
Win32.Worm.Happy99.A

HIGH
LOW
10000 bytes, 8192 bytes dropped DLL

Symptoms

Presence of the files Ska.exe, Ska.dll, WSock32.ska, liste.ska in the %SYSTEMDIR% folder.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Marius Barbu, Virus Researcher

Technical Description:

The virus arrives as an email attachment named Happy99.exe. It hooks all outgoing email and newsgroup posts and adds itself as an attachment; it also adds the header X-Spanska: Yes to each message it infects.

When the attachment is executed, it copies itself to %SYSTEMDIR%\Ska.exe, drops a file named %SYSTEMDIR%\Ska.dll which is responsible for spreading, and makes a backup of Wsock32.dll under the name Wsock32.ska before patching it. If it fails to patch Wsock32 (because it is in use), it sets the key

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe=Ska.exe

in order to run at the next Windows startup.

The patched Wsock32 monitors all connections to SMTP (port 25) and NNTP (port 119) servers. When an SMTP/NNTP connection is made, Ska.dll is loaded; it harvests destination addresses seen in the headers "RCPT TO:", "CC:", "BCC:" and "NEWSGROUPS:" and attaches the worm to outgoing messages.

In order not to raise suspicion, the worm avoids sending the attachment to the same recipient twice by maintaining a log (maximum 5120 bytes) of the most recently mailed destinations in %SYSTEMDIR%\liste.ska.
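The indicators above (the X-Spanska header, the Happy99.exe attachment and the files dropped into %SYSTEMDIR%) can be checked offline. The following is an added example written for this page, not Bitdefender's detection code; the sample messages are constructed, and the system-directory check takes a plain file-name listing so it runs anywhere.

```python
import email
from email import policy

# Indicators taken from the description above.
WORM_HEADER = "X-Spanska"
ATTACHMENT_NAME = "happy99.exe"
DROPPED_FILES = ("ska.exe", "ska.dll", "wsock32.ska", "liste.ska")

def mail_indicators(raw_message: bytes) -> list[str]:
    """Return the Happy99 indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    # The worm tags every message it hooks with this header...
    if msg.get(WORM_HEADER, "").strip().lower() == "yes":
        found.append("header X-Spanska: Yes")
    # ...and attaches its own executable under this name.
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower() == ATTACHMENT_NAME:
            found.append(f"attachment {name}")
    return found

def dropped_files(system_dir_listing) -> list[str]:
    """Given the file names in %SYSTEMDIR% (e.g. from os.listdir), return those the worm drops."""
    present = {name.lower() for name in system_dir_listing}
    return [f for f in DROPPED_FILES if f in present]

# Constructed sample messages: one carrying the worm, one clean.
INFECTED = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: hello
X-Spanska: Yes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Happy99.exe"
Content-Disposition: attachment; filename="Happy99.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""
CLEAN = b"From: a@example.invalid\nTo: b@example.invalid\nSubject: hi\n\nhello\n"

if __name__ == "__main__":
    print(mail_indicators(INFECTED))  # ['header X-Spanska: Yes', 'attachment Happy99.exe']
    print(mail_indicators(CLEAN))     # []
```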

Contains the encrypted text:

"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."