Profile
Name: W32/Ska
Aliases: Happy99, Happy99.exe
Variants: None
Type: Virus
SubType: Win32
Risk Assessment: medium
Minimum DAT: 4012
Characteristics
W32/Ska is a worm that was first posted to several newsgroups and has since been reported to several of the AVERT Labs locations worldwide. When it is run it displays the message "Happy New Year 1999!!" together with "fireworks" graphics. The newsgroup postings led to its initial propagation, but it also spreads on its own: it attaches itself to the mail messages and newsgroup postings an infected user sends, so the user passes it on unknowingly. It is this self-mailing behaviour that makes it a worm rather than a simple file virus.
AVERT cautions all users who receive the attachment via email to simply delete the mail and the attachment. The worm arrives as an email attachment called Happy99.EXE, sent unknowingly by an already infected user. When the program is run it displays the fireworks on the user's monitor and installs itself as described below.
Note: At this time no destructive payload has been discovered.
When Happy99.EXE is run it copies itself to the Windows\System folder under the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL into the Windows\System folder if one does not already exist.
Note: Though SKA.EXE is a copy of the original file, it does not behave as Happy99.EXE does: it neither copies itself again nor displays the fireworks on the user's monitor.
The worm then checks for the existence of WSOCK32.SKA in the Windows\System folder; if it does not exist and WSOCK32.DLL does, it copies WSOCK32.DLL to WSOCK32.SKA, leaving a copy of the unpatched library behind. The worm then creates a registry entry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Once this is done the worm patches WSOCK32.DLL, adding hooks to the exported functions EnumProtocolsW and WSAAsyncGetProtocolByName. The patched code calls two functions exported by SKA.DLL, named mail and news, which allow the worm to attach itself to SMTP email and to any newsgroup postings the user makes.
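The artifacts listed above (SKA.EXE, SKA.DLL, WSOCK32.SKA and a patched WSOCK32.DLL) are enough to triage and clean a suspect machine from an offline copy of its Windows\System folder. The script below is an added example written for this page, not AVERT's own tooling: it reports which indicators are present, uses the worm's own backup WSOCK32.SKA to decide whether WSOCK32.DLL has been patched (the worm only makes the backup when none exists, then patches the live DLL, so differing contents mean a patched library), and restores the DLL from that backup before deleting the worm's files. The sample folder it builds is constructed test data; the Run registry entry is outside what an offline folder scan can see and must be removed separately.

```python
"""Triage and clean-up of W32/Ska (Happy99) artifacts in a Windows\\System folder.

Added example, not AVERT's tooling. Meant to run against an offline copy of
the folder (mounted image or boot media); the sample data below is constructed.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

WORM_FILES = ("SKA.EXE", "SKA.DLL")   # dropped by Happy99.EXE
WSOCK_BACKUP = "WSOCK32.SKA"          # copy the worm makes before patching
WSOCK_DLL = "WSOCK32.DLL"


@dataclass
class Triage:
    worm_files: List[str] = field(default_factory=list)
    backup_present: bool = False
    # True/False when both WSOCK32.DLL and WSOCK32.SKA exist; None when the
    # backup is missing and the comparison cannot be made.
    wsock32_patched: Optional[bool] = None

    @property
    def infected(self) -> bool:
        return bool(self.worm_files) or self.backup_present


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _find(folder: str, name: str) -> Optional[str]:
    # Windows names are case-insensitive; an image mounted on a POSIX host is not.
    for entry in os.listdir(folder):
        if entry.lower() == name.lower():
            return os.path.join(folder, entry)
    return None


def check_system_folder(folder: str) -> Triage:
    """Report the Happy99 indicators present in a Windows\\System folder."""
    t = Triage()
    for name in WORM_FILES:
        path = _find(folder, name)
        if path:
            t.worm_files.append(os.path.basename(path))
    backup, dll = _find(folder, WSOCK_BACKUP), _find(folder, WSOCK_DLL)
    t.backup_present = backup is not None
    if backup and dll:
        # Backup exists only if the worm made it, and it patched the DLL right
        # after; a hash mismatch therefore means the live DLL is the patched one.
        t.wsock32_patched = _sha256(backup) != _sha256(dll)
    return t


def clean_system_folder(folder: str) -> List[str]:
    """Restore WSOCK32.DLL from WSOCK32.SKA, then remove the worm's files.

    Returns the actions taken. Offline copies only: on a live system the DLL
    is in use, and the Run registry entry still has to be removed by hand.
    """
    actions = []
    t = check_system_folder(folder)
    if t.wsock32_patched:
        shutil.copyfile(_find(folder, WSOCK_BACKUP), _find(folder, WSOCK_DLL))
        actions.append(f"restored {WSOCK_DLL} from {WSOCK_BACKUP}")
    for name in WORM_FILES + (WSOCK_BACKUP,):
        path = _find(folder, name)
        if path:
            os.remove(path)
            actions.append(f"removed {os.path.basename(path)}")
    return actions


def build_sample_folder(infected: bool) -> str:
    """Constructed sample data: a throwaway folder standing in for Windows\\System."""
    folder = tempfile.mkdtemp(prefix="ska-sample-")
    clean_dll = b"MZ" + b"\x00" * 62 + b"clean wsock32 export table"
    with open(os.path.join(folder, WSOCK_DLL), "wb") as fh:
        # On the infected sample the live DLL differs from the backup (stand-in for the patch).
        fh.write(clean_dll.replace(b"clean", b"hooked") if infected else clean_dll)
    if infected:
        with open(os.path.join(folder, WSOCK_BACKUP), "wb") as fh:
            fh.write(clean_dll)
        for name in ("ska.exe", "Ska.dll"):   # mixed case on purpose
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"MZ" + b"\x00" * 32)
    return folder


if __name__ == "__main__":
    sample = build_sample_folder(infected=True)
    before = check_system_folder(sample)
    print(f"infected={before.infected} files={before.worm_files} patched={before.wsock32_patched}")
    for action in clean_system_folder(sample):
        print(action)
    after = check_system_folder(sample)
    print(f"infected={after.infected} patched={after.wsock32_patched}")
    shutil.rmtree(sample)
```

Point `check_system_folder` at the System folder of a mounted image to get a report; only call `clean_system_folder` once you have confirmed the findings, since it overwrites WSOCK32.DLL with the backup and deletes the worm's files. A folder with WSOCK32.DLL but no WSOCK32.SKA reports `wsock32_patched=None`, because the patch cannot be inferred without the backup; compare against a known-good WSOCK32.DLL in that case.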