[Fwd: CL_Happy99.exe is a virus]



I kept this post ........ thought it might be a good reference on this
problem.  This might be helpful .......if you didn't heed Hans's warning
in early January.
Return-path: <code-request@xxxxxxxxxxxxx>
Envelope-to: joachim@xxxxxxxxxxxx
Received: from www.hargravefinancialgroup.com (100.cmpu.net) [204.181.115.164] 
	by pop.uniserve.com with esmtp (Exim 1.82 #4)
	id 108VaK-0006TG-00; Thu, 4 Feb 1999 12:41:12 -0800
Received: from mail.atl.bellsouth.net ([205.152.0.21]) by 100.cmpu.net
          (Post.Office MTA v3.5.3 release 223 ID# 0-57451U100L100S0V35)
          with ESMTP id net for <code-list@xxxxxxxxxxxxx>;
          Thu, 4 Feb 1999 14:30:03 -0600
Received: from Pionex (host-209-214-88-222.atl.bellsouth.net [209.214.88.222])
	by mail.atl.bellsouth.net (8.8.8-spamdog/8.8.5) with SMTP id PAA22623;
	Thu, 4 Feb 1999 15:37:54 -0500 (EST)
Message-ID: <01e701be507e$3ff6e8c0$0201a8c0@xxxxxxxxxxxxxxxxxxxx>
From: "Harold R. Lanier" <hlanier@xxxxxxxxxxxxx>
To: "Code List (E-mail)" <code-list@xxxxxxxxxxxxx>,
        "TradeLab Mail List" <tradelab@xxxxxxxxxx>, <quotes-plus@xxxxxxxxxxx>,
        <qcharts@xxxxxxxxxxx>
Subject: CL_Happy99.exe is a virus
Date: Thu, 4 Feb 1999 15:37:56 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit


A Jim Box just sent me an e-mail via one of the list groups I watch that
included a virus attachment.  I hope it was by accident, but here is my
letter to him. If you received a similar e-mail and opened the file, you are
infected.

Jim Box,
I am going to assume that you did this by mistake, but in sending the
Happy99.exe file you sent the following virus to me and everyone on the
list.  This is a serious matter and you have potentially infected every
person on this list that opened the file.  Below is how you can remove it
from your system.

Friends in the GET group, this virus is real.  Do not open the file.

Harold Lanier
770-751-3822
hlanier@xxxxxxxxxxxxx

You may have received from me an email with nothing in the body and a 9K
attachment named Happy99.exe.

Don't run that attachment! It is a trojan horse worm called the SKA
virus that will insinuate itself into your system by replacing your
WSOCK32.dll file with its own. What it does then is that it will send
out email to people you send email to with nothing in the body of the
message with the Happy99.exe file attached.

If you have run this attachment, I apologize for unwittingly helping to
propagate this thing. Here's what you need to do to eradicate it from
your system.

1) Exit all your programs and shut down your computer so it re-starts in
DOS mode.

2) Go to your Windows/System directory and delete the following files:

        SKA.exe
        SKA.dll

3) Copy WSOCK32.SKA to WSOCK32.DLL with the following command:

        COPY WSOCK32.SKA WSOCK32.DLL

4) (Optional) Delete WSOCK32.SKA (This is the backup copy of your
original wsock32.dll file.)

5) (Optional) It may have added an item in your Windows Registry that
causes it to be run when you start your machine. The above steps will
ensure that there's nothing to run, but if you want to clean
everything.... do Start - Run - Regedit. Browse down the following path:

        HKEY_LOCAL_MACHINE
                Software
                        Microsoft
                                Windows
                                        CurrentVersion
                                                RunOnce

If there is an item for SKA.EXE, select it with the mouse and press the
Delete key to get rid of it.

6) (Optional) The worm creates a file in the Windows/System directory,
LISTE.SKA, which contains a list of emails of people to whom it has sent
itself so it won't send it to someone twice (polite little bugger.) It's
just a text file you can read in Notepad. I'm sending this email to
everyone on that list. If you are infected you might want to do the
same. You can delete this file too.
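
The following triage check is an added example, not part of the original message: it looks in a Windows/System directory for the files named in the removal steps above and pulls the addresses out of LISTE.SKA so they can be notified. The function names, the report layout and the assumption that LISTE.SKA holds addresses as plain text are illustrative; the sample directory is constructed and contains only placeholder files.

```python
import re
import tempfile
from pathlib import Path

# File names taken from the removal steps in the message above.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP = "WSOCK32.SKA"   # worm's backup copy of the original WSOCK32.DLL
SENT_LOG = "LISTE.SKA"   # addresses the worm has already mailed itself to
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage(system_dir):
    """Report Happy99/SKA artifacts found in a Windows/System directory."""
    # DOS/Windows file names are case-insensitive, so index by upper-case name.
    present = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    report = {
        "worm_files": [n for n in WORM_FILES if n in present],
        # Step 3 (COPY WSOCK32.SKA WSOCK32.DLL) only works while this exists,
        # so it must not be deleted before the restore has been done.
        "backup_present": BACKUP in present,
        "notify": [],
    }
    if SENT_LOG in present:
        text = present[SENT_LOG].read_text(encoding="latin-1", errors="replace")
        # Assumption: addresses appear as plain text. De-duplicate, keep order.
        found = (a.lower() for a in ADDRESS.findall(text))
        report["notify"] = list(dict.fromkeys(found))
    report["infected"] = bool(
        report["worm_files"] or report["backup_present"] or SENT_LOG in present
    )
    return report


def build_sample(root):
    """Constructed sample directory with placeholder files (no real worm code)."""
    root = Path(root)
    for name in ("Ska.exe", "ska.dll", "WSOCK32.DLL", "wsock32.ska"):
        (root / name).write_bytes(b"placeholder")
    (root / "liste.ska").write_text(
        "alice@example.com\nbob@example.org\nalice@example.com\n"
    )
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(triage(build_sample(d)))
```

The check does not cover the RunOnce registry entry from step 5, which has to be inspected in Regedit as described.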