TechWhirl (TECHWR-L) is a resource for technical writing and technical communications professionals of all experience levels and in all industries to share their experiences and acquire information.
Subject: Surprise! A legitimate e-mail virus alert
From: "Howard, Kathryn" <Kathryn -dot- Howard -at- WESTGROUP -dot- COM>
Date: Tue, 16 Feb 1999 11:04:42 -0600
Sent: Tuesday, February 16, 1999 9:41 AM
To: Product Systems
Subject: Surprise! A legitimate e-mail virus alert
I recently received, via an e-mail listserver, an e-mail with an attachment
called happy99.exe. I didn't open the attachment. Lucky me.
The happy99.exe virus is a self-replicating e-mail virus. When you run it,
you apparently get a lovely fireworks display. Once run, however,
happy99.exe replaces your WINSOCK.DLL with code that will attach the
happy99.exe executable to every outgoing e-mail, and also apparently does
other sneaky things without your knowledge (newsgroup postings, etc.). It
also generates heavy network traffic, possibly crashing net servers.
The virus is apparently widespread in Europe, and starting to make its
presence felt here.
This virus is attached to newsgroup and e-mail messages as an attachment called Happy99.exe. You cannot get infected with this virus just by reading a newsgroup or e-mail message. You have to execute the attachment. If you execute an infected attachment, it will display a firework display.

It will create two files in the Windows System folder, SKA.EXE and SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will make a backup of WSOCK32.DLL under the name of WSOCK32.SKA. Then it will modify WSOCK32.DLL so it will try to access SKA.DLL under certain circumstances. It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a regular part of Windows that provides a connection to the Internet. If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be modified next time the computer starts. The modified WSOCK32.DLL will attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages. This second copy will have the same subject and recipient, but it will have an empty body. This virus will keep a list of message recipients in the file LISTE.SKA in the Windows System folder.

In my tests (sending an e-mail to myself :) this virus attached itself to a second copy of the e-mail message, with no problems and a barely noticeable delay. The outgoing message contains the header
X-Spanska: Yes
but this is normally not visible.

This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. However, it could overload an e-mail server if a lot of copies get passed around. Also, since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the modified WSOCK32.DLL cannot perform any viral action. However using a modified WSOCK32.DLL could cause problems while on the Internet. Restoring the original WSOCK32.DLL will correct these problems.

This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV. However, someone using one of those could pass it along manually, for example by forwarding the message. I don't have a Windows NT machine to test it on, but I have reports that it will create SKA.EXE and SKA.DLL, but will fail to add itself to the registry or modify WSOCK32.DLL.

Some people have asked whether it is always called HAPPY99.EXE. This virus doesn't contain any code to change the name. However, it would be simple for a person to change it to anything they like.
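
A check for the indicators listed in the alert above, as an added example that is not part of the original e-mail: it looks for the four file names in a given folder and for the X-Spanska header or a Happy99.exe attachment in a raw message. The function names, the folder passed in, and the MIME layout of the constructed sample message are assumptions.

```python
import email
import os

# File names the alert says appear in the Windows System folder.
ARTIFACTS = {
    "ska.exe": "copy of HAPPY99.EXE",
    "ska.dll": "library the modified WSOCK32.DLL tries to access",
    "wsock32.ska": "backup of the original WSOCK32.DLL",
    "liste.ska": "list of message recipients",
}

def scan_system_folder(folder):
    """Return {file name: meaning} for alert-listed files present in folder."""
    # Compare case-insensitively, as Windows file names are.
    present = {name.lower() for name in os.listdir(folder)}
    return {n: why for n, why in ARTIFACTS.items() if n in present}

def scan_message(raw):
    """Return the reasons a raw message matches the alert (empty if none)."""
    msg = email.message_from_string(raw)
    reasons = []
    if msg.get("X-Spanska") is not None:
        reasons.append("X-Spanska header")
    for part in msg.walk():
        name = part.get_filename()
        # Weak signal on its own: the alert notes the file can be renamed.
        if name and name.lower() == "happy99.exe":
            reasons.append("attachment " + name)
    return reasons

# Constructed sample (not a captured message); MIME layout is assumed.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: rcpt@example.com
Subject: hello
X-Spanska: Yes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Happy99.exe"

(constructed placeholder body)
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
```

If `scan_system_folder` reports `wsock32.ska`, that file is the backup the alert says can be used to restore the original WSOCK32.DLL.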