Well, truth be known, THERE IS NO SUCH THING AS A TRUSTED SOURCE!
c:\program files\eudora\attach
(Note: No personal offense intended, but our policy is to DELETE all email attachments in messages coming from AOL, as well as those from Hotmail, BigFoot, or any of the other "free" web email providers, regardless of who we might think it is. We've just found it better to be safe than sorry. If you spend a lot of time online, you know what we mean. But this wasn't an AOL or other "Caution-List" user.)
When we opened the attachment we were presented with a small pop-up window with a nice, colorful fireworks display expressing "Happy New Year '99". We closed the window and went on about our business.
Little did we know, but as soon as we opened that attachment, we had become infected with the Trojan Horse "happy99.worm".
Yeah, information about this worm was probably readily available had we paid full attention to news items about such things, but in the day-to-day grind it is sometimes difficult to pay attention to everything that comes along. Besides... we only open attachments from "trusted" sources...
WSOCK32.DLL is used whenever the machine is connected to the internet via dial-up or LAN connections.
Since you are generally online when you get infected, the worm contains code that, in effect, says: while WSOCK32.DLL is in use, add a "run-once" registry entry so that the next time you boot your system (before you go online) it can complete the infection process. (You can't write to files which are currently in use.)
Symantec's write-up of the worm: http://www.symantec.com/avcenter/venc/data/happy99.worm.html
This is a worm program, not "officially" a virus. Once infected, though, you transmit it to others unknowingly with EVERY email you send. It creates a new email or a new newsgroup article with a UUENCODED "happy99.exe" inserted into it, going to every recipient or location where you send email.
Besides using additional disk resources, it inflates and clogs the email network with the extra traffic and content it is sending (10k each) as those who are infected send email (and we wonder why things are so s-l-o-w at times!!!).
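As an added example (not from this article or from Symantec), here is a Python check a mail gateway could run over an outgoing message body to spot the uuencoded happy99.exe attachment the worm appends to every message; the sample message, the filename list and the "MZ" stand-in payload are constructed here, not real worm data.

```python
import binascii
import re
from typing import Dict, List

# Start of a uuencoded block as the worm emits it: "begin <octal mode> <filename>"
UU_BEGIN = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S+)\s*$")

# Attachment name the article associates with the worm (constructed lookup set)
SUSPECT_NAMES = {"happy99.exe"}


def extract_uu_attachments(message_text: str) -> List[Dict]:
    """Decode every uuencoded block in a mail/news body and describe it."""
    found = []
    lines = message_text.splitlines()
    i = 0
    while i < len(lines):
        m = UU_BEGIN.match(lines[i])
        if not m:
            i += 1
            continue
        name, payload = m.group(2), bytearray()
        i += 1
        while i < len(lines) and lines[i].strip() != "end":
            line = lines[i]
            if line.strip() and line != "`":  # skip blanks and the zero-length marker
                try:
                    payload += binascii.a2b_uu(line)
                except binascii.Error:
                    break  # malformed line: stop decoding this block
            i += 1
        is_exe = payload[:2] == b"MZ"  # DOS/PE executable header
        found.append({"filename": name, "size": len(payload), "is_executable": is_exe,
                      "suspect": is_exe or name.lower() in SUSPECT_NAMES})
        i += 1  # step past "end"
    return found


def build_sample_message(blob: bytes, name: str) -> str:
    """Constructed sample: a short mail body with a uuencoded file appended."""
    body = ["Subject: Happy New Year", "", "See the attached fireworks!", "", f"begin 644 {name}"]
    for off in range(0, len(blob), 45):  # uuencode carries at most 45 bytes per line
        body.append(binascii.b2a_uu(blob[off:off + 45]).decode("ascii").rstrip("\n"))
    body += ["`", "end", ""]
    return "\n".join(body)


# Constructed stand-in payload: an "MZ" header plus filler, NOT the real worm
FAKE_EXE = b"MZ" + bytes(range(100))
```

A gateway would hold back any message for which an entry comes back with `suspect` set, which catches both the known filename and any renamed executable.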
We rebooted to an MS-DOS session and were able to follow the cleaning procedures step-by-step, renaming and deleting the files as instructed.
To our dismay, when we rebooted, we found we were STILL INFECTED! We went through the procedures step-by-step -- very deliberately -- several times, attempting to "get it right".
At this point we had spent a good portion of the morning attempting to rid ourselves of this nastie, but to no avail. No matter what we did, we could not get rid of this thing! Every time we rebooted, our Norton Anti-Virus advised that we were still infected.
Finally, almost at the point of desperation, we thought we'd try something, just in case it might have something to do with the fact that this was one of our systems that also had a file named WSOCK32N.DLL. Apparently this file is loaded by installations that require newer versions of the MSIE browser. Even though we don't use MSIE, we have programs that load/update it as part of their installation process.
Could this file also be infected and perhaps be the cause of our continuing re-infection, even though we were following Symantec's instructions to the letter?
Seems as though it was, because when we deleted and replaced that file (WSOCK32N.DLL) along with the standard procedures outlined in the instructions (see below), we were finally able to get rid of the infection.
We've sent a copy of this along to the Symantec folks to see what they say, or so that they can update their procedures. If anything exciting comes back from them (assuming they answer), we'll pass that along too.
1. delete C:\WINDOWS\SYSTEM\SKA.EXE
2. delete C:\WINDOWS\SYSTEM\SKA.DLL
3. in C:\WINDOWS\SYSTEM\ directory (folder) rename WSOCK32.DLL to WSOCK32.BAK
4. in C:\WINDOWS\SYSTEM\ directory (folder) rename WSOCK32.SKA to WSOCK32.DLL
5. delete the downloaded file, usually named HAPPY99.EXE
6. type DEL SKA.DLL