Classification

Category: Malware

Type: Worm

Aliases: Ska, Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA, Happy

Summary

Win32/Ska.A is a Win32-based email and newsgroup worm. It displays fireworks when it is executed for the first time as Happy99.exe. (Normally this file arrives at a particular PC as an email attachment, or it is downloaded from a newsgroup.)

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Once the Happy99.exe file has been executed, every email and newsgroup posting sent from the machine causes a second message to be sent. This second message carries the same sender and recipient information but contains no text, just the Happy99.exe file itself as an attachment.

Since people will usually receive Happy99.exe from someone they know (as email normally comes from someone you know), they tend to trust the attachment and run it.

When executed for the first time, it creates SKA.EXE and SKA.DLL in the system directory. SKA.EXE is a copy of HAPPY99.EXE; SKA.DLL is packed inside SKA.EXE. After this, Ska creates a copy of WSOCK32.DLL as WSOCK32.SKA in the system directory. It then tries to patch WSOCK32.DLL so that the export entries for two of its functions point to new routines (the worm's own functions) inside the patched WSOCK32.DLL. If WSOCK32.DLL is in use, Ska.A modifies the registry's RunOnce entry to execute SKA.EXE during the next boot-up. (When executed as SKA.EXE it does not display the fireworks; it just tries to patch WSOCK32.DLL until the file is no longer in use.)

The "Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the worm is able to see whether the local user has any activity on the network. When the "Connect" or "Send" APIs are called, Ska loads its SKA.DLL, which contains two exports: "news" and "mail".

It then spams itself to the same newsgroups or the same email addresses to which the user was posting or mailing. It maps SKA.EXE into memory, converts it to uuencoded format and sends an additional email or newsgroup post with the same header information as the original message, containing no text, just an attachment called Happy99.exe.

Therefore Happy99 is not limited in the way the Win32/Parvo virus is, which is unable to use a particular news server when the user does not have access to it. The worm also maintains a list of the addresses to which it has already posted a copy of itself. This list is stored in a file called LISTE.SKA. (The number of entries in this file is limited.)

The worm contains the following encrypted text which is not displayed:

Is it a virus, a worm, a trojan?
MOUT-MOUT Hybrid (c) Spanska 1999.

The mail header of the manipulated messages contains a new field, "X-Spanska: YES". Normally this header field is not visible to the receivers of the message.
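The two mail-side indicators described above, the hidden "X-Spanska: YES" header and a uuencoded Happy99.exe attachment in an otherwise empty body, can be checked at a mail gateway or in an archived mailbox. The following is an added example written for this description, not F-Secure's code; the sample messages are constructed and the uuencoded body is a placeholder, not the real worm.

```python
# Added example (not F-Secure's code): flag Happy99/Ska-style messages by the
# two mail-side indicators the description gives. Uses only the standard library.
import re
from email import message_from_string

# A uuencode section starts with "begin <mode> <filename>"; the worm names
# the attachment Happy99.exe.
UUENCODE_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)\s*$",
                            re.IGNORECASE | re.MULTILINE)


def _text_parts(msg):
    """Yield the text of every leaf part (the worm's mail is single-part,
    but a forwarded copy may be wrapped in a multipart container)."""
    if msg.is_multipart():
        for part in msg.walk():
            if not part.is_multipart():
                yield part.get_payload(decode=True).decode("latin-1", "replace")
    else:
        yield msg.get_payload()


def ska_indicators(raw):
    """Return the list of Ska.A indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    found = []
    # Indicator 1: the worm adds its own header field "X-Spanska: YES".
    if (msg.get("X-Spanska") or "").strip().upper() == "YES":
        found.append("x-spanska-header")
    # Indicator 2: the worm uuencodes SKA.EXE and attaches it as Happy99.exe.
    for text in _text_parts(msg):
        for match in UUENCODE_BEGIN.finditer(text):
            if match.group(1).lower() == "happy99.exe":
                found.append("uuencoded-happy99-attachment")
    return found


# Constructed sample messages (not real captures); the uuencoded line is filler.
WORM_MAIL = """From: alice@example.test
To: bob@example.test
Subject: hello
X-Spanska: YES

begin 644 Happy99.exe
#3VYE
end
"""

CLEAN_MAIL = """From: alice@example.test
To: bob@example.test
Subject: hello

See you tomorrow.
"""

if __name__ == "__main__":
    print("worm sample:", ska_indicators(WORM_MAIL))
    print("clean sample:", ska_indicators(CLEAN_MAIL))
```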

Since the worm does not check the attributes of WSOCK32.DLL, it cannot patch the file if it is set to read-only.

Please note that after disinfection of this worm you will have to rename WSOCK32.SKA back to WSOCK32.DLL in the \WINDOWS\SYSTEM folder to restore all of the original Winsock internet capabilities.

Happy99 does not replicate under Windows NT.