Hallo Meine Tochter hat ne Mail(mit anhang) gekriegt und wir haben sie geöffnet:Der Name der Datei war Happy 99.exe.Sietdem habe ich das Gefühl irgendwo in meinen System ist der Wurm drin.Könnte es vielleicht ein Trojanisches Pferd sein?????Hat jemand schon mal davon gehört?Vielen Dank im voraus.Eddy ((Anonym))
Antwort:
Happy99 ist ein nachfolger von Melissa, er verschickt an alle Adressaten, die in deinem Adreßbuch vermerkt sind, irgendwelche E-Mails, die happy99 enthaolten.
Nur zur groben Information (bitte nachprüfen): Das Virus benennt die winsock um in eine Datei (ska oder so ähnlich). Ich glaube, man muß die Datei, die jetzt bei dir winsock heißt, löschen (besser: in ein anderes Verzeichnis verschieben oder umbenennen) und die ska-Datei in winsock (oder wie sie genau heißt) umbenennen. So ungefähr müßte es gehen, finde die Site nicht mehr, wo die Prozedur beschrieben ist. Suche einfach auf der Homepage von Herstellern v. Antiviren-Software nach happy99, dort sollte es schon beschrieben sein.
lg
C
(Carnap)
Antwort:
Hab doch noch was gefunden:
F-Secure Virus Information Pages
NAME:
Ska
ALIAS:
Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA, Happy
SIZE:
10000
Win32/Ska.A is a Win32-based e-mail and newsgroup worm. It displays fireworks when
executed first time as Happy99.exe. (Normally this file arrives as an e-mail attachment
to a particular PC, or it is downloaded from a newsgroup.)
When the Happy99.exe file has been executed, every e-mail and newsgroup posting
sent from the machine will cause a second message to be sent. This will contain the
same sender and recipient information but contains no text, just the Happy99.exe file
itself as an attachment.
Since people will usually receive Happy99.exe from someone they know (as you
normally get e-mail from someone you know), people tend to trust this attachment, and
run it.
When executed first time, it creates SKA.EXE and SKA.DLL in the system directory.
SKA.EXE is a copy of HAPPY99.EXE. SKA.DLL is packed inside SKA.EXE. After this
Ska creates a copy of WSOCK32.DLL as WSOCK32.SKA in the system directory.
Then it tries to patch WSOCK32.DLL so that its export entries for two functions will
point to new routines (to the worm's own functions) inside the patched WSOCK32.DLL.
If WSOCK32.DLL is in use, Ska.A modifies the registry's RunOnce entry to execute
SKA.EXE during next boot-up. (When executed as SKA.EXE it does not display the
firework, just tries to patch WSOCK32.DLL until it is not used.)
"Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the worm is able to
see if the local user has any activity on network. When "Connect" or "Send" APIs are
called, Ska loads its SKA.DLL containing two exports: "news" and "mail".
Then it spams itself to the same newsgroups or same e-mail addresses where the user
was posting or mailing to. It maps SKA.EXE to memory and converts it to uuencoded
format and mails an additional e-mail or newsgroup post with the same header
information as the original message but containing no text but just an attachment called
Happy99.exe.
Therefore Happy99 is not limited like the Win32/Parvo virus which is unable to use a
particular news server when the user does not have access to it. The worm also
maintains a list of addresses it has posted a copy of itself. This is stored in a file called
LISTE.SKA. (The number of entries are limited in this file.)
The worm contains the following encrypted text which is not displayed:
Is it a virus, a worm, a trojan?
MOUT-MOUT Hybrid (c) Spanska 1999.
The mail header of the manipulated mails will contain a new field called "X-Spanska:
YES". Normally this header field is not visible to receivers of the message.
Since the worm does not check WSOCK32.DLL's attribute, it can not patch it if it is set
to read only.
Please note that after disinfection of this worm you will have to rename WSOCK32.SKA
back to WSOCK32.DLL in \WINDOWS\SYSTEM folder to restore all original Winsock
internet capabilities.
Happy99 does not replicated under Windows NT.
lg
Beatrice
(Anonym)
