Who has the time to read or even look at all the junk email that we all seem
to get on a daily basis? I barely have time to read all of the email from
vendors that I have requested, much less the endless jokes and virus warnings
that some of my friends feel they need to send me. Don't take this the wrong
way: I like a good joke as much as the next guy, but after the fourth or fifth
time I see the fat lady sitting above the Chihuahua, it doesn't have the same
feeling anymore.

How about the cute little program you get that shows fireworks going off? That
one was popular before the turn of the New Year, and I am sure a lot of you
remember receiving it. I remember a co-worker showing it to me on their screen
one day, and then I received it about five times after that. I had already
seen it, so I deleted it without running the program on my computer. Good
thing, because the name of the program was HAPPY99.EXE. This is actually a
worm that, when run, copies itself to the Windows\System directory under the
name SKA.EXE. It then extracts a file called SKA.DLL from within itself into
the same directory, saves a copy of your original WSOCK32.DLL as WSOCK32.SKA,
and adds a line to your registry to run itself the next time your computer is
started. This is where the fun begins. When SKA.EXE runs you do not see the
fireworks that were originally part of HAPPY99.EXE. Instead, the worm patches
WSOCK32.DLL, adding hooks to two of the file's exported functions. The patched
code then calls two functions from SKA.DLL, called mail and news, which allow
the worm to attach itself to SMTP e-mail and NNTP newsgroup postings. At this
point you are sending HAPPY99.EXE as an attachment with every e-mail and
newsgroup posting you send, and the process starts over again with the new
victims.

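As an added example, not code from the original article, here is the kind of check a mail gateway or a client-side filter would apply to messages to catch a worm that spreads the way this one does: it parses the MIME structure and flags any attachment that is an executable by name, or that carries a DOS/Windows executable header under an innocent-looking name. The sample message is constructed here, and the blocked-extension list is an assumption rather than anything from the article.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway would refuse outright (assumed list, not from the article).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vxd", ".dll"}


def find_executable_attachments(raw_message: bytes):
    """Return a list of (filename, reason) for attachments that are Windows executables.

    Flags both obvious names such as HAPPY99.EXE and renamed executables, which
    still begin with the 'MZ' header whatever the filename claims.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension " + ext))
        elif payload[:2] == b"MZ":
            findings.append((name, "executable header under a non-executable name"))
    return findings


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Construct a test message shaped like the ones an infected mailer sends."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Happy New Year"
    msg.set_content("Check out the fireworks!")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed stand-in for an executable: a real PE file starts with 'MZ' too.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name in ("HAPPY99.EXE", "fireworks.txt", "notes.txt"):
        data = FAKE_EXE if name != "notes.txt" else b"just text"
        print(name, "->", find_executable_attachments(build_sample_message(name, data)))
```
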
The name of the virus is W32/Ska. It is only a minor variation of the
original, which has been in existence since about February of 1999, according
to Mcafee. Some of the other names for the variations are HAPPY99,
I-WORM.HAPPY, and W32/SKANEW. It is not that big a deal as viruses go, but it
is a pain to get the mess cleaned up afterwards. At least the author was nice
enough to leave a list on your computer telling you who you sent the virus
to. It is LISTE.SKA, and it contains the email addresses of all the recipients
of your email gift. You can simply change the SKA extension to TXT and open it
with Notepad to begin writing your apologies. Be sure to send them an
explanation of how to get rid of the virus. You can get that for any of the
known viruses from <http://vil.mcafee.com>. Type the name into the search box
and read the instructions to get rid of the little critter. There is even a
link on the page to send the instructions to your friends.

This virus is relatively easy to get rid of. You have to boot your computer
to DOS and delete the patched WSOCK32.DLL. Then you rename the old WSOCK32.SKA
back to WSOCK32.DLL. Delete the rest of the worm's files except for the list
and get started on your letters.

Another worm that has raised its ugly head recently is PRETTY PARK.EXE. This
virus comes to you as an e-mail from an infected user who has run the program.
The icon for the program is one of the characters from the animated comedy
series South Park. This worm attaches itself to the program Outlook Express
and tries to e-mail itself to every address in the Windows Address Book
associated with Outlook Express every thirty minutes. It also tries to connect
to several IRC servers and send data packets to the connected servers. It
listens on several UDP and TCP ports while your system is connected to the
Internet and sends data packets on those ports as well. According to Mcafee,
this could give the author the ability to use the connection as a remote
access Trojan in order to get information such as the computer name,
registered owner, organization, system root path, and Dial-Up Networking
usernames and passwords.

This worm is much more difficult to get rid of than HAPPY99.EXE. Another
function of the virus is to copy itself to FILES32.VXD in the Windows\System
folder. It then adds a registry entry that, in essence, causes FILES32.VXD to
run any time an EXE file is run. If you simply delete FILES32.VXD, that
registry entry still points at the missing file, so every program you try to
run gives you an error message instead of starting. You cannot just delete
the file and think that you are done with it. Take another trip to
<http://vil.mcafee.com> to get the correct procedure to remove the worm. If
you do not make the trip and you try to get rid of the virus incorrectly, you
will cause yourself many headaches.

While I was writing this article, I received an e-mail from one of the lists
that I subscribe to. The beginning of the message explains that the author
was in the middle of sending it when he got a notice from one of his sources
about a new virus that had been reported by the FBI on April 1 in the Houston
area. Receiving the message when I did must be an omen of some sort.

The name of the virus is W95/Firkin.worm, also known as the 911 SHARE VIRUS.
The page with the info from the FBI is <http://www.nipc.gov/nipc/advis00-038.htm>.
The page with the virus info from Mcafee is <http://vil.mcafee.com/dispVirus.asp?virus_k=98557>.
From what I have read about it so far, it seems to be a very bad worm. You
don't have to run a file or even read an e-mail to get this one. The worm
propagates through open Windows shares that it finds and exploits over the
Internet. After it has reproduced itself, it uses your computer's modem to
dial 911 and then proceeds to erase your hard drive.

The first thing you need to do to combat this virus is to check the drives in
your computer to see whether you are sharing them with anyone. If the icon has
a little hand on the picture of the disk, then you are sharing the drive. If
you are not connected to a network other than the Internet, you need to remove
the share. To do this, right-click on the drive letter and left-click on
Properties. Click on the Sharing tab and then select the Not Shared button.
This will remove the share from the drive. If your computer is connected to a
network other than the Internet, check with your network administrator before
changing any settings.

These are a few examples of why you need to be sure that you have the latest
virus definitions installed on your system. We won't even talk to the rest of
you who feel that virus protection is not a necessity. There are a few very
simple ways to be sure that you know when the definitions have been updated.

The first is to manually go to the home page of your virus protection program
and look for the link that points you to the updates. Download the file and
install it on your system. This leaves you open to the chance that you will
forget to check the page for the updates and therefore will not have the most
current protection.

Another way is to have your computer check for the updates for you at
predetermined times. For those of you who don't want another program installed
on your computer, we will step through a relatively easy way to stay informed.
The first time you do the update you will need to manually find the page the
updates are on. The update page for Mcafee is
<http://www.nai.com/asp_set/download/dats/superdat.asp>. If you have Mcafee,
go to the page and add it to your Favorites. After it is added, right-click on
the shortcut and left-click on Properties. Check the box to make the page
available offline. This will bring up Schedule and Download tabs in the
Properties window. Schedule the link to be checked for updates at whatever
interval you feel comfortable with; I have mine checked every day. Now click
on the Download tab and check the box to have e-mail sent whenever there is a
change to the page. Add your e-mail address and mail server name in the
appropriate boxes and click OK. You will be notified whenever the page
changes. Essentially this will tell you when there is a new DAT file available
so that you can download and install it.

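The offline-favorite setup above boils down to fingerprinting the update page and alerting when the fingerprint changes; here is the same check written by hand, as an added example that is not from the article or from McAfee. It strips comments, scripts and whitespace before hashing, so a dynamic timestamp on the page does not raise a false alarm, and it pulls the advertised version number out of the page text. The two page snapshots and the "Current DAT file:" wording are constructed for this example.

```python
import hashlib
import re

# Constructed snapshots of a vendor update page as seen on consecutive checks.
# The generated-at comment changes on every hit; only the third has a new DAT.
PAGE_CHECK_1 = b"""<html><body><!-- generated 2000-04-03 02:00:17 -->
<h1>SuperDAT Updates</h1><p>Current DAT file: 4071</p>
<script>document.write(new Date())</script></body></html>"""
PAGE_CHECK_2 = PAGE_CHECK_1.replace(b"02:00:17", b"02:00:41")
PAGE_CHECK_3 = PAGE_CHECK_2.replace(b"4071", b"4072")


def normalize(html: bytes) -> bytes:
    """Drop the parts of a page that change without any real content change."""
    text = html.decode("latin-1")
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    text = re.sub(r"<script.*?</script>", "", text, flags=re.S | re.I)
    text = re.sub(r"\s+", " ", text).strip()
    return text.encode("latin-1")


def fingerprint(html: bytes) -> str:
    """Stable hash of the page's real content."""
    return hashlib.sha256(normalize(html)).hexdigest()


def dat_version(html: bytes):
    """Extract the advertised DAT number (the pattern is assumed for this example)."""
    match = re.search(rb"Current DAT file:\s*(\d+)", html)
    return int(match.group(1)) if match else None


def check_page(previous_fingerprint, html: bytes):
    """Return (changed, new_fingerprint, version) for one scheduled check."""
    current = fingerprint(html)
    return current != previous_fingerprint, current, dat_version(html)


if __name__ == "__main__":
    state = None  # no fingerprint stored yet, so the first check always reports a change
    for snapshot in (PAGE_CHECK_1, PAGE_CHECK_2, PAGE_CHECK_3):
        changed, state, version = check_page(state, snapshot)
        print("DAT", version, "- new update" if changed else "- no change")
```
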
Mcafee also has a free service called SecureCast. This is a program that you
install on your system to take care of the searching for you. You can download
the client and get more information at <http://download.mcafee.com/securecast/scast.asp>.
You can set the program up to notify you of new virus definitions (DAT files)
and to alert you about new viruses that are out in the wild on the Internet.
The program runs as a tray icon and does not seem to take up too much of your
system resources.

The next time you get an e-mail, even if you know who sent it, think about
these examples. For those of you without protection, ask yourself, "Do I feel
lucky?" I may seem to tout Mcafee a lot, but the point is that it is not enough
to have virus protection on your system; it is imperative that you keep it
current. As of the writing of this article, my system is being protected from
50498 viruses. Are you willing to take a chance?