Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published:
Description created: 31 Dec 1998 03:00:00
Description updated: 08 Nov 2001 02:35:00
Malware type: WORM
Alias: Happy99, Ska
Spreading mechanism: EMAIL
Summary: None

W32/Ska

Spreading

Indications of infection

When launched, a window will appear, showing fireworks and the headline "Happy New Year 1999!!".

The following files will be found on your computer:

Happy99.exe: displays fireworks on your machine when it is launched.
Ska.exe: a copy of Happy99.exe.
Wsock32.ska: contains a copy of the original Wsock32.dll.
Liste.ska: contains the email addresses and newsgroups which the Happy99.exe file has been sent to. This file only exists if the worm has been attached to mail.

Payload Details

n/a

Analysis

n/a

Removal

Lumension has developed a special program which detects and removes W32/Ska. Owners of Lumension Virus Control may download this by following this link. Note that this program does not clean the Registry settings which W32/Ska inserts (see below). The Readme.txt file has more information.

If you are an experienced user you may follow the steps below to manually remove W32/Ska.

If you have NT, you do not have to follow these steps! You just have to delete the files SKA.DLL and SKA.EXE, using Windows Explorer.

1. Restart the machine in MS-DOS mode.
2. Go to the \Windows\system directory (type cd \windows\system).
3. Delete the files SKA.EXE and SKA.DLL (type del ska.exe then del ska.dll).
4. Rename WSOCK32.DLL to WSOCK32.BAD (type ren wsock32.dll wsock32.bad).
5. Rename WSOCK32.SKA to WSOCK32.DLL (type ren wsock32.ska wsock32.dll).
6. Delete WSOCK32.BAD (type del wsock32.bad).
7. Restart the machine.
8. Choose Start|Run and type regedit. (Note! Only if you are an experienced user, otherwise, call your local Lumension office.)
9. Go to HKEY_LOCAL_MACHINE|SOFTWARE|Microsoft|Windows|CurrentVersion|RunOnce.
10. Check for the key SKA.EXE and delete it if it exists. If you do not find SKA.EXE in the Registry, it does not mean you are not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL.
11. Exit the registry.
12. The file LISTE.SKA (in the \windows\system directory) contains the e-mail addresses of everyone you have sent an infected file to (as well as the newsgroups). Warn them about the file Happy99.exe and/or give them a link to this page. If you do not find a LISTE.SKA file, you have not sent the Happy99.exe file to anyone. Delete LISTE.SKA if it exists.
13. Delete the file HAPPY99.EXE. The location of this file may vary according to where you saved it.
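The manual removal steps above can be rehearsed as a read-only triage check over a copy of the \windows\system directory, for example from a mounted disk image. This is an added example, not Lumension's removal program; the names triage and demo and the sample directory are assumptions, while the file names and the RunOnce key are the ones given on this page.

```python
import os
import tempfile

# File names taken from this page; compared case-insensitively because
# Windows 9x file names are not case-sensitive.
ARTIFACTS = ("ska.exe", "ska.dll", "wsock32.ska", "liste.ska")
RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def triage(system_dir):
    """Read-only check of a \\windows\\system copy.

    Returns (found, plan): the artifacts present and the page's manual
    removal steps that apply to them. Nothing is modified.
    """
    present = {name.lower(): name for name in os.listdir(system_dir)}
    found = sorted(a for a in ARTIFACTS if a in present)
    if not found:
        return found, []
    plan = [f"del {present[a]}" for a in ("ska.exe", "ska.dll") if a in present]
    if "wsock32.ska" in present:
        # Restore the original library from the worm's backup copy.
        if "wsock32.dll" in present:
            plan += ["ren wsock32.dll wsock32.bad"]
        plan += ["ren wsock32.ska wsock32.dll"]
        if "wsock32.dll" in present:
            plan += ["del wsock32.bad"]
    # Without the backup the rename steps are skipped (assumption of this
    # example: never remove wsock32.dll when there is nothing to restore).
    plan.append(f"check {RUNONCE} for SKA.EXE")
    if "liste.ska" in present:
        plan.append("warn recipients in liste.ska, then del liste.ska")
    return found, plan


def demo():
    """Run triage on a constructed sample directory (empty placeholder files)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("SKA.EXE", "Wsock32.dll", "WSOCK32.SKA", "Liste.ska", "kernel32.dll"):
            open(os.path.join(d, name), "w").close()
        return triage(d)


if __name__ == "__main__":
    found, plan = demo()
    print("artifacts:", found)
    for step in plan:
        print(" -", step)
```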


Last Updated: 12 Nov 2015 11:06:11