Threat behavior
Win32/Ska takes the following actions:
Opens a window that displays animated fireworks. The text in the title bar of the window is "Happy New Year 1999 !!"
Copies itself as <system folder>\ska.exe. Ska.exe includes all of the worm functionality except the ability to open a window that displays animated fireworks.
Drops its .dll component at <system folder>\ska.dll.
Copies the system file <system folder>\wsock32.dll to file <system folder>\wsock32.ska.
Sends e-mails with the worm attached, and posts itself to newsgroups. The worm can modify the original wsock32.dll file by patching its two export functions, Connect and Send. When either function is called, Win32/Ska loads ska.dll. Ska.dll has two export functions, Mail and News, that are used for the following purposes:
Each time the user sends an e-mail, ska.dll also sends an e-mail to that address with attachment HAPPY99.EXE, which is a copy of the worm. The worm saves each e-mail address to <system folder>\liste.ska. The worm reads liste.ska each time an e-mail is sent so that the attachment is not sent to any particular e-mail address more than once.
Each time the user posts to a newsgroup, ska.dll posts a new message to that newsgroup containing a copy of the worm.
When a user opens a copy of Win32/Ska that is attached to an e-mail or posted to a newsgroup, the animated-fireworks window is displayed.
Adds value: ska.exe
with data: ska.exe
to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The worm makes this registry change if it cannot modify wsock32.dll. The next time Windows starts, the registry modification causes ska.exe to try again to modify wsock32.dll.
Win32/Ska variants contain the following encrypted marker text: "Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
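The file and registry artifacts listed above can be checked together during triage. The following Python sketch is an added example, not part of the original write-up or any Microsoft tool. It assumes the system folder is reachable as a directory (live or from a mounted image) and that RunOnce values have already been exported into a dict; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File names the write-up above says Win32/Ska leaves in the system folder.
SKA_FILES = ("ska.exe", "ska.dll", "wsock32.ska", "liste.ska")


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage_system_folder(system_folder, runonce_values=None):
    """Return a list of findings for one system folder.

    runonce_values: optional dict of value name -> data exported from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce (assumed input).
    """
    # Windows names are case-insensitive; a mounted image may show SKA.EXE.
    names = {p.name.lower(): p for p in Path(system_folder).iterdir() if p.is_file()}
    findings = [f"dropped file present: {n}" for n in SKA_FILES if n in names]

    # wsock32.ska is the worm's copy of the original DLL, so a content
    # mismatch with wsock32.dll means the live DLL was changed afterwards.
    live, backup = names.get("wsock32.dll"), names.get("wsock32.ska")
    if live and backup and sha256(live) != sha256(backup):
        findings.append("wsock32.dll differs from wsock32.ska (patched exports?)")

    for name, data in (runonce_values or {}).items():
        if "ska.exe" in (name.lower(), str(data).lower()):
            findings.append(f"RunOnce entry: {name} = {data}")
    return findings


def build_sample_folder(root, patched):
    """Constructed sample data: placeholder bytes, not real binaries."""
    root = Path(root)
    (root / "wsock32.ska").write_bytes(b"ORIGINAL-DLL")
    (root / "WSOCK32.DLL").write_bytes(b"PATCHED-DLL" if patched else b"ORIGINAL-DLL")
    (root / "SKA.EXE").write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = build_sample_folder(d, patched=True)
        for line in triage_system_folder(sample, {"ska.exe": "ska.exe"}):
            print(line)
```

A hash mismatch alone is only a lead, since wsock32.dll may also have been replaced by a legitimate update after the copy was made; weigh it together with the other findings.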
Prevention
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with unknown attachments.
Use strong passwords.
Remove unneeded network shares.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
1. Click Start, and click Control Panel.
2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
3. Highlight a connection that you want to help protect, and click Change settings of this connection.
4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
1. Click Start, and click Control Panel.
2. Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
3. Click System.
4. Click Automatic Updates, and select Keep my computer up to date.
5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection.
Use caution with unknown attachments
Use caution before opening unknown e-mail or IM attachments, even if you know the sender. If you cannot confirm with the sender that a message is valid and that an attachment is safe, delete the message immediately, and run up-to-date antivirus software to check your computer for viruses.