IMPORTANT NOTICE - EVERYONE READ THIS NOW!

Dan York ( danyork@lyghtforce.com )
Fri, 29 Jan 1999 18:30:48 -0600

There is a virus "Worm" attachment named Happy99.exe that has been making
the rounds over the few weeks on mailing lists and news groups.

The file is small enough (10kb) to make it through the size limitation of
files sent over this list. The Happy99.exe Worm Virus has shown up on two
other mailing lists that I host on the server.

If you see the file Happy99.exe do not open it. Simply erase it from your
computer.

Information about the Worm Virus is included with this warning.

There is an article about this at: http://www.msnbc.com/news/235662.asp and
I am including another copy of the warning that Gabby Rooteller sent to the
Athena list after the worm virus was sent there. The information that Gabby
sent and the article on MSNBC are almost identical.

If you have this Worm on your computer you can use the information about
file names to go through your computer to manually remove the files it has
created.

Dan York

---------------------------------------------------------
The Happy99.exe file has been making its rounds of the
email lists, effectively shutting some of them down. If you open it, it
situates itself in your hard drive and attaches itself to outgoing
messages without your ok. This will really irritate list members and
owners, because it shows up as an attachment that unsuspecting members
might open (hence perpetuating the virus cycle), or shows up in some
programs as a huge piece of irritating code.
__________
Here's some information about it:
http://www.Europe.Datafellows.com/v-descs/ska.htm

NAME: Win32/Ska.A
ALIAS: Happy99, WSOCK32.SKA, SKA.EXE
SIZE: 10000
Win32/Ska.A is a Win32-based virus. It displays a firework when
executed.
When executed it creates files SKA.EXE and SKA.DLL. Then it
patches WSOCK32.DLL so that it export entries for two functions
will point to a new address at the end of text section. The original
WSOCK32.DLL is saved in the system directory as
WSOCK32.SKA. If WSOCK32.DLL is in use, Ska.A modifies the
registry's RunOnce entry to execute SKA.EXE during next boot-up
so it then gets loaded before WSOCK32.DLL.
"Connect" and "Send" exports are patched in WSOCK32.DLL. That
way the virus is able to see if the local user has any activity on
network. When "Connect" or "Send" is called, the virus loads its
SKA.DLL which has two exports: "news" and "mail".
Then it seems to spam itself (SKA.EXE) to the same newsgroups
and same e-mail addresses where the user was posting or mailing
to. Therefore it is not limited like Win32/Parvo which is unable to
use a a particular news server when the user does not have access
for it. The virus also maintains a list of newsgroups it has posted a
copy of itself. This is stored in a file called LISTE.SKA.
A file called HAPPY99.EXE which was infected with this virus was
distributed to many news servers in January 1999.
[Peter Szor, Data Fellows]
All viruses listed in the Virus description pages can be
detected and removed with Data Fellows Anti-virus and Data
Security software.