According to IBM: http://www.av.ibm.com/BreakingNews/VirusAlert/Happy/

We have yet another reason for you not to run programs that you get unexpectedly from the Net, even if they seem to be from someone you trust. The Ska worm uses the Net directly to send itself from system to system, so if your friend's system is infected, the worm will send a copy of itself to you every time your friend sends you mail; if you receive and execute it, your system will become infected, while the worm distracts you with a little fireworks graphic. (See this page <http://www.symantec.com/avcenter/venc/data/happy99.worm.html> at Symantec for the technical details, and how to recover if you're infected.)

Ska also hitches a ride on Newsgroup postings, so if someone posts to a newsgroup from an infected system, the worm will post a copy of itself in that person's name, to the same newsgroup, and anyone who receives and executes it will become infected. So binaries downloaded from newsgroups, even if they seem to be posted by legitimate members of the community, should be treated with suspicion.

Ska is a relatively non-threatening example of this sort of network worm; it has no destructive payload (although due to bugs it will sometimes effectively cut off an infected computer from the network), and it's easy to spot (it always sends itself as an executable program called HAPPY99.EXE). But more sophisticated strategies, and more destructive payloads, are entirely possible.

As usual, we stress not running any program that you receive unexpectedly from the network; in today's lesson, we especially stress that this is true even if the program seems to come from someone you trust. The mail could have been forged, the trusted person's account could have been stolen, or, as in the case of HAPPY99.EXE, the nasty program could have sent itself to you itself, without the knowledge of the trusted person whose system is infected.
(Two more notes: to add to the confusion, warnings about Ska/HAPPY99.EXE have started to circulate which, like the classic "Good Times" and "Join the Crew" hoaxes, claim that HAPPY99.EXE will destroy your system even if you just open the mail. This is not true; you have to run the executable for the worm to get control, and in any case your system is not destroyed.

Also, there is some controversy over whether Ska is "really a virus", "really a worm", or both, or neither. We think that people who argue endlessly about this sort of issue clearly have too much time on their hands. Ska is a replicating thing that spreads from machine to machine without the permission of the owners of the machines. Things that do that are bad; we call them "viruses". We generally use "worm" to refer to a replicating thing that consists of a self-sufficient program that spreads actively across the Net, but we also think it's not worth arguing too much about the distinction. See the Things that go Bump in the Net <http://www.research.ibm.com/massive/bump.html> page for more thoughts, and more colorful terms.)

Jeremy Hartmann
Associate Programmer/Analyst
Axiom Electronics, Inc.

Axiom Electronics, Inc,
3003 SW 153rd Drive
Beaverton, OR 97006
Phone: (503)350-4991
Fax: (503)641-0572

TechNet E-Mail Forum provided as a free service by IPC using LISTSERV 1.8c
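
The alert's advice can be enforced at the mail gateway rather than left to each reader. The sketch below is an added example, not part of the original message or of IBM's alert: it flags MIME attachments by the one filename the alert gives (HAPPY99.EXE), by the "MZ" executable header, and by extension, and it never looks at who the sender is. The extension list, function names and sample messages are assumptions constructed for illustration, and it assumes the program arrives as a MIME attachment.

```python
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")  # assumed list
KNOWN_WORM_NAMES = {"happy99.exe"}  # the filename the alert says Ska always uses


def risky_attachments(raw_message: bytes):
    """Return (filename, reason) pairs for attachments that should not be run.

    The From header is deliberately never consulted: the alert's point is that
    a trusted sender proves nothing about the attachment.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        is_attachment = part.get_content_disposition() == "attachment"
        if part.is_multipart() or not (name or is_attachment):
            continue
        name = name or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if name.lower() in KNOWN_WORM_NAMES:
            findings.append((name, "known worm filename"))
        elif payload[:2] == b"MZ":  # DOS/Windows executable magic, survives renaming
            findings.append((name, "executable header"))
        elif name.lower().endswith(EXECUTABLE_EXTS):
            findings.append((name, "executable extension"))
    return findings


def build_sample(filename: str, data: bytes) -> bytes:
    """Constructed test message from a 'trusted' sender (not real traffic)."""
    m = EmailMessage()
    m["From"] = "trusted.friend@example.org"
    m["To"] = "you@example.org"
    m["Subject"] = "Happy New Year"
    m.set_content("Look at this!")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, data in [("HAPPY99.EXE", b"MZ" + bytes(32)),
                        ("fireworks.dat", b"MZ" + bytes(32)),
                        ("notes.txt", b"plain text")]:
        print(fname, "->", risky_attachments(build_sample(fname, data)))
```

The header check matters because a filename match alone only catches a worm that, like Ska, never varies its name.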