TECHNET Archives

February 1999

TechNet@IPC.ORG

Subject:
From: James Patten <[log in to unmask]>
Reply To: TechNet E-Mail Forum.
Date: Fri, 12 Feb 1999 08:32:29 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (104 lines)

Generally the protocol for reporting virus' (is it viri for plural?) is to
contact your Web Master. I suppose on a listserv where the message is
printed to many, it's okay. What happens is everyone in a company starts
mailing everyone else in the company, using their company wide address book.
What you get is a massive mailing to each other...sort of a pyramid effect.
Probably don't want that or the virus.

-----Original Message-----
From: Stephen R. Gregory [mailto:[log in to unmask]]
Sent: Thursday, February 11, 1999 7:04 PM
To: [log in to unmask]
Subject: Re: [TN] Virus Alert


In a message dated 2/11/99 6:19:26 PM Pacific Standard Time,
[log in to unmask] writes:

> > hey.... i got the following excerpt from the company information technology
> > department.... i decided that this was important enough to forward on to all of
> > you.... please pass on the info.... Rob
> >
> > Virus Alert...

Hey guys, this one's real. It's one of them "Trojan Horse" type viruses that
are the rage now with hackers. It brings what's called an "internet worm" in
with it. Originally distributed on newsgroups in January...some people ain't
got nothing better to do. Too bad...I bet there's a lot of companies that
would like to have these guys working for them IF, and that's a big IF, they
could confine themselves to doing something other than creating viruses...oh
well. Below is what was posted on the McAfee WEB page...

-Steve Gregory-


                                HOT NEWS
             A NEW WINDOWS INTERNET WORM SPREADS
A file called HAPPY99.EXE which is infected with the Win32/Ska.A Internet
worm, is being distributed worldwide

Please refer to the Update page for the 'disinfection routine' for this
trojan.
                NAME: Win32/Ska.A
                ALIAS: Happy99, WSOCK32.SKA, SKA.EXE
                SIZE: 10000

Win32/Ska.A is a Win32-based virus. It displays a firework when executed.
When executed it creates files SKA.EXE and SKA.DLL. Then it patches
WSOCK32.DLL so that its export entries for two functions will point to a new
address at the end of text section. The original WSOCK32.DLL is saved in the
system directory as WSOCK32.SKA. If WSOCK32.DLL is in use, Ska.A modifies the
registry's RunOnce entry to execute SKA.EXE during next boot-up so it then
gets loaded before WSOCK32.DLL.

"Connect" and "Send" exports are patched in WSOCK32.DLL. That way the virus
is able to see if the local user has any activity on network. When "Connect"
or "Send" is called, the virus loads its SKA.DLL which has two exports:
"news" and "mail".

Then it seems to spam itself (SKA.EXE) to the same newsgroups and same e-mail
addresses where the user was posting or mailing to. Therefore it is not
limited like Win32/Parvo which is unable to use a particular news server
when the user does not have access for it. The virus also maintains a list of
newsgroups it has posted a copy of itself. This is stored in a file called
LISTE.SKA.

A file called HAPPY99.EXE which was infected with this virus was distributed
to many news servers in January 1999.

################################################################
TechNet E-Mail Forum provided as a free service by IPC using LISTSERV 1.8c
################################################################
To subscribe/unsubscribe, send a message to [log in to unmask] with following
text in the body:
To subscribe:   SUBSCRIBE TechNet <your full name>
To unsubscribe:   SIGNOFF TechNet
################################################################
Please visit IPC's web site (http://www.ipc.org) "On-Line Services" section
for additional information.
For technical support contact Hugo Scaramuzza at [log in to unmask] or
847-509-9700 ext.312
################################################################
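
Added example (not part of the original messages and not McAfee's disinfection routine): a file-system triage check for the artifacts the quoted advisory names, including a comparison of WSOCK32.DLL against the WSOCK32.SKA backup. The function names and the sample directories are assumptions made for illustration, and the RunOnce registry entry is not checked here.

```python
import hashlib
import tempfile
from pathlib import Path

# File names the quoted advisory says the worm leaves in the system directory.
ARTIFACTS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(system_dir):
    """Report advisory-named artifacts found in one directory (live or mounted image)."""
    # Windows file names are case-insensitive, so index by upper-cased name.
    files = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    found = [name for name in ARTIFACTS if name in files]
    report = {"artifacts": found, "wsock32_patched": None, "suspect": bool(found)}
    dll, backup = files.get("WSOCK32.DLL"), files.get("WSOCK32.SKA")
    if dll and backup:
        # Per the advisory, WSOCK32.SKA is the saved original, so a differing
        # WSOCK32.DLL means the patched copy is the one currently in place.
        report["wsock32_patched"] = sha256(dll) != sha256(backup)
    return report


def demo():
    """Constructed sample directories; file contents are placeholders, not real binaries."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as hit:
        Path(clean, "wsock32.dll").write_bytes(b"original-dll")
        Path(hit, "Wsock32.dll").write_bytes(b"original-dll+patch")
        Path(hit, "wsock32.ska").write_bytes(b"original-dll")
        Path(hit, "Ska.exe").write_bytes(b"placeholder")
        Path(hit, "liste.ska").write_bytes(b"alt.test\n")
        return triage(clean), triage(hit)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A result of wsock32_patched False with WSOCK32.SKA present still counts as suspect, since the backup file itself only exists after the worm has run.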
