Virus Alert! (was: [alberg30] M320b)
George Dinwiddie
gdinwiddie at min.net
Fri Jun 16 18:30:04 PDT 2000
This message contained the Happy99 virus. Do not run the attachment.
Peter Amos wrote:
>
> begin 644 Happy99.exe
[snip]
>From http://www.nsclean.com/psc-h99.html :
SYNOPSIS:
The Happy99.exe trojan will arrive attached to an email to you. It may
even have been sent to you by a trusted, close
friend. THE PERSON WHO EMAILED YOU THE HAPPY99.EXE TROJAN DOES NOT HAVE
ANY IDEA THAT THE
EMAIL WAS SENT TO YOU because Happy99 sent the email, not the person the
email appears to have been sent by!
The person infested with Happy99 will not know it's there and Happy99
will not let them know that it has sent itself on
along with regular email.
When Happy99 is run after receipt, it will immediately try to MODIFY
your dialup networking/winsock file on your
machine (WSOCK32.DLL). If it is unable to modify the winsock because it
is in use, it will install a registry entry to do
this on the next system reboot as a runonce key in your registry. On
bootup, it will modify the winsock and then
remove the temporary bookmark in your registry. As a result, there will
be no registry entry to remove.
Happy99 will first make a copy of the original Winsock (WSOCK32.DLL)
and copy it to a backup called WSOCK32.SKA
... It will then add an SKA.EXE and an SKA.DLL file which will interact
with your winsock once it has been modified.
Every time you send an email or post to a usenet newsgroup after
infestation, Happy99 will silently send ANOTHER
post to the same party including an attachment of itself as HAPPY99.EXE
in this separate email. Since this email is
generated by Happy99 itself, no copy o fthis email will show in your
email or newsgroup program and thus you will
not have any idea that it is sending emails in your name. Happy99 will
also maintain a list for its own use LISTE.SKA
which Happy99 will check to ensure it doesn't send a second email to
anybody it has already sent a copy of itself to.
Happy99 is the first of its kind - most trojan horses install
themselves as their own program which runs by itself.
Happy99 is the first trojan which MODIFIES another file (your winsock)
to operate. This methodology makes it unique
in that a regular SYSTEM FILE is the method of infestation.
MANUAL REMOVAL OF HAPPY99:
Happy99 can ONLY be removed from a boot directly into DOS. It cannot be
removed while Windows is running as in
most cases, the winsock file is locked by the operating system. Only
trojans seem to be able to modify this file but not
the user.
To remove the trojan and restore your regular winsock, please follow
the following instructions:
1. Shut down your computer. Turn off the power.
2. Power on your computer. As soon as it starts to access the
floppy disk, HOLD DOWN your F8 key.
3. A selector menu will appear which is different for each
version of Windows. Choose the option (usually at the
very bottom of the list which brings up DOS or CONSOLE
in SAFE MODE. This will bypass all existing settings.
DO NOT SELECT RUN WINDOWS. We need to run DOS.
4. You will be deposited at a C:> prompt.
5. We will need to find your system files now. One of the
following commands will get you there (depending on how
your windows system was set up. One of these will work
and move you there, the others will not. The expected
command to get there is listed in the order of its
likelihood. Be sure to hit the enter key at the end of
each line you try until you are at the system folder.
CD\WINDOWS\SYSTEM (hit enter key)
CD\WINNT\SYSTEM32 (hit enter key)
CD\WIN95\SYSTEM (hit enter key)
CD\WIN98\SYSTEM (hit enter key)
The correct one for your computer will toss you a C: prompt
with the same listing as the one you typed in if it is the
correct one. The other attempts will result in either a not
found error or nothing at all.
6. When you are at the system prompt, confirm that you are in
the right place by typing in the following:
DIR WSOCK32.DLL (hit enter key)
Your computer should respond with a line that looks like this:
Volume in drive C is MS-DOS_6
Volume Serial Number is ####-####
Directory of C:\WINDOWS\SYSTEM
WSOCK32 DLL 66,560 07-11-95 9:50a
1 file(s) 66,560 bytes
0 dir(s) 10,190,848 bytes free
Your WSOCK32.DLL file will likely be bigger than the one shown
above. If the above does NOT appear or you receive an error
message, you're not in the system folder yet. Try again.
7. You can find out if Happy99 is on your system by typing in
the following command:
DIR WSOCK32.SKA (hit enter key)
If the Happy99 Trojan has diddled your winsock, you will get
an affirmation that the file exists identical to what you got
when you typed in DIR WSOCK32.DLL before. If you receive "file
not found" then you do NOT have Happy99 on your machine or you
are not in the SYSTEM folder.
8. Once you're in the location where the WSOCK32.DLL file is
located, we now type in the following to remove Happy99:
ATTRIB -r -s -h -a WSOCK32.DLL (hit enter key)
COPY WSOCK32.SKA WSOCK32.DLL (hit enter key)
DEL SKA.EXE (hit enter key)
DEL SKA.DLL (hit enter key)
DEL LISTE.SKA (hit enter key)
If the action is successful, you will just receive another
prompt. If it fails, you'll receive an error message such as
"file not found" or similar. Check your typing and try again.
9. You're done. Happy99 is gone. You can now turn off the machine
and reboot back into windows again.
Use of Privacy Software Corporation's BOClean program will safeguard
against this and over 60 other trojan horse
programs automatically without having to go through all this and without
risk of damage.
COPYRIGHTED MATERIAL:
Copyright (c) 1999 by Privacy Software Corporation.
Permission is granted for the retransmission of this advisory by
electronic means. It is not to be edited in any way
without the express consent of Privacy Software Corporation. Requests to
reprint this information in whole or in part
should be directed to technology at privsoft.com.
Disclaimer: The information within this advisory may change without
notice and is provided by Privacy Software
Corporation AS IS. No warrantees, express or implied, are provided with
respect to this information nor should any be
construed by the transmission of this information. Any use of this
information or its recommendations is solely at the
risk of the user.
Contact Privacy Software Corporation at http://www.privsoft.com,
http://www.nsclean.com, email to
technology at privsoft.com. Copies of the Happy99.exe distribution as
captured by Privacy Software Corporation will
only be provided to recognized security interests and responsible,
recognized members of the press with the technical
capability to conduct independent research on this trojan horse program
or in the alternative, we will provide the URL
where the programs can be obtained independently. Copies will NOT be
provided by us to any other parties. Privacy
Software Corporation reserves the right to refuse transmission without
further explanation. Under the provisions of
Privacy Software Corporation's customer and website privacy policies, we
cannot divulge email from our customers
regarding their experiences with these trojan horse programs nor can we
divulge their identities under any
circumstances.
Free updates are available to existing BOClean customers of Privacy
Software Corporation to include coverage of this
new trojan horse exploit. Copies of BOClean 3.02 already contain these
updates. BOClean customers should visit the
BOClean support page at http://www.nsclean.com/supboc.html for further
details.
------------------------------------------------------------------------
Savings + service + convenience = beMANY!
http://click.egroups.com/1/4116/8/_/476031/_/961205109/
------------------------------------------------------------------------
961205404.0
More information about the Public-List
mailing list