  SKA/HAPPY99.EXE virus REMOVAL INFO (Message 1 to 2 of 2)  
From: Marc van den Dikkenberg
Subject: SKA/HAPPY99.EXE virus REMOVAL INFO
Date: 25 Jan 1999 16:52:06
Message: <36ace6b1.6367415@news.povray.org>
After a short web search, I found some info on this SKA-virus, including info
on how to remove it.. 
It turns out that I was right about the wsock32.dll thingey: it does make a
backup! (luckily) So... If you've run the HAPPY99.EXE (the fireworks)
THEN READ THIS MESSAGE!!!

http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM


It will create two files in the Windows System folder, SKA.EXE and SKA.DLL.
SKA.EXE will be a copy of HAPPY99.EXE. It will make a backup of WSOCK32.DLL
under the name of WSOCK32.SKA. If it is unable to modify WSOCK32.DLL, then
it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL
will be modified next time the computer starts. The modified WSOCK32.DLL
will attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail
messages. In my tests (sending an e-mail to myself :) this virus attached
itself to a second copy of the e-mail message, with no problems and a
barely noticeable delay. This virus will keep a list of message recipients
in the file LISTE.SKA in the Windows System folder. 

Some people have asked whether it is always called HAPPY99.EXE. This virus
doesn't contain any code to change the name. However, it would be simple
for a person to change it to anything they like.

It contains the text: 

"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."

Removal

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode"
2. At the DOS prompt type:
     CD \WINDOWS\SYSTEM
3. Delete SKA.EXE, SKA.DLL, and WSOCK32.DLL by typing
     DEL SKA.EXE
     DEL SKA.DLL
     DEL WSOCK32.DLL
4. Rename WSOCK32.SKA to WSOCK32.DLL by typing
     REN WSOCK32.SKA WSOCK32.DLL
5. Return to Windows by typing
     EXIT

Optional:
Click Start, then Run, then type regedit in the text box, then click OK.
Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then
CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is
there. Press delete and then click Yes. Close Regedit.

Optional:
Start Notepad and open the file LISTE.SKA. Warn the people on the
list, then delete LISTE.SKA
-- 
Marc van den Dikkenberg
--
The PowerBasic Archives -- http://www.xs4all.nl/~excel/pb.html
All Basic Code Archives -- http://come.to/abcpackets



From: Rudy Velthuis
Subject: Re: SKA/HAPPY99.EXE virus REMOVAL INFO
Date: 25 Jan 1999 17:29:36
Message: <36acf050.0@news.povray.org>
Marc van den Dikkenberg wrote in message
<36ace6b1.6367415@news.povray.org>...
>
>After a short web search, I found some info on this SKA-virus, including info
>on how to remove it..
>It turns out that I was right about the wsock32.dll thingey: it does make a
>backup! (luckily) So... If you've run the HAPPY99.EXE (the fireworks)
>THEN READ THIS MESSAGE!!!
>
>http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM


Thank you Marc, that was exactly what I had figured out too (just a few
minutes ago :-). We can really be glad it makes a backup copy of wsock32.dll
(although it would probably be easy to re-extract it from the original
win95/98 cab files - could be a bit hard to search for though).

At least this unhappy chapter of my newsgroup readings is over for now.

BTW I think you are right. These people are trying to collect as many VALID
(unscrambled) e-mail addresses. Here in Germany there was a case which got a
lot of publicity: some teenagers wrote a Trojan called something like
"T-Online Utilities". They collected all the (not very well hidden) password
files of Germany's largest online service, T-Online, from the users of these
utilities (they really worked and were in fact very handy, I'm told) and had
them sent to them. Fortunately, they didn't use the passwords, but just went
to the press with them. The programmer of the utilities has a good job in a
software company now <g>. This case caused a lot of trouble to T-Online,
because of users being angry about the very simple password encryption
T-Online used.

--
Rudy Velthuis
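
Added example, not part of either post: a small triage script that checks a Windows System folder (for instance one copied off the affected machine) for the files named in the removal instructions, and reports which cleanup steps apply, including the case raised in the reply where no WSOCK32.SKA backup exists. The function names, the sample folder contents and the assumption that LISTE.SKA holds one recipient per line are illustrative, not taken from the thread.

```python
import os
import tempfile

# File names taken from the removal instructions in this thread.
DROPPED = ("SKA.EXE", "SKA.DLL")
BACKUP = "WSOCK32.SKA"
RECIPIENTS = "LISTE.SKA"

def triage(system_dir):
    """Inspect a Windows System folder and report which cleanup steps apply."""
    # Win9x file names are case-insensitive, so index the folder by upper case.
    present = {n.upper(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}
    found = [n for n in DROPPED + (BACKUP, RECIPIENTS) if n in present]
    report = {"found": found, "infected": bool(found), "steps": [], "recipients": []}
    if not found:
        return report
    for name in DROPPED:
        if name in present:
            report["steps"].append("DEL " + name)
    if BACKUP in present:
        # The backup is the original DLL: swap it in for the modified one.
        report["steps"] += ["DEL WSOCK32.DLL", "REN WSOCK32.SKA WSOCK32.DLL"]
    else:
        # No backup: the DLL may not have been modified yet (RunOnce case),
        # so do not delete it blindly.
        report["steps"].append(
            "check RunOnce for SKA.EXE; verify or restore WSOCK32.DLL from the install CABs")
    if RECIPIENTS in present:
        # Assumption: plain text, one recipient per line.
        with open(present[RECIPIENTS], "r", errors="replace") as fh:
            report["recipients"] = [ln.strip() for ln in fh if ln.strip()]
        report["steps"].append("warn recipients, then DEL LISTE.SKA")
    return report

def demo():
    """Run triage on a constructed folder (sample data, not from a real system)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ska.exe", "Ska.dll", "WSOCK32.DLL", "wsock32.ska"):
            open(os.path.join(d, name), "wb").close()
        with open(os.path.join(d, "liste.ska"), "w") as fh:
            fh.write("alice@example.org\n\nnews:example.group\n")
        return triage(d)

if __name__ == "__main__":
    for step in demo()["steps"]:
        print(step)
```
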


