Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/SKA

Win32/SKA is a worm spreading as a file attachment of email messages.  The name of the file in the attachment is HAPPY99.EXE and at its execution the following window with graphical effect of fireworks is displayed:

At the same time the worm installs itself into the system and takes over the control of sending out email.  This enables further spreading – it gets attached to the message as an attachment.
The file size of the worm is 10000 bytes.  It attacks the operating systems Windows 95/98, however does not operate on  Windows NT systems because of errors.  After it is executed the worm copies itself with the file-name SKA.EXE into the Windows and creates an additional file, SKA.DLL there.  It copies the file WSOCK32.DLL to WSOCK.SKA and modifies the file WSOCK32.DLL.  If the worm does not succeed (e.g. the file is being used at the moment) it ensures its modification at the next system restart by means of creating a new key in the system registry.
The modification of the file WSOCK32.DLL, which is activated after the computer is connected to the Internet, gives the worm access to two system features: sending out data and making connections.  This is true for ports 25 (SMTP – electronic mail) and 119 (NNTP – chat groups).  When connecting on any of these two ports the file SKA.DLL is activated and the worm creates a new message.  It attaches the file HAPPY99.EXE to it and sends it to the Internet.  The message header contains the following text:

X-Spanska: Yes

The worm files a list of addresses to which it sent its copies in the file LISTE.SKA which is located in the Windows directory.  The following text strings can be found in the worm's body, the majority is encrypted:

Is it virus, a worm, a trojan ? MOUT-MOUT Hybrid (c) Spanska 1999.
Happy New Year 1999 !!
Begin 644 Happy99.exe end
\Ska.exe \liste.ska
\wsock32.dll \Ska.dll

There is a very simple protection against this worm and it can be removed even manually.  If the file WSOCK32.DLL has set the attribute Read-Only the worm cannot modify this file.  To remove the worm from the system it is necessary to delete the files SKA.EXE, WSOCK32.DLL, SKA.DLL and rename the file WSOCK32.SKA to WSOCK32.DLL in the directory where the operating system Windows is installed.  To prevent a random re-infection it is advisable to delete also the original file HAPPY99.EXE.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.