Technology Stocks : Qualcomm Incorporated (QCOM)


To: LindyBill who wrote (31582)
From: Maurice Winn
Date: 6/3/1999 3:29:00 AM
 
*OT Virus* Lindy, that was what the Austrian UN Secretary General claimed too! I forget his name now. But he looked handsome in his SS uniform. He was busy in the Balkans - I suppose Kosovo no less but claimed to have only been in charge of lists or something.

Mqurice

PS: Look what I got today! First virus I've had since the marijuana virus about a decade ago. Yes, I opened the stupid thing. I also opened the stupid frog in a blender which John Cuthbertson kindly warned us about and I now take seriously. From now on I only open things sent from Microsoft or Qualcomm.

From: totaltel@total.emap.com
Received: from kirk.emap.com (ebc-fw-02.kirk.emap.com [194.72.190.69])
by mx2.ihug.co.nz (8.9.3/8.9.3) with ESMTP id GAA26556
for <mqurice@ihug.co.nz>; Thu, 3 Jun 1999 06:32:42 +1200
Received: from total.emap.com ([10.11.6.141]) by ebc-fw-02.kirk.emap.com with SMTP id <29878>; Wed, 2 Jun 1999 18:31:35 +0000
Reply-To: totaltel@total.emap.com
To: mqurice@ihug.co.nz
Subject: Total Telecom - "virus" warning
Message-Id: <99Jun2.183135gmt.29878@ebc-fw-02.kirk.emap.com>
Date: Wed, 2 Jun 1999 18:31:35 +0000
X-UIDL: ,?;e9YIQ!!\%fd9Ple!!

Dear Total Telecom subscriber,

You will have noticed that yesterday's Total Telecom e-mail bulletin appeared twice in your e-mail intray. One of these mails contained the file Happy99.exe which is a "Trojan Horse" or "Worm" programme.

Please accept my apologies for this unfortunate occurrence - we have reviewed our anti-virus safeguards to ensure that this will not happen again.

The program infects Windows 95 and Windows 98 PCs. To avoid infection, do not run the Happy.exe program and delete the copy of the e-mail containing the Happy.exe file. The other e-mail, containing the Total Telecom news headlines, is perfectly safe to read and access.

Happy.exe is generally more of an annoyance than a positive threat. However once infected, a machine will attach a copy of happy.exe to any e-mail that is sent out. It is important, therefore to remove any infection before sending e-mails.

As long as you have not run the Happy.exe application, your computer will not have been infected, and you need take no further action.

If you *have* run the program (it opens a window entitled "Happy New Year 1999 !!" showing a firework display) your machine may well have become infected.

All up-to-date versions of the popular PC virus protection programs will detect and remove Happy.exe. If you do not have one of these however, it is possible to remove it manually. I have included instructions below. Since they are fairly technical and cumbersome, I suggest that you consult your IT support department if you are in any doubt, showing them this message.

Once again, our apologies for any inconvenience caused. I hope you continue to find Total Telecom a valuable news resource.

Yours faithfully

Christopher Rose,
on behalf of the Total Telecom team

Executive Editor
CommunicationsWeek International
33-39 Bowling Green Lane
London EC1R 0DA
+44 171 505 8645
chrisr@cwi.emap.com

------------
The following description of Happy.exe has been taken from:

symantec.com

Happy99.Worm
VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: World Wide
Characteristics: Trojan Horse, Worm

-----------
Description:

This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.

-----------
Removing the worm manually:
1. delete WINDOWS\SYSTEM\SKA.EXE
2. delete WINDOWS\SYSTEM\SKA.DLL
3. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
5. delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you from doing steps #3 and #4 above if the machine is still connected to the Internet. The file "windows\system\wsock32.dll" is used whenever the machine is connected to the Internet (i.e. through a dial-up or LAN connection).

If you are using dial-up connection (i.e. America Online), you need to do the following:
1. terminate internet connection
2. delete WINDOWS\SYSTEM\SKA.EXE
3. delete WINDOWS\SYSTEM\SKA.DLL
4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
5. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
6. delete the downloaded file, usually named HAPPY99.EXE

If you are connected to Internet through LAN (i.e. in the office or cable modem), you need to do the following:
1. From the Start menu, select shutdown-restart in MS DOS mode
2. type CD \windows\system when DOS prompt (C:\) appears
3. type RENAME WSOCK32.DLL WSOCK32.BAK
4. type RENAME WSOCK32.SKA WSOCK32.DLL
5. type DEL SKA.EXE
6. type DEL SKA.DLL

-----------
Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article from an untrusted source.

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:

symantec.com

Write-up by: Raul K. Elnitiarta
March 2, 1999
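
The indicators listed in the write-up above can be checked mechanically before any file is renamed. The following is an added example, not part of the forwarded message or the Symantec write-up: it scans a copy of the WINDOWS\SYSTEM directory for the named files, reads a registry export for the RunOnce entry, and returns the manual-removal steps that apply. The function names, the state labels and the REGEDIT4 export layout are assumptions made for the illustration.

```python
import os

# File names and registry key as given in the write-up; matching is case-insensitive.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
LIVE, BACKUP = "WSOCK32.DLL", "WSOCK32.SKA"
RUNONCE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"

def scan_system_dir(path):
    """Return the write-up's file names (upper-cased) that exist in path."""
    names = {n.upper() for n in os.listdir(path)}
    return names & {*WORM_FILES, LIVE, BACKUP}

def runonce_pending(reg_text):
    """True if an exported registry text has a RunOnce value whose data names SKA.EXE."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNONCE.lower()
        elif in_key and "=" in line:
            # The page does not give the value name, so match on the data only.
            if "ska.exe" in line.split("=", 1)[1].lower():
                return True
    return False

def removal_plan(found):
    """Manual-removal steps from the write-up, limited to what is actually present."""
    steps = [f"delete {n}" for n in WORM_FILES if n in found]
    if BACKUP in found:
        # Swap only when the worm's backup exists; renaming WSOCK32.DLL without
        # WSOCK32.SKA to restore would leave the machine with no Winsock library.
        if LIVE in found:
            steps.append(f"rename {LIVE} to WSOCK32.BAK")
        steps.append(f"rename {BACKUP} to {LIVE}")
    return steps

def assess(found, reg_text=""):
    """Classify the host: installed, pending (RunOnce set), partial, or clean."""
    if BACKUP in found:
        state = "installed"   # WSOCK32.DLL has been replaced; original kept as .SKA
    elif runonce_pending(reg_text):
        state = "pending"     # worm will modify WSOCK32.DLL at the next Windows start
    elif found & set(WORM_FILES):
        state = "partial"
    else:
        state = "clean"
    return state, removal_plan(found)
```

A "pending" result corresponds to the case the write-up describes where WSOCK32.DLL was in use and the worm deferred its modification to the next start.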