Home / malware

PDF

Win32.Worm.Happy99.A

First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Worm.Happy99.A.

Explanation :

The virus comes in the form of an email attachment, with the name Happy99.exe. It hooks all outgoing email and newsgroup posts and adds itself as an attachment (also adds the header X-Spanska: Yes).

When the attachment is executed, it copies itself to %SYSTEMDIR%\Ska.exe, drops a file named %SYSTEMDIR%\Ska.dll which is responsible for spreading, and makes a backup of Wsock32.dll under the name Wsock32.ska before patching it. If it fails to patch Wsock32 (because it's in use), it sets the key

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe=Ska.exe

in order to run at the next Windows startup.

The patched Wsock32 monitors all connections to SMTP (port 25) and NNTP (port 119) servers. When a SMTP/NNTP connection is made, Ska.dll is loaded which harvests destination addresses seen in the headers "RCPT TO:", "CC:", "BCC:", "NEWSGROUPS:" and attaches the worm to outgoing messages.

In order not to raise suspicion, the worm avoids sending the attachment to the same recipient by maintaining a log (maximum 5120 bytes) of the most recently mailed destinations in %SYSTEMDIR%\liste.ska.

Containes the encrypted text:

"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."

Last update 21 November 2011

 

TOP