Sharechat Logo

Forum Archive Index - October 1999

Please note usage of the Forum is subject to the Terms & Conditions.

 
Messages by Date [ Next by Date Previous by Date ]
Messages by Thread [ Next by Thread Previous by Thread ]
Post to the Forum [ New message Reply to this message ]
Printable version
 

Re: [sharechat] Happy99 Virus....


From: "Rini H" <the4rs@ihug.co.nz>
Date: Sat, 30 Oct 1999 23:05:23 +1300


Hi John,
Do you believe it? I am an avid reader of this forum, I open every message
including the "Happy 1999". The moment I opened it and saw the beautiful
fireworks that has nothing to do with sharechat, I know I'm in trouble!!!!
The next message from Will clearly confirmed that my files are now infected
by those Trojan. My heart sank in the same way as if I saw the share prices
turning down against you.
Thanks to John Redgrave, I quickly follow the instructions to make sure
whether my files were infected.
Yes, I got the first 2 files out these 4 files::
ska.exe
ska.dll
wsock32.ska
and perhaps
liste.ska

I've cleared them all, thanks again to John.
I'm now sending my message back to sharechat as a test that I'm now free of
Trojan.
Oh, oh, what an experience, I can now say what an excellent forum, and what
a lovely group we all are.

Rini


-----Original Message-----
From: John Redgrave <jpredgrave@hotmail.com>
To: sharechat@sharechat.co.nz <sharechat@sharechat.co.nz>
Date: Friday, 29 October 1999 20:22
Subject: [sharechat] Happy99 Virus....


>I have copied this from the net incase it helps anyone...  Don't know if it
>works becuase I didn't open the happy99 file.  Believe it would because I
>trust the source.
>
>http://www.zeuter.com/~tburden/happy99.htm
>
>
>
>The Happy99.exe E-Mail Trojan
>
>
>What It Is and What to Do About It
>
>---------------------------------------------------------------------------
-----
>
>
>What is the happy99.exe Trojan?
>
>You may have seen an attachment to some e-mail you have received that is
>called happy99.exe. If you were one of the unlucky people that tried to
open
>this attachment and run it, you may have seen a beautiful fireworks
display.
>You may have been so impressed that you forwarded the attachment to your
>friends. Your e-mail would still be working fine and all your internet
>services would seem normal...until the next time you rebooted your
computer:
>then the trouble would begin. The happy99.exe program contains what is
>referred to as a ska trojan, which directs your computer to do certain
>sneaky things behind your back. For example, it sends a copy of the
>happy99.exe program to all the people you correspond with...entirely
without
>your knowledge! And that's not all...it can stop your e-mail and internet
>services from functioning properly and can even shut down your e-mail
>program entirely. Perhaps worst of all, it can be a source of embarrassment
>for you at your work or among your friends.
>
>Technically, happy99 is not a virus but a trojan, as it cannot
>self-replicate, and requires YOUR HELP to become effective. The program
>cannot boot itself and can only run if YOU run it.
>
>Who can catch this 'virus'?
>
>ONLY people running the 32-bit versions of Windows are subject to this
>trojan. This is because the program needs to find and overwrite the 32-bit
>winsock (wsock32.dll) to do its thing. That means users of Mac, Linux,
Unix,
>and Windows 3.x are not at risk: only Windows 95/98 users need worry about
>it.
>Furthermore, only people who actually run the happy99.exe program will
>experience any problem. You cannot catch this virus just by receiving
>infected e-mail. You HAVE to run the program.
>
>How can I avoid happy99.exe?
>
>As a general precaution, you should NEVER run an .exe attachment to e-mail,
>regardless of its source, unless you KNOW EXACTLY what it is and what it
>will do. Make sure that the person sending you the e-mail is aware of the
>attachment and has told you what it will do. This does not apply to
attached
>files of other types, such as .jpg or .txt files. You cannot catch a virus
>from any other type of file than an .exe file (or a .zip file, if this
>contains .exe files :)
>Never run the happy99.exe file attachment. Discard the mail as soon as you
>receive it, just in case another member of your workgroup or your family
>finds the file and tries to run it!
>
>I've seen the fireworks...what do I do now?
>
>Ok, so you've run the program and you've seen the fireworks. Or you've
>gotten a nasty e-mail from a colleague or friend informing you that you
>infected them with a nasty virus. Don't panic! The fix is actually fairly
>simple.
>
>The first thing you need to do is make sure you are infected. This is easy:
>just use Windows' handy Find function on the Start menu. Search your hard
>drive (usually drive c: make sure c: appears in the Look In box) and search
>for ska. If you are infected, the following files will show up:
>ska.exe
>ska.dll
>wsock32.ska
>and perhaps
>liste.ska
>If you have these files, you might be tempted to delete them. DO NOT! The
>wsock32.ska file is actually the good version of your wsock32.dll, and the
>wsock32.dll on your system is infected with bad instructions.
>Basically, we are going to overwrite the bad wsock32.dll with the good
>wsock32.ska and then we are going to rename wsock32.ska to wsock32.dll so
>that your internet tools can use it again. While we're at it we'll delete
>ska.exe and ska.dll. You can try to do this in Windows, but if you are
using
>Win95 with integrated Explorer, or any version of Win98, you'll find the
>computer won't let you mess with the wsock32.dll file. It wouldn't let
>happy99 fool with that file either...that's why happy99 had to wait until
>you rebooted your computer to do its dirty job. Anyway we are going to have
>to do our fixing in MS-DOS mode.
>To get into MS-DOS mode, go to Start, Shut Down, then click Restart in
>MS-DOS Mode, then hit "yes" or "OK".
>Now you should see C:\WINDOWS. You need to type the following commands
>EXACTLY as written. Where you see [enter], that means hit the 'enter' or
>'return' key.
>Type
>cd system [enter]
>Now you should see C:\WINDOWS\SYSTEM
>Type
>attrib -h wsock32.dll [enter]
>attrib -r wsock32.dll [enter]
>copy wsock32.ska wsock32.dll [enter]
>Type 'y' for 'yes' when it asks you if you really want to overwrite
>wsock32.dll. You really do.
>Now type
>ren wsock32.ska wsock32.dll [enter]
>If the system won't let you do this, type
>del wsock32.dll [enter]
>ren wsock32.ska wsock32.dll [enter]
>Now for the finishing flourish:
>del ska.exe [enter]
>del ska.dll [enter]
>Congratulations...you are trojan-free again.
>Now type exit. If the computer does not automatically restart in windows,
>restart it manually.
>Try sending yourself an e-mail, to test that everything is working. Check
>whether you have sent yourself the happy99.exe attachment, while you're at
>it. If you did everything right, you didn't.
>One last thing. Use Windows Find again to search for liste.ska . When you
>find it, double-click on it to open it. You will see a list of all the
>people you accidentally sent the happy99.exe attachment to. You might want
>to get in touch with them and warn them not to open that attachment. If
they
>did already, direct them to this page. If they did not, but they are mad at
>you anyway, reassure them that you are now clean and safe and that they
have
>nothing to fear from your e-mail.
>These instructions didn't work...now what?
>
>If you have any trouble with these instructions, feel free to e-mail us at
>help@zeuter.com...assuming your e-mail still works. Keep in mind that these
>instructions are advice only and Zeuter does not accept any responsibility
>for any damage or loss that may occur as you carry out these procedures,
and
>nor does Zeuter explicitly or implicitly guarantee the results of these
>procedures.
>
>______________________________________________________
>Get Your Private, Free Email at http://www.hotmail.com
>
>--------------------------------------------------------------------------
>To remove yourself from this list, email sharechat-request@sharechat.co.nz
>with "unsubscribe" in the body of the message, or use the unsubscription
>form at http://www.sharechat.co.nz/forum.html.
>


--------------------------------------------------------------------------
To remove yourself from this list, email sharechat-request@sharechat.co.nz
with "unsubscribe" in the body of the message, or use the unsubscription
form at http://www.sharechat.co.nz/forum.html.

 
Messages by Date [ Next by Date: Re: [sharechat] Re; Leases and Thanks Brent Wheeler
Previous by Date: Re: [sharechat] Telstra Will Bryant ]
Messages by Thread [ Next by Thread: [sharechat] Virus in message from Vincent Wang, DNS problems with the site Will Bryant
Previous by Thread: [sharechat] Happy99 Virus.... John Redgrave ]
Post to the Forum [ New message Reply to this message ]