Virus Alert! - Happy99
Modern Internet worm discovered. It goes by the name of Happy99.
This computer worm is a kind of virus program that does not
infect files to spread its copies, but simply sends itself out
over the Internet as an attachment to e-mail messages.
The worm arrives as an e-mail attachment named HAPPY99.EXE.
Note: the affected sender does not know that the worm attaches itself to
e-mails on sending.
When an infected attachment is executed and gets control, the
worm displays a simulated fireworks display in a window to
hide its malicious nature. During that time, it installs itself
into the system, hooks into the Internet subsystem of your Windows installation,
and waits for you to send an e-mail. When you send an e-mail, it intercepts
the sending function and re-sends a copy of the same e-mail to the same recipient,
attaching itself to the second e-mail. This is done without the sender's knowledge.
As a result, the worm installed on your system is able to spread copies of itself
to every address that you send e-mail to.
Removal and Protection
If the worm is detected on your system you can easily get rid
of it by deleting the SKA.EXE and SKA.DLL files in the Windows
system directory (steps for this are included below). You should also delete the WSOCK32.DLL file and
replace it with the original WSOCK32.SKA file. The original HAPPY99.EXE
file should also be located and deleted.
To protect your computer from re-infection you need only
set the Read-Only attribute on the WSOCK32.DLL file. The worm
does not pay attention to the Read-Only attribute, and so fails to patch the file.
This trick was discovered by Peter Szor at DataFellows:
http://www.datafellows.com
Steps for Removal
- Once you are satisfied that all Happy99 messages are deleted from your e-mail inbox, close down your computer. At this point, you have two choices: throw it out, or restart it.
- You must restart in DOS mode, as you cannot make these changes from within Windows.
- To do this:
- Click on the Start button, then click Find -> Files and search for SKA.* - two files should show up, SKA.EXE and SKA.DLL. Write down the path that shows up with them (usually c:\windows\system).
- Again use the Find tool to find a file called WSOCK32.* - it should again return two, one called WSOCK32.DLL and one called WSOCK32.SKA. Again write down the path and names of these files.
- Make sure you have your Windows 95/98 CD handy, as you will need to re-install Windows to complete the fix (do not re-install yet).
- Click Shutdown, and restart in DOS mode.
- Enter the following commands:
- cd (usually cd c:\windows\system)
- Delete by typing "del SKA.DLL"
- del SKA.EXE
- cd (i.e. cd c:\windows\system)
- del WSOCK32.DLL
- del WSOCK32.SKA
- We had several of these files named this way.
- Delete each and every one that has that name.
- After completing these commands, reboot to Windows, and re-install Windows.
- After re-installing Windows, use the Find tool to locate WSOCK32.DLL.
- Use your mouse to right-click on the file named WSOCK32.DLL in the Find interface.
- When you find it, click on "Properties".
- Make sure that the "Read-only" box is checked, click OK and re-boot. This will kill any future incoming viruses of that nature!
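As an added example that is not part of the original page or its authors' instructions, the following Python script automates the checks behind the removal steps above: it walks a directory looking for the files the page names (SKA.EXE, SKA.DLL, HAPPY99.EXE and the WSOCK32.SKA backup), compares the live WSOCK32.DLL against the backup by content hash rather than by size (the page's Technical Details note that the patch does not grow the file), reports whether the Read-Only protection is set, and parses a .reg-style registry export for the RunOnce entry the page describes. The directory contents and registry text it runs on are constructed inside the script, and using the default value (@) under RunOnce is an assumption, since the page only shows "RunOnce=SKA.EXE".

```python
# Added example for this page (not the page's own tooling): hunt for the
# Happy99 indicators described above in a directory tree and a registry export.
import hashlib
import os
import stat
import tempfile

WORM_FILES = {"SKA.EXE", "SKA.DLL", "HAPPY99.EXE"}   # worm components and dropper
BACKUP_NAME = "WSOCK32.SKA"                           # copy the worm makes
PATCHED_NAME = "WSOCK32.DLL"                          # file the worm patches
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan_directory(system_dir):
    """Walk system_dir and report the indicator files found (names are matched
    case-insensitively, as Windows would)."""
    found = {"worm_files": [], "backup": None, "patched": None,
             "dll_modified": None, "dll_read_only": None}
    for root, _dirs, files in os.walk(system_dir):
        for name in files:
            path = os.path.join(root, name)
            upper = name.upper()
            if upper in WORM_FILES:
                found["worm_files"].append(path)
            elif upper == BACKUP_NAME:
                found["backup"] = path
            elif upper == PATCHED_NAME:
                found["patched"] = path
    if found["patched"]:
        # Read-only is the re-infection protection the page recommends.
        mode = os.stat(found["patched"]).st_mode
        found["dll_read_only"] = not (mode & stat.S_IWUSR)
    if found["patched"] and found["backup"]:
        # The page says the patch does not change the file size, so a size
        # comparison proves nothing; compare content hashes instead.
        found["dll_modified"] = sha256(found["patched"]) != sha256(found["backup"])
    return found


def runonce_points_to_worm(reg_text):
    """Return True if a .reg-style export has a RunOnce value whose data
    names SKA.EXE (the key the worm writes when it cannot patch the DLL)."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNONCE_KEY.lower()
        elif in_key and "=" in line:
            data = line.split("=", 1)[1].strip().strip('"')
            if data.upper().endswith("SKA.EXE"):
                return True
    return False


# Constructed sample registry export. The page only shows "RunOnce=SKA.EXE";
# placing the data in the default value (@) is an assumption.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
@="SKA.EXE"
"""


def build_sample_infected_dir():
    """Construct a throwaway directory that mimics an infected system dir."""
    d = tempfile.mkdtemp(prefix="happy99_demo_")
    clean = b"MZ" + b"\0" * 62 + b"clean wsock32 export table"
    for name in ("SKA.EXE", "SKA.DLL"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"MZ")
    with open(os.path.join(d, BACKUP_NAME), "wb") as f:
        f.write(clean)
    with open(os.path.join(d, PATCHED_NAME), "wb") as f:
        f.write(clean[:-5] + b"PATCH")       # same length, different bytes
    return d


def demo():
    """Run the scan before and after setting WSOCK32.DLL read-only."""
    d = build_sample_infected_dir()
    before = scan_directory(d)
    os.chmod(os.path.join(d, PATCHED_NAME), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    after = scan_directory(d)
    return {
        "worm_files": sorted(os.path.basename(p).upper() for p in before["worm_files"]),
        "dll_modified": before["dll_modified"],
        "read_only_before": before["dll_read_only"],
        "read_only_after": after["dll_read_only"],
        "runonce": runonce_points_to_worm(SAMPLE_REG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run on a real machine you would point scan_directory at the Windows system directory you wrote down in the steps above and feed runonce_points_to_worm the output of a registry export; the hash comparison is the part that matters, because an unchanged size tells you nothing here.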
Things to Remember
Whatever you do, do not open and do not execute the HAPPY99.EXE file that you
have received as an attachment in any message, ever, even if
you get it from a trusted source.
You should also remember: files that you have got
from the Internet can contain malicious code that may
infect your computer, destroy your data, send confidential
files to the Internet, or install spy
programs to monitor your computer from a remote host.
Opening MS Office files with virus protection disabled and
executing untrusted executable files is extremely risky.
You should remember that each time you see an attachment in an
incoming message.
Technical Details
While installing, the worm copies itself to the Windows system
directory with the name SKA.EXE, and drops an additional SKA.DLL
file in the same directory.
The worm then copies WSOCK32.DLL to WSOCK32.SKA (i.e. makes a "backup") and
patches the WSOCK32.DLL file with its malicious code.
If WSOCK32.DLL is in use and cannot be opened for writing,
the worm creates a new key in the system registry to run its
dropper routine when you next reboot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The WSOCK32.DLL patch consists of a worm initialization routine and
two redirected exports. The initialization routine is just a small
piece of worm code, only 202 bytes. It is saved to the end of the
WSOCK32.DLL code section (the ".text" section). WSOCK32.DLL
has enough space there for that, so the size of WSOCK32.DLL does
not increase during infection.
The worm then patches the WSOCK32.DLL export table so that
two functions ("connect" and "send") point to the worm
initialization routine at the end of the WSOCK32.DLL code section.
When a user connects to the Internet, WSOCK32.DLL is
activated, and the worm hooks two events: connection and data sending.
The worm monitors the e-mail and news (NNTP) ports, 25 and 119.
When it detects a connection on one of these ports, it loads
its SKA.DLL library, which has two exports: "mail" and "news".
Depending on the port number the worm
calls one of these routines; both of them create a new message,
insert the UUencoded worm HAPPY99.EXE dropper into it, and send it to
the Internet address.
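The export redirection described above is something a defender can check for directly, because the worm leaves its own reference copy behind as WSOCK32.SKA. The script below is an added example, not code from the original page or from the researcher it cites: it parses the export directory of a PE32 image, maps each named export to its entry-point RVA, and lists the exports whose RVA differs between the backup and the live DLL. A real WSOCK32.DLL cannot be shipped here, so the script constructs two tiny PE32 images in memory with made-up RVAs; in the "live" one, "connect" and "send" both resolve to a single address high in the code section, mirroring the patch the page describes.

```python
# Added example (not from the original page): find exports whose entry point
# was redirected by comparing the export table of the backup WSOCK32.SKA with
# the live WSOCK32.DLL. Minimal PE32 parser; the sample images are constructed.
import struct


def _headers(data):
    """Return (export_dir_rva, [(vaddr, size, raw_ptr), ...]) for a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                              # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    export_rva = struct.unpack_from("<I", data, opt + 96)[0]   # DataDirectory[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((vaddr, max(vsize, raw_size), raw_ptr))
    return export_rva, sections


def _rva_to_offset(rva, sections):
    for vaddr, size, raw_ptr in sections:
        if vaddr <= rva < vaddr + size:
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA %#x is outside every section" % rva)


def named_exports(data):
    """Map each named export of a PE32 image to its entry-point RVA."""
    export_rva, sections = _headers(data)
    exp = _rva_to_offset(export_rva, sections)
    _base, _nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIIII", data, exp + 16)
    funcs = _rva_to_offset(funcs_rva, sections)
    names = _rva_to_offset(names_rva, sections)
    ords = _rva_to_offset(ords_rva, sections)
    result = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
        index = struct.unpack_from("<H", data, ords + 2 * i)[0]  # unbiased ordinal
        entry_rva = struct.unpack_from("<I", data, funcs + 4 * index)[0]
        name_off = _rva_to_offset(name_rva, sections)
        name = data[name_off:data.index(b"\0", name_off)].decode("ascii")
        result[name] = entry_rva
    return result


def redirected_exports(backup_image, live_image):
    """Exports whose entry RVA in the live DLL differs from the backup:
    {name: (backup_rva, live_rva)}."""
    clean, live = named_exports(backup_image), named_exports(live_image)
    return {n: (clean[n], live[n]) for n in clean if n in live and clean[n] != live[n]}


def build_sample_dll(exports):
    """Construct a minimal PE32 image (one section) exporting the given
    {name: rva} table. Only the fields the parser above reads are meaningful."""
    sec_rva, raw_ptr, raw_size = 0x1000, 0x200, 0x200
    names = sorted(exports)
    n = len(names)
    funcs_off, names_off = 40, 40 + 4 * n
    ords_off, str_off = 40 + 8 * n, 40 + 10 * n
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(sec_rva + str_off + len(strings))
        strings += nm.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                       sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off)
    body += b"".join(struct.pack("<I", exports[nm]) for nm in names)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<II", sec_rva, len(body))
    section = b".edata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(body), sec_rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = (dos + coff + opt.ljust(224, b"\0") + section).ljust(raw_ptr, b"\0")
    return headers + body.ljust(raw_size, b"\0")


# Constructed RVAs: in the backup every export has its own entry point; in the
# live copy "connect" and "send" both resolve to one stub high in the code section.
BACKUP = build_sample_dll({"connect": 0x2010, "send": 0x2090, "recv": 0x2120})
LIVE = build_sample_dll({"connect": 0x3F00, "send": 0x3F00, "recv": 0x2120})

if __name__ == "__main__":
    for name, (was, now) in redirected_exports(BACKUP, LIVE).items():
        print(f"{name}: {was:#x} -> {now:#x}")
```

On a real system you would read the two files from the system directory into bytes and call redirected_exports(backup_bytes, live_bytes); two distinct exports collapsing onto the same entry RVA is the tell-tale the page's description predicts, and because the stub is written into slack at the end of .text, comparing file sizes would miss it entirely.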
Disclaimer
This information is provided on an as-is, NO WARRANTY basis. Although every care is taken to ensure validity and accuracy,
the authors, Moto-Mania Racing and R&B Motorsports make no warranty as to the suitability or accuracy of this document.
Use of the information herein absolves the above, and all their subsidiaries/partners & employees and any other affiliated bodies, of any wrongdoing,
loss of data, or other damages that may occur as a direct or indirect result of following these instructions.
IF YOU FOLLOW THESE INSTRUCTIONS and something goes wrong, IT IS NOT OUR RESPONSIBILITY