TECHNET Archives

March 1999

TechNet@IPC.ORG

Subject:
From: Jeremy Hartmann <[log in to unmask]>
Reply To: TechNet E-Mail Forum.
Date: Mon, 15 Mar 1999 06:36:40 -0800
According to IBM:  http://www.av.ibm.com/BreakingNews/VirusAlert/Happy/

We have yet another reason for you not to run programs that you get
unexpectedly from the Net, even if they seem to be from someone you trust.
The Ska worm uses the Net directly to send itself from system to system, so
if your friend's system is infected, the worm will send a copy of itself to
you every time your friend sends you mail; if you receive and execute it,
your system will become infected, while the worm distracts you with a little
fireworks graphic. (See this page
<http://www.symantec.com/avcenter/venc/data/happy99.worm.html> at Symantec
for the technical details, and how to recover if you're infected.) Ska also
hitches a ride on newsgroup postings, so if someone posts to a newsgroup from
an infected system, the worm will post a copy of itself in that person's
name, to the same newsgroup, and anyone who receives and executes it will
become infected. So binaries downloaded from newsgroups, even if they seem
to be posted by legitimate members of the community, should be treated with
suspicion.

Ska is a relatively non-threatening example of this sort of network worm; it
has no destructive payload (although due to bugs it will sometimes
effectively cut off an infected computer from the network), and it's easy to
spot (it always sends itself as an executable program called HAPPY99.EXE).
But more sophisticated strategies, and more destructive payloads, are
entirely possible. As usual, we stress not running any program that you
receive unexpectedly from the network; in today's lesson, we especially
stress that this is true even if the program seems to come from someone you
trust. The mail could have been forged, the trusted person's account could
have been stolen, or, as in the case of HAPPY99.EXE, the nasty program could
have sent itself to you itself, without the knowledge of the trusted person
whose system is infected.

(Two more notes: to add to the confusion, warnings about Ska/HAPPY99.EXE
have started to circulate which, like the classic "Good Times" and "Join the
Crew" hoaxes, claim that HAPPY99.EXE will destroy your system even if you
just open the mail. This is not true; you have to run the executable for the
worm to get control, and in any case your system is not destroyed. Also,
there is some controversy over whether Ska is "really a virus", "really a
worm", or both, or neither. We think that people who argue endlessly about
this sort of issue clearly have too much time on their hands. Ska is a
replicating thing that spreads from machine to machine without the
permission of the owners of the machines. Things that do that are bad; we
call them "viruses". We generally use "worm" to refer to a replicating thing
that consists of a self-sufficient program that spreads actively across the
Net, but we also think it's not worth arguing too much about the
distinction. See the Things that go Bump in the Net
<http://www.research.ibm.com/massive/bump.html> page for more thoughts, and
more colorful terms.)


Jeremy Hartmann
 Associate Programmer/Analyst
  Axiom Electronics, Inc.

Axiom Electronics, Inc,
3003 SW 153rd Drive
Beaverton, OR 97006
Phone: (503)350-4991
Fax: (503)641-0572
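
A mail-gateway style check that follows from the advice in the message above, as an added example that is not part of the original post or of IBM's alert: it flags executable attachments by filename alone and never consults the sender. The extension list, the function name and the sample message are constructed assumptions; only the name HAPPY99.EXE comes from the alert.

```python
import email
from email import policy

# Assumed policy list (not from the alert): extensions that execute when opened.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
KNOWN_WORM_NAMES = {"happy99.exe"}  # the one filename the alert gives

# Constructed sample message: a "trusted" sender with two attachments.
SAMPLE = (
    b"From: Trusted Friend <friend@example.org>\r\n"
    b"To: you@example.org\r\n"
    b"Subject: hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="Happy99.EXE"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n\r\nhi\r\n'
    b"--b1--\r\n"
)


def flag_attachments(raw_message: bytes):
    """Return [(filename, reason)] for attachments that should be quarantined.

    The From header is deliberately ignored: a familiar sender says nothing
    about whether the attachment is safe to run.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 / encoded-word filenames
        if not name:
            continue
        # Drop any path component, then normalise case and trailing dots/spaces.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
        if base in KNOWN_WORM_NAMES:
            findings.append((name, "known worm filename"))
        elif base.endswith(EXECUTABLE_EXTS):
            findings.append((name, "executable attachment"))
    return findings
```

Matching on the final extension after normalisation also catches double extensions such as `photo.jpg.scr`, which a check on the first extension would miss.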
