Dear Colleagues,
A short while ago I unfortunately spread a (otherwise harmless) Happy99
virus with a mail I sent. To make up for this misdeed, I am enclosing a
description of how to get rid of it.
0. Do not unpack the uuencoded Happy99.exe file; delete the whole mail
instead. If this has already happened, follow the steps below:
Happy99.Worm
Virus Name: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: World Wide
Characteristics: Trojan Horse, Worm
Description:
This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file
is usually named HAPPY99.EXE in the email or article attachment.
When executed, the program also opens a window entitled "Happy New
Year 1999 !!" showing a firework display to disguise its other actions.
The program copies itself as SKA.EXE and extracts a DLL that it carries
as SKA.DLL into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL
in the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
WSOCK32.SKA.
Removing the worm manually:
1. delete WINDOWS\SYSTEM\SKA.EXE
2. delete WINDOWS\SYSTEM\SKA.DLL
3. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
5. delete the downloaded file, usually named HAPPY99.EXE
Windows prevents you from doing steps #3 and #4 above if the machine is
still connected to the Internet.
The file "windows\system\wsock32.dll" is used whenever the machine is
connected to the Internet (i.e. through dial-up or LAN connection).
Write-up by: Raul K. Elnitiarta
March 2, 1999
--
Laszlo E. Szabo
Department of Theoretical Physics
Department of History and Philosophy of Science
Eotvos University, Budapest
H-1518 Budapest, Pf. 32.
Phone: (36-1)2090-555/6671
Fax: (36-1)372-2509
Home: (36-1)200-7318
http://hps.elte.hu/~leszabo
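
The manual removal steps in the write-up above, turned into a read-only check (an added example, not part of the original mail or the write-up). It assumes Python and a copy or mount of the WINDOWS\SYSTEM directory inspected from another system; `plan_removal` and `demo` are hypothetical names, and the handling of a missing WSOCK32.SKA is a precaution added here.

```python
import os
import tempfile

# File names come from the write-up. They are matched case-insensitively
# because FAT names can show up in any case when the disk is mounted elsewhere.
DROPPED = ("SKA.EXE", "SKA.DLL")
PATCHED, BACKUP = "WSOCK32.DLL", "WSOCK32.SKA"


def plan_removal(system_dir):
    """Return (status, steps) for a WINDOWS\\SYSTEM directory; changes nothing."""
    present = {name.upper(): name for name in os.listdir(system_dir)}
    steps = [f"delete {present[n]}" for n in DROPPED if n in present]
    if BACKUP in present:
        # The worm's copy of the original library exists: steps 3 and 4 apply.
        if PATCHED in present:
            steps.append(f"rename {present[PATCHED]} to WSOCK32.BAK")
        steps.append(f"rename {present[BACKUP]} to WSOCK32.DLL")
        return "infected", steps
    if steps:
        # Assumption added here: without WSOCK32.SKA there is no original to
        # put back, so renaming WSOCK32.DLL away is not planned.
        steps.append("WSOCK32.SKA missing: do not rename WSOCK32.DLL; "
                     "compare it with a known-good copy")
        return "partial", steps
    # Step 5 (the downloaded HAPPY99.EXE) is not checked: its location varies.
    return "clean", []


def demo():
    """Run the check on a constructed sample directory of empty files."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Ska.exe", "SKA.DLL", "wsock32.dll", "Wsock32.ska", "KERNEL32.DLL"):
            open(os.path.join(d, name), "w").close()
        return plan_removal(d)


if __name__ == "__main__":
    status, steps = demo()
    print(status)
    for number, step in enumerate(steps, 1):
        print(f"{number}. {step}")
```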