VIRUS ALERT: Network Associates Advises E-mail and Newsgroup Users to Armor Up Against Trojan Horse Worm Outbreak
Happy99.exe Fireworks Graphic Delivers More Than New Year Cheer
SANTA CLARA, Calif., Feb. 1 /PRNewswire/ -- To educate and inform the computer industry and its customers, the AVERT (Anti-Virus Emergency Response Team), a division of NAI Labs at Network Associates (Nasdaq: NETA), warns users to defend their computers from the virus, Happy99.exe.
Symptoms:
Happy99.exe displays a window with exploding fireworks and the message
"Happy New Year 1999!" The window appears on the computer monitor when a user
runs the Happy99.exe attachment that is delivered with the e-mail.
Pathology:
Happy99.exe, also known as W32/SKA or the Ska Virus, is a Trojan Horse
that was first posted to newsgroups and has since propagated to infect users
via e-mail. This Trojan Horse is also considered a Worm because it can spread
itself by latching onto mail messages. In most cases a user sends Happy99.exe
unknowingly with outgoing messages. This self-replicating ability led to the
rapid outbreak of Happy99.exe, which has been reported to several of the
AVERT Labs locations worldwide.
It has been widely reported that when Happy99.exe runs its fireworks graphic, it modifies the Windows/System folder of a user's PC. If so, the process is as follows. The virus copies itself to the folder under the name SKA.EXE and then extracts a DLL from within itself and places it in the same folder. Happy99.exe then backs up and modifies the existing WSOCK32.DLL file. The modified WSOCK32.DLL file, WSOCK32.SKA, attaches the virus to a second copy of outgoing e-mail and newsgroup messages. The virus also keeps a list of message recipients in a file in the Windows/System folder.
Happy99.exe does not deliver a known destructive payload, nor does it appear to pose a threat to data. It does, however, spam the unconsenting recipient and create covert parasitic activity on a system. It can also congest the network and strain the e-mail server. AVERT has not yet seen this behavior, but warns users of the Trojan's potential.
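The file changes described above can be checked for directly. The following Python sketch is an added example, not a Network Associates tool: it looks in a system folder for the two file names this alert gives (SKA.EXE and WSOCK32.SKA) and reports whether WSOCK32.DLL and WSOCK32.SKA differ in content. The function name `triage`, the report fields and the default folder path are assumptions made for illustration.

```python
import hashlib
import os

# Names taken from the alert text; matching is case-insensitive because
# Windows file systems do not distinguish SKA.EXE from ska.exe.
ARTIFACTS = ("SKA.EXE", "WSOCK32.SKA")
WINSOCK = "WSOCK32.DLL"


def _sha256(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(system_dir):
    """Return a dict describing Happy99-related files found in system_dir."""
    # Map upper-cased name -> real path, regular files only.
    present = {}
    with os.scandir(system_dir) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                present[entry.name.upper()] = entry.path

    found = sorted(name for name in ARTIFACTS if name in present)
    report = {"found": found, "winsock_differs": None, "suspicious": bool(found)}

    # When both Winsock files exist, differing content is consistent with the
    # backup-and-modify step the alert describes.
    if WINSOCK in present and "WSOCK32.SKA" in present:
        report["winsock_differs"] = (
            _sha256(present[WINSOCK]) != _sha256(present["WSOCK32.SKA"])
        )
    return report


if __name__ == "__main__":
    import sys
    # Default path is an assumption; pass the real system folder as an argument.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System"
    print(triage(target))
```

A hit on either file name is a reason to run a full anti-virus scan, not proof of infection on its own.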
Cure:
To ensure maximum security, it is recommended that users delete all files
associated with Happy99.exe to remove the virus from their systems. AVERT has
developed Happy99.exe detection, which is available in Network Associates'
McAfee VirusScan versions 3.X and above. Detection is also available for the
Dr Solomon's Anti-Virus Tool Kit. The Happy99.exe detection utilities and
detailed information about Happy99.exe are available at Network Associates' Web
site, http://www.nai.com.
With headquarters in Santa Clara, Calif., Network Associates, Inc. is dedicated to providing leading enterprise network security and management software. McAfee Labs, the anti-virus research division of Network Associates, currently employs more than 85 virus researchers and maintains labs on five continents worldwide. In addition to studying new and existing security threats, McAfee Labs serves as a global resource for virus information and provides rapid, follow-the-sun support for virus emergencies worldwide. For more information, Network Associates can be reached at (408) 988-3832 or on the Web at http://www.nai.com.