TECHNET Archives

March 1999

TechNet@IPC.ORG

Subject:
From: "S N Corporation, USA" <[log in to unmask]>
Reply To: TechNet E-Mail Forum.
Date: Sun, 14 Mar 1999 17:15:43 +0600

Hi Technetters

Follow the instructions to remove the virus. Hopefully it will work.
Delighted to serve the technetters.


(i)    In Windows 95 Explorer look for the files called SKA. If you do
not find them the virus is not there, but I am sure it is.

(ii)    In Windows 95 click "Start" and then "Shut down", then click on
"Restart in MS DOS mode."

(iii)    On restart you can move around the system with standard DOS
commands.

        These are:

            cd windows                   to move to windows
            cd system                    to move to system in windows
            dir/p                        to check the directory one page at a time;
                                         pressing <enter> will display the next page
            cd ..                        to move back one directory
            del <filename>               to delete a named file; it should have the
                                         name and extension
            ren wsock32.ska wsock32.dll  will rename the file.

The following set of instructions was provided to me by a consultant
who had also been sent the virus in error, and should be read
thoroughly before starting work on the deletion. They provide the exact
names of files and the sequence in which to do it.


  The worm infects a system via email delivery and arrives as an
attachment called Happy99.EXE. It is sent unknowingly by a user. When
the program is run it deploys its payload, displaying fireworks on the
user's monitor. When the Happy.EXE is run it copies itself to the
Windows\System folder under the name SKA.EXE. It then extracts, from
within itself, a DLL called SKA.DLL into the Windows\System folder if
one does not already exist. Note: Though the SKA.EXE file is a copy of
the original, it does not run as the Happy.EXE file does, so it does not
copy itself again, nor does it display the fireworks on the user's
monitor. The worm then checks for the existence of WSOCK32.SKA in the
Windows\System folder. If it does not exist and the file WSOCK32.DLL
does exist, it copies the WSOCK32.DLL to WSOCK32.SKA. The patched code
calls two exported functions in SKA.DLL called mail and news. These
functions allow the worm to attach itself to SMTP e-mail and also to
any postings to newsgroups the user makes.

  To remove the virus worm do the following. Do the below in DOS, not
in Windows 95/98, as Windows 95/98 uses the wsock32.dll file and will
not let you delete the file.

  1. Find and delete SKA.exe, liste.ska and SKA.dll
  2. Delete wsock32.dll
  3. Rename wsock32.ska to wsock32.dll. Problem solved.




******************************************************************
*                                                                                    *
*  Syed Arif Mahmud                                                          *
*  Business Development Manager                                      *
*                                                                                    *
*  Asia Pacific Regional Office:        Corporate Office:                    *
*  Sena Kalyan Bhaban (7th Floor)       34 South Broadway                    *
*  195 Motijheel C/A                    6th Floor                            *
*  Dhaka 1000                           White Plains, NY 10601-4400  *
*  Bangladesh                           USA                                  *
*  Phone: 880-2-9565131,880-2-9565132,880-2-871014 (Res)             *
*  Fax: 880-2-9565127,880-2-9565130                                          *
*  Email: [log in to unmask]                                      *
*                                                                                    *
******************************************************************
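
The three removal steps in the message above, written as a DOS batch file with the existence checks one would otherwise make by hand. This is an added example, not part of the original message; the C:\WINDOWS install location is an assumption, and it is meant to be run from the "Restart in MS DOS mode" prompt.

```bat
@echo off
rem Guarded Happy99 cleanup following steps 1-3 of the message above.
rem Assumption: Windows is installed in C:\WINDOWS. Run from MS-DOS mode,
rem where WSOCK32.DLL is not in use and can be replaced.

rem "dir\nul" is the usual DOS test for an existing directory.
if not exist c:\windows\system\nul goto nodir
c:
cd \windows\system

rem Look for any of the files the message names before changing anything.
set found=no
if exist ska.exe set found=yes
if exist ska.dll set found=yes
if exist liste.ska set found=yes
if exist wsock32.ska set found=yes
if "%found%"=="no" goto clean

rem Step 1: delete the worm's own files.
if exist ska.exe del ska.exe
if exist ska.dll del ska.dll
if exist liste.ska del liste.ska

rem Steps 2 and 3: replace WSOCK32.DLL only when the saved copy exists.
rem Deleting it without WSOCK32.SKA would leave no Winsock library at all.
if not exist wsock32.ska goto nobackup
if exist wsock32.dll del wsock32.dll
ren wsock32.ska wsock32.dll
if not exist wsock32.dll goto failed
echo SKA files removed and WSOCK32.DLL restored from WSOCK32.SKA.
goto end

:nobackup
echo SKA files removed, but WSOCK32.SKA was not found.
echo WSOCK32.DLL was left untouched. Replace it from known-good media.
goto end

:failed
echo Rename failed. WSOCK32.SKA is still present, rename it by hand.
goto end

:nodir
echo C:\WINDOWS\SYSTEM not found. Edit the path in this file.
goto end

:clean
echo No SKA files found in C:\WINDOWS\SYSTEM.

:end
set found=
```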

################################################################
TechNet E-Mail Forum provided as a free service by IPC using LISTSERV 1.8c
################################################################