
SYNOPSIS:
The Happy99.exe trojan will arrive attached to an email to you. It may even have been sent to you by a trusted, close friend. THE PERSON WHO EMAILED YOU THE HAPPY99.EXE TROJAN DOES NOT HAVE ANY IDEA THAT THE EMAIL WAS SENT TO YOU because Happy99 sent the email, not the person the email appears to have been sent by! The person infested with Happy99 will not know it's there and Happy99 will not let them know that it has sent itself on along with regular email.
When Happy99 is run after receipt, it will immediately try to MODIFY the dialup networking/winsock file on your machine (WSOCK32.DLL). If it is unable to modify the winsock because it is in use, it will install a runonce key in your registry so that the modification is made on the next system reboot. On bootup, it will modify the winsock and then remove this temporary bookmark from your registry. As a result, there will be no registry entry left to remove.
Happy99 will first make a copy of the original winsock (WSOCK32.DLL) to a backup called WSOCK32.SKA. It will then add an SKA.EXE and an SKA.DLL file which will interact with your winsock once it has been modified. Every time you send an email or post to a usenet newsgroup after infestation, Happy99 will silently send ANOTHER post to the same party, including an attachment of itself as HAPPY99.EXE in this separate email. Since this email is generated by Happy99 itself, no copy of this email will show in your email or newsgroup program, and thus you will not have any idea that it is sending emails in your name. Happy99 will also maintain a list for its own use, LISTE.SKA, which it checks to ensure it doesn't send a second email to anybody it has already sent a copy of itself to.
Happy99 is the first of its kind - most trojan horses install themselves as their own program which runs by itself. Happy99 is the first trojan which MODIFIES another file (your winsock) to operate. This methodology makes it unique in that a regular SYSTEM FILE is the method of infestation.
MANUAL REMOVAL OF HAPPY99:
Happy99 can ONLY be removed from a boot directly into DOS. It cannot be removed while Windows is running because, in most cases, the winsock file is locked by the operating system. The trojan is able to modify this file, but the user cannot.
To remove the trojan and restore your regular winsock, please follow these instructions:
1. Shut down your computer. Turn off the power.
2. Power on your computer. As soon as it starts to access the floppy disk, HOLD DOWN your F8 key.
3. A selector menu will appear which is different for each version of Windows. Choose the option (usually at the very bottom of the list) which brings up DOS or CONSOLE in SAFE MODE. This will bypass all existing settings. DO NOT SELECT RUN WINDOWS. We need to run DOS.
4. You will be deposited at a C:> prompt.
5. We will need to find your system files now. One of the following commands will get you there (depending on how your Windows system was set up). One of these will work and move you there; the others will not. The commands are listed in order of likelihood. Be sure to hit the enter key at the end of each line you try until you are at the system folder.
   CD\WINDOWS\SYSTEM (hit enter key)
   CD\WINNT\SYSTEM32 (hit enter key)
   CD\WIN95\SYSTEM (hit enter key)
   CD\WIN98\SYSTEM (hit enter key)
   The correct one for your computer will toss you a C: prompt showing the same path as the one you typed in. The other attempts will result in either a "not found" error or nothing at all.
6. When you are at the system prompt, confirm that you are in the right place by typing in the following:
   DIR WSOCK32.DLL (hit enter key)
   Your computer should respond with a listing that looks like this:
   Volume in drive C is MS-DOS_6
   Volume Serial Number is ####-####
   Directory of C:\WINDOWS\SYSTEM
   WSOCK32 DLL 66,560 07-11-95 9:50a
   1 file(s) 66,560 bytes
   0 dir(s) 10,190,848 bytes free
   Your WSOCK32.DLL file will likely be bigger than the one shown above. If the above does NOT appear or you receive an error message, you're not in the system folder yet. Try again.
7. You can find out if Happy99 is on your system by typing in the following command:
   DIR WSOCK32.SKA (hit enter key)
   If the Happy99 trojan has diddled your winsock, you will get an affirmation that the file exists, identical to what you got when you typed in DIR WSOCK32.DLL before. If you receive "file not found" then you do NOT have Happy99 on your machine, or you are not in the SYSTEM folder.
8. Once you're in the location where the WSOCK32.DLL file is located, type in the following to remove Happy99:
   ATTRIB -r -s -h -a WSOCK32.DLL (hit enter key)
   COPY WSOCK32.SKA WSOCK32.DLL (hit enter key)
   DEL SKA.EXE (hit enter key)
   DEL SKA.DLL (hit enter key)
   DEL LISTE.SKA (hit enter key)
   If the action is successful, you will just receive another prompt. If it fails, you'll receive an error message such as "file not found" or similar. Check your typing and try again.
9. You're done. Happy99 is gone. You can now turn off the machine and reboot back into Windows again.
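The same check and cleanup (steps 7 and 8 above) expressed as a small Python tool, added here as an illustration and not part of the original advisory or Privacy Software Corporation's software. It assumes a directory path standing in for the system folder and builds its own constructed sample files; it also refuses to delete the helper files when the WSOCK32.SKA backup is missing, since the modified winsock could not then be restored.

```python
import os, shutil, tempfile

# Happy99 (SKA) artifacts named in the advisory: the backup of the original winsock, the two helper files and the sent-to list.
WINSOCK = "WSOCK32.DLL"
BACKUP = "WSOCK32.SKA"
DROPPED = ("SKA.EXE", "SKA.DLL", "LISTE.SKA")

def _names(system_dir):
    # DOS names are case-insensitive: map upper-cased names to the real names on disk
    return {n.upper(): n for n in os.listdir(system_dir)}

def happy99_indicators(system_dir):
    """Return the Happy99 artifacts present in system_dir (the DIR WSOCK32.SKA check of step 7)."""
    present = _names(system_dir)
    return [n for n in (BACKUP,) + DROPPED if n in present]

def remove_happy99(system_dir):
    """Apply the cleanup of step 8 and return a status string. Refuses to delete anything
    when WSOCK32.SKA is absent, because the modified winsock could not be restored."""
    found = happy99_indicators(system_dir)
    if not found:
        return "clean"
    if BACKUP not in found:
        return "backup-missing"
    present = _names(system_dir)
    winsock = os.path.join(system_dir, present.get(WINSOCK, WINSOCK))
    if os.path.exists(winsock):
        os.chmod(winsock, 0o644)             # ATTRIB -r -s -h -a WSOCK32.DLL
    shutil.copyfile(os.path.join(system_dir, present[BACKUP]), winsock)  # COPY WSOCK32.SKA WSOCK32.DLL
    for name in DROPPED:                     # DEL SKA.EXE / SKA.DLL / LISTE.SKA
        if name in present:
            os.remove(os.path.join(system_dir, present[name]))
    return "restored"

def _write(system_dir, name, data=b""):
    with open(os.path.join(system_dir, name), "wb") as f:
        f.write(data)

def read_file(system_dir, name):
    with open(os.path.join(system_dir, name), "rb") as f:
        return f.read()

def make_sample_dir(artifacts=(BACKUP,) + DROPPED):
    # Constructed stand-in for the system folder (C:\WINDOWS\SYSTEM); sample data, not a real capture
    d = tempfile.mkdtemp()
    _write(d, WINSOCK, b"MODIFIED WINSOCK" if artifacts else b"ORIGINAL WINSOCK")
    for name in artifacts:
        _write(d, name, b"ORIGINAL WINSOCK" if name == BACKUP else b"")
    return d
```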
Use of Privacy Software Corporation's BOClean program will safeguard against this and over 60 other trojan horse programs automatically without having to go through all this and without risk of damage.
COPYRIGHTED MATERIAL:
Copyright (c) 1999 by Privacy Software Corporation.
Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.
Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information, nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.
Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, or by email to technology@privsoft.com. Copies of the Happy99.exe distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program, or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs, nor can we divulge their identities under any circumstances.