20- 40 Sending viruses

Canaboid · 07-12-1999 10:51am #1

Bastid sent me happy99.exe for no reason whatsoever. I know it's old and not to damaging but it's the principal etc.
20-40, an explanation please.

WhiteWashMan · 07-12-1999 11:18am

'how to win friends and influence people'
by 2040

naughty, naughty boy....

Shinji · 07-12-1999 11:23am

Wouldn't it stand to reason that he's just been infected with it himself?

mewso · 07-12-1999 2:37pm

Hehe he sent me that too. It looks like he's doing it unwillingly but I could be wrong. I just deleted the thing straight off.

M

07-12-1999 6:46pm

It happens anyway.Its not on purpose.On most of my mail i say "dont touch the attachment".Sorry lads.Cant help it.Looks like i wont be using my eircom account anymore.Cant nuke my 'puter either cos its shared.The whole point of the virus is to go along with every email.I thought everyone knew that.Some one else sent it to me!

-=20-40=-

Shinji · 07-12-1999 7:09pm

There is a proggy out there that nukes happy99.exe, not sure where to find it tho...

Trojan · 07-12-1999 7:20pm

Manual Removal of Happy99.exe

Steps marked optional are not absolutely necessary and are completely safe to skip. If you're not comfortable with DOS, get someone knowledgable to help you with this. I cannot make guarantees of perfect safety since its a manual removal, Perform these at your own risk. If you have Windows NT, you don't have to follow the removal steps.

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes. It's important to exit Windows in order to be able to replace the file WSOCK32.DLL which Windows normally has in use.

2.At the DOS prompt type this exactly and press enter at the end of each line:

CD \WINDOWS\SYSTEM

3. Delete SKA.EXE and SKA.DLL by typing

DEL SKA.EXE
DEL SKA.DLL

If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly.

4.Copy WSOCK32.SKA to WSOCK32.DLL by typing

ATTRIB -R WSOCK32.DLL
COPY WSOCK32.SKA WSOCK32.DLL

Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.

WSOCK32.SKA is a backup of the original WSOCK32.DLL. You are replacing the modified DLL with the original. If you get a "Sharing violation" make sure you followed step 1.

5.Optional Delete WSOCK32.SKA by typing

DEL WSOCK32.SKA

You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL Do not delete WSOCK32.SKA if you are unable to replace WSOCK32.DLL with WSOCK32.SKA.

6.Return to Windows by typing

EXIT

7.Optional Delete Windows Registry Key.
Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there. Press delete and then click Yes. Close Regedit. Don't change anything else without making a backup of the registry first. If you don't find SKA.EXE in the registry, it doesn't mean you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it. Also, you'll only find it in the registry if you haven't rebooted since you ran HAPPY99.EXE.

8.Optional Choose Start, Programs, Accessories, Notepad, choose File, then Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the people on the list, then delete LISTE.SKA. Make it clear to the people you warn that they won't be infected unless they ran happy99.exe, to avoid alarming them unnecessarily. If you haven't sent out any infected e-mails, there won't be a LISTE.SKA.

9. Optional Delete the HAPPY99.EXE file. The location of HAPPY99.EXE will vary depending on where you saved it. You can delete it simply by dragging it to the Recycle Bin from within Windows or whatever method you prefer. You may still have some messages with HAPPY99.EXE attached in your mailbox. These cannot do anything unless you run them. You can delete them if you want to or just ignore them. 10.Optional If you aren't sure whether WSOCK32.DLL is infected, choose Start, then Find, then "Files or Folders". Then type WSOCK32.DLL in the "Named" box. In the "Look in" box choose drive C: or whatever drive you have Windows on. In the "Containing Text" box type "ska.dll" without the quotes. Then click "Find Now". If you don't find any files, that means that wsock32.dll isn't the modified version. If you don't have the modified WSOCK32.DLL, the virus has no way to attach to e-mails, even if you have SKA.EXE, SKA.DLL, and WSOCK32.SKA in the Windows System folder. If you have SKA.EXE in the RunOnce registry section, and you haven't deleted SKA.EXE, then the virus will try to modify WSOCK32.DLL the next time you restart the computer.

07-12-1999 10:07pm

Thanx m8!

-=20-40=-

Canaboid · 07-12-1999 10:51pm

Far enuf 2040. But at the same time if u had rabies (I'm not suggesting you do by the way)I would expect u not to prepare food and serve it to ppl, err.. for example.

Hobbes · 07-12-1999 11:04pm

afair, the happy99 emails all your friends the virus if you have outlook. I remember some muppet getting it and it was sent to a mailing list.

Next 20 mails where the virus again, followed about 30-40 FOAD mails for people spamming the mailing list, followed by more virus emails.

Canaboid · 08-12-1999 1:05am

Nah its an exe which if I remember correctly shows a little firework display. It has no stealth capabilities - you just run the exe and it infects with ska.dll

20- 40 Sending viruses

Comments