CJ: This is a harmless virus - but a nuisance, nothing to worry about. I did not receive the virus from you at all, in any of your messages. I, too, had the pesky virus sent to me and didn't know - this was last spring. If you do still have the virus your ISP will gladly give you a free disk to get rid of it. But I have not seen any signs that you passed the virus on to me.

Chris

-----Original Message-----
From: CJ <cm12256@cedarnet.org>
To: SHUMAN-L@rootsweb.com <SHUMAN-L@rootsweb.com>
Date: Saturday, October 16, 1999 2:11 PM
Subject: [SHUMAN] Please read all info

>To everyone on this List,
>
>I was not aware of the "Happy 99EXE" worm/virus logo that has been attached to my messages. This is to let you know that I have NOT sent this intentionally. If you will read the following article concerning this worm you will see that the sender is unaware of it being there until someone tells them. I have again today followed the following instructions for removing this; if the logo is still there please let me know, and if you have any other suggestions.
>
>I did not say anything to the List because to my knowledge the virus has been wiped clean from me. As I have just written to you, I had taken appropriate measures to wipe this worm/virus from my system a month ago, right after I found out about it. My computer says that it is no longer in the system, although the logo still follows me. I have no idea why; I am not a computer professional. I appreciate you letting me know that it is still there and will find someone who has experience in these cases, to have them dislodge it.
>
>If anyone has been really infected by this, I apologize. I am just a housewife seeking out her family roots; I am not out to harm anyone.
>
>I will also forward this to the list, in response to what you have already sent.
>
>CJ
>
>Aliases: Trojan.Happy99, I-Worm.Happy
>Likelihood: Common
>Region Reported: World Wide
>Characteristics: Trojan Horse, Worm
>
>Description
>
>This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment.
>
>When executed, the program also opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries, as SKA.DLL, into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL to WSOCK32.SKA.
>
>WSOCK32.DLL handles Internet connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with a UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.
>
>If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry:
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
>
>The registry entry loads the worm the next time Windows starts.
>
>Removing the Worm Manually
>
>1. delete WINDOWS\SYSTEM\SKA.EXE
>2. delete WINDOWS\SYSTEM\SKA.DLL
>3. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
>4. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
>5. delete the downloaded file, usually named HAPPY99.EXE
>
>Windows prevents you from doing steps 3 and 4 above if the machine is still connected to the Internet. The file "windows\system\wsock32.dll" is used whenever the machine is connected to the Internet (i.e. through a dial-up or LAN connection).
>
>If you are using a dial-up connection (e.g. America Online), you need to do the following:
>
>1. terminate the Internet connection
>2. delete WINDOWS\SYSTEM\SKA.EXE
>3. delete WINDOWS\SYSTEM\SKA.DLL
>4. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
>5. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
>6. delete the downloaded file, usually named HAPPY99.EXE
>
>If you are connected to the Internet through a LAN (e.g. in the office, or via a cable modem), you need to do the following:
>
>1. From the Start menu, select Shut Down - Restart in MS-DOS mode
>2. type CD \windows\system when the DOS prompt (C:\) appears
>3. type RENAME WSOCK32.DLL WSOCK32.BAK
>4. type RENAME WSOCK32.SKA WSOCK32.DLL
>5. type DEL SKA.EXE
>6. type DEL SKA.DLL
>
>Safe Computing
>
>This worm and other trojan-horse-type programs demonstrate the need to practice safe computing. One should not execute any executable file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article from an untrusted source.
>
>Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:
>
>http://www.symantec.com/avcenter/download.html
>
>Write-up by: Raul K. Elnitiarta
>March 2, 1999
>
>==== SHUMAN Mailing List ====
>-----------------
>This is a discussion area for anyone
>who has an interest in SHUMAN genealogy or history
>You can also
>visit the SHUMAN Web Site at
>http://homepages.rootsweb.com/~shuman/welcome.html
>-----------------
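The quoted write-up describes two things a list member can actually check: what the worm puts into an outgoing message (a uuencoded HAPPY99.EXE appended by SKA.DLL) and what it leaves on disk (SKA.EXE, SKA.DLL, the WSOCK32.SKA backup and the RunOnce=SKA.EXE entry), followed by the manual removal steps. The script below is an added example written for this thread; it is not Symantec's code and not anything from the list. It models both mechanisms against a simulated WINDOWS\SYSTEM directory created in a temp folder: the file names and registry value are the ones in the write-up, while the directory layout, the sample message, the DLL byte contents and the payload bytes are constructed for the demonstration. It also adds the two checks a practitioner would want around the removal procedure: refuse to touch WSOCK32.DLL while online (the write-up's own caveat), and never rename the patched DLL away unless the WSOCK32.SKA backup is there to take its place.

```python
"""Happy99 (SKA) triage helpers.

Added example for this thread, not Symantec's or the list's code. It models
the two mechanisms in the quoted write-up: an outgoing mail or news posting
carrying a uuencoded HAPPY99.EXE, and the on-disk indicators (SKA.EXE,
SKA.DLL, WSOCK32.SKA, RunOnce=SKA.EXE) together with the manual removal
steps. File names and the registry value come from the write-up; the
simulated WINDOWS\\SYSTEM directory, the sample message and the byte
contents are constructed here for the demonstration.
"""
import binascii
import os
import re
import tempfile

WORM_FILES = ("SKA.EXE", "SKA.DLL")   # dropped by the worm (write-up)
BACKUP_NAME = "WSOCK32.SKA"           # worm's copy of the original DLL
PATCHED_NAME = "WSOCK32.DLL"          # the DLL the worm modifies
ATTACHMENT_NAME = "HAPPY99.EXE"       # name of the mailed attachment
RUNONCE_VALUE = "SKA.EXE"             # value written under RunOnce

# Constructed stand-ins for DLL contents; no real Windows files are touched.
ORIGINAL_WSOCK32 = b"MZ original wsock32"
PATCHED_WSOCK32 = b"MZ wsock32 with worm hook"

# A uuencoded attachment starts with a line "begin <octal mode> <filename>".
_UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)\s*$", re.MULTILINE)


def uuencoded_attachments(message_text):
    """File names of every uuencoded attachment in a message body."""
    return _UU_BEGIN.findall(message_text)


def carries_happy99(message_text):
    """True if a uuencoded attachment is named HAPPY99.EXE (any case)."""
    return any(n.upper() == ATTACHMENT_NAME for n in uuencoded_attachments(message_text))


def sample_message(payload=b"MZ" + b"\x90" * 60):
    """Constructed message shaped like what SKA.DLL sends: text plus a uuencoded EXE."""
    lines = ["Subject: Happy New Year 1999 !!", "", "begin 644 " + ATTACHMENT_NAME]
    for i in range(0, len(payload), 45):          # uuencode works in 45-byte chunks
        lines.append(binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end", ""]
    return "\n".join(lines)


def build_infected_system(root=None):
    """Create a simulated WINDOWS\\SYSTEM directory in the post-infection state."""
    system_dir = os.path.join(root or tempfile.mkdtemp(), "WINDOWS", "SYSTEM")
    os.makedirs(system_dir)
    for name, data in ((PATCHED_NAME, PATCHED_WSOCK32), (BACKUP_NAME, ORIGINAL_WSOCK32),
                       ("SKA.EXE", b"MZ ska"), ("SKA.DLL", b"MZ ska dll")):
        with open(os.path.join(system_dir, name), "wb") as f:
            f.write(data)
    return system_dir


def _listing(directory):
    """Map upper-cased file names to paths (Windows names are case-insensitive)."""
    return {n.upper(): os.path.join(directory, n) for n in os.listdir(directory)}


def host_indicators(system_dir, runonce_value=None):
    """The write-up's infection indicators present on this host."""
    present = _listing(system_dir)
    found = [n for n in WORM_FILES + (BACKUP_NAME,) if n in present]
    if runonce_value and runonce_value.strip().upper() == RUNONCE_VALUE:
        found.append("RunOnce=" + RUNONCE_VALUE)
    return found


def wsock32_bytes(system_dir):
    """Current contents of WSOCK32.DLL, to confirm the original was restored."""
    with open(os.path.join(system_dir, PATCHED_NAME), "rb") as f:
        return f.read()


def remove_worm(system_dir, online=False, download_dir=None):
    """Apply the manual removal steps and return the actions taken.

    Refuses to run while online: WSOCK32.DLL is in use then and the rename
    steps fail (the write-up's caveat). Also refuses to rename the patched
    DLL away unless WSOCK32.SKA exists, so a half-cleaned system is never
    left without a WSOCK32.DLL at all.
    """
    if online:
        raise RuntimeError("terminate the Internet connection first")
    actions = []
    paths = _listing(system_dir)
    for name in WORM_FILES:                                   # steps 1 and 2
        if name in paths:
            os.remove(paths[name])
            actions.append("deleted " + name)
    if BACKUP_NAME in paths:                                  # steps 3 and 4
        if PATCHED_NAME in paths:
            os.replace(paths[PATCHED_NAME], os.path.join(system_dir, "WSOCK32.BAK"))
            actions.append("renamed WSOCK32.DLL to WSOCK32.BAK")
        os.replace(paths[BACKUP_NAME], os.path.join(system_dir, PATCHED_NAME))
        actions.append("renamed WSOCK32.SKA to WSOCK32.DLL")
    if download_dir:                                          # step 5
        downloads = _listing(download_dir)
        if ATTACHMENT_NAME in downloads:
            os.remove(downloads[ATTACHMENT_NAME])
            actions.append("deleted " + ATTACHMENT_NAME)
    return actions
```

The message check only looks at the uuencode header line, which is all the write-up gives; a mail filter built on it would also want to look inside MIME base64 parts, since the same attachment can travel either way. The removal helper deliberately does not touch the registry: on a real Windows 95/98 box the RunOnce value is consumed on the next boot, and the simulation has no registry to edit.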