA.DLL
>> 3. replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
>> 4. delete the downloaded file, usually named HAPPY99.EXE
>>
>> and there you have it.
>> -dd
>>
>> \\\\\//
>> \\|// _\\|//_ | | _\\|//_ \\|//
>> (@ @) (' 0-0 ') (.) (.) (' @-@ ') (o-o)
>> +-=oOOo-(_)-oOOo=oo0=(_)=0oo=oOO=-(_)-=OOo=oo0=(_)=0oo=oOOo-(_)-oOOo=-+
>> Plazma Networking Services / Level Seven inc.
>> Connecting the World....
>> http://www.plazma.net http://www.L7.net http://www.L7.org /"\
>> Olympia's "one stop" InterNetworking Provider 1 (360) 357 - 7315 \ /
>> +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ X
>> ASCII Ribbon campaign against HTML E-Mail >- - - - - - - - - - - - - -> / \

===
To unsubscribe from the mil-veh mailing list, send the single word
UNSUBSCRIBE in the body of a message to <mil-veh-request@skylee.com>.
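
Added example, not part of the original message or the quoted description: a small Python check that looks in a WINDOWS\SYSTEM directory (for instance on a mounted disk copy) for the file names the description lists and maps them to the manual removal steps. The function name, the action wording and the sample directory are assumptions made for illustration.

```python
import os
import tempfile

WORM_FILES = ("ska.exe", "ska.dll")   # worm copy and the DLL it extracts
SENT_LIST = "liste.ska"               # list of addresses the worm mailed
BACKUP = "wsock32.ska"                # original WSOCK32.DLL saved by the worm
PATCHED = "wsock32.dll"               # library the worm modifies


def check_system_dir(system_dir):
    """Return (findings, actions) for one WINDOWS\\SYSTEM directory."""
    # FAT names are case-insensitive, so index the listing by lowercase name.
    present = {name.lower(): name for name in os.listdir(system_dir)}
    wanted = WORM_FILES + (BACKUP, SENT_LIST)
    findings = [present[n] for n in wanted if n in present]
    actions = ["delete " + present[n] for n in WORM_FILES if n in present]
    if BACKUP in present:
        # Step 3 of the manual removal: put the saved original back.
        target = present.get(PATCHED, "WSOCK32.DLL")
        actions.append("replace %s with %s" % (target, present[BACKUP]))
    elif actions:
        # Worm files without the backup: per the description, WSOCK32.DLL was
        # in use and the worm queued itself through RunOnce instead.
        actions.append("check RunOnce for SKA.EXE; WSOCK32.DLL may be unpatched")
    if SENT_LIST in present:
        actions.append("keep %s to notify recipients" % present[SENT_LIST])
    return findings, actions


if __name__ == "__main__":
    # Constructed sample directory standing in for WINDOWS\SYSTEM.
    sample = tempfile.mkdtemp()
    for name in ("SKA.EXE", "SKA.DLL", "WSOCK32.DLL", "WSOCK32.SKA", "LISTE.SKA"):
        open(os.path.join(sample, name), "wb").close()
    found, todo = check_system_dir(sample)
    print("found:", ", ".join(found) or "nothing")
    for step in todo:
        print(" -", step)
```
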