TECHNET Archives

February 1999

TechNet@IPC.ORG

Subject:
From: "Stephen R. Gregory" <[log in to unmask]>
Reply To: TechNet E-Mail Forum.
Date: Thu, 11 Feb 1999 22:04:21 EST
Content-Type: text/plain
Parts/Attachments: text/plain (69 lines)

In a message dated 2/11/99 6:19:26 PM Pacific Standard Time,
[log in to unmask] writes:

> > hey.... i got the following excerpt from the company information technology
> > department.... i decided that this was important enough to forward on to all of
> > you.... please pass on the info.... Rob
> >
> > Virus Alert...

Hey guys, this one's real. It's one of them "Trojan Horse" type viruses that
are the rage now with hackers. It brings what's called an "internet worm" in
with it. Originally distributed on newsgroups in January...some people ain't
got nothing better to do. Too bad...I bet there's a lot of companies that
would like to have these guys working for them IF, and that's a big IF, they
could confine themselves to doing something other than creating viruses...oh
well. Below is what was posted on the McAfee WEB page...

-Steve Gregory-


                                HOT NEWS
             A NEW WINDOWS INTERNET WORM SPREADS
A file called HAPPY99.EXE, which is infected with the Win32/Ska.A Internet
worm, is being distributed worldwide.

Please refer to the Update page for the 'disinfection routine' for this
trojan.
                NAME: Win32/Ska.A
                ALIAS: Happy99, WSOCK32.SKA, SKA.EXE
                SIZE: 10000

Win32/Ska.A is a Win32-based virus. It displays a firework when executed. When
executed it creates files SKA.EXE and SKA.DLL. Then it patches WSOCK32.DLL so
that its export entries for two functions will point to a new address at the
end of text section. The original WSOCK32.DLL is saved in the system directory
as WSOCK32.SKA. If WSOCK32.DLL is in use, Ska.A modifies the registry's
RunOnce entry to execute SKA.EXE during next boot-up so it then gets loaded
before WSOCK32.DLL.

"Connect" and "Send" exports are patched in WSOCK32.DLL. That way the virus is
able to see if the local user has any activity on network. When "Connect" or
"Send" is called, the virus loads its SKA.DLL which has two exports: "news"
and "mail".

Then it seems to spam itself (SKA.EXE) to the same newsgroups and same e-mail
addresses where the user was posting or mailing to. Therefore it is not
limited like Win32/Parvo which is unable to use a particular news server
when the user does not have access for it. The virus also maintains a list of
newsgroups to which it has posted a copy of itself. This is stored in a file
called LISTE.SKA.

A file called HAPPY99.EXE which was infected with this virus was distributed
to many news servers in January 1999.

################################################################
TechNet E-Mail Forum provided as a free service by IPC using LISTSERV 1.8c
################################################################
To subscribe/unsubscribe, send a message to [log in to unmask] with following text in the body:
To subscribe:   SUBSCRIBE TechNet <your full name>
To unsubscribe:   SIGNOFF TechNet 
################################################################
Please visit IPC's web site (http://www.ipc.org) "On-Line Services" section for additional information.
For technical support contact Hugo Scaramuzza at [log in to unmask] or 847-509-9700 ext.312
################################################################
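
A triage check built from the file names in the advisory quoted above, as an added example that is not part of the original message or of McAfee's text. The function name `triage_ska` and its directory argument are assumptions, and comparing WSOCK32.DLL with WSOCK32.SKA is an inference from the advisory's statement that the original DLL is saved under that name.

```python
import hashlib
import os

# File names the advisory attributes to Win32/Ska.A (Happy99).
ARTIFACTS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")


def _sha256(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_ska(system_dir):
    """Return findings for one Windows system directory (hypothetical helper).

    Names are compared case-insensitively, as Windows file systems do.
    """
    present = {}
    for name in os.listdir(system_dir):
        full = os.path.join(system_dir, name)
        if os.path.isfile(full):
            present[name.upper()] = full

    found = [name for name in ARTIFACTS if name in present]
    findings = {"artifacts": found, "wsock32_differs_from_backup": None}

    # Assumption: WSOCK32.SKA holds the unmodified DLL, as the advisory says.
    # A mismatch with the live WSOCK32.DLL is then consistent with the export
    # patch having been applied; equal hashes mean the live DLL matches the
    # saved original (for example, patching deferred to the RunOnce boot).
    backup = present.get("WSOCK32.SKA")
    live = present.get("WSOCK32.DLL")
    if backup and live:
        findings["wsock32_differs_from_backup"] = _sha256(backup) != _sha256(live)

    findings["suspicious"] = bool(found)
    return findings
```

Run it against a copy of the system directory from an offline image; a `None` in `wsock32_differs_from_backup` means one of the two DLL files was missing, so no comparison was made.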