Solved

SKA Virus

Posted on 2002-03-14
Last Modified: 2013-12-28
My wsock32.dll file has become infected with a virus. I detected this when I ran McAfee virus scanner. I downloaded instructions from the McAfee home site and the instructions tell me to rename wsock32.ska to wsock32.dll, but when I go to DOS and give the command to rename, I get the message duplicate file or file in use and will not rename. In explorer, under windows/system folder, I find the wsock32.ska file, but not the wsock32.dll file. I have tried to rename there with the same results.

When I run my virus scan and the ska virus is detected, I cannot clean or delete. If I cannot do any of the things above, what is the definitive answer?
Question by:shirshoo
LVL 1

Accepted Solution

by:
Jeffh earned 300 total points
0
 
LVL 16

Expert Comment

by:Kyle Schroeder
From Microsoft:
To resolve this issue:
 
1. Restart your computer. Press and hold down the CTRL key until you see the
  Windows 98 Startup menu (for Windows 95, press F8 when you see "Starting
  Windows 95"), and then choose Safe Mode Command Prompt Only.
 
2. Type the following commands, pressing ENTER after each command:
 
  cd windows\system
  copy liste.ska c:\windows\desktop\liste.txt
  del ska.dll
  del ska.exe
  ren wsock32.dll wsock32.old
  copy wsock32.ska wsock32.dll
 
3. Restart your computer normally.
 
NOTE: If Happy99.exe is run more than once on a computer, the Wsock32.ska file
also carries the virus payload. In these instances, you must extract a "clean"
copy of the Wsock32.dll file again.
 
MORE INFORMATION
================
 
Happy99.exe is a 32-bit Windows-based Trojan Horse virus. When you run this
program, it displays fireworks on the screen. It also creates two files named
Ska.exe and Ska.dll, copies your original Wsock32.dll file to Wsock32.ska, and
modifies the Wsock32.dll file.
 
The Wsock32.dll file cannot be modified if it is in use. If the Wsock32.dll file
is in use when you run the Happy99.exe program, it adds an entry to the registry
that runs Ska.exe the next time the computer is started, and then modifies the
Wsock32.dll file. The modified Wsock32.dll file detects when e-mail messages and
newsgroup postings are sent, and sends a copy of the Ska.exe file, named
Happy99.exe, in those messages. All e-mail addresses that are sent a copy of the
file are recorded in the Liste.ska file in the Windows\System folder. The
Liste.ska file is a text file, and you can view it by using any text editor
(such as Notepad).
---------------------------------------
The wsock32.ska is a backup of the "real" wsock32.dll.  The reason you can't see wsock32.dll in Explorer is because it is a hidden file.  As stated above, if the virus is executed twice, then the wsock32.ska is also infected.  In this case you'll need to extract a new one.

Start->Run->sfc
Now choose to extract a file, type in wsock32.dll.  Save it to c:\ (root directory).

Then boot to DOS mode, and type the following commands:

cd windows\system
ren wsock32.dll wsock32.vir
ren wsock32.ska wsock32.bad
copy c:\wsock32.dll .  (that is one period ".")
del ska.dll
del ska.exe

Then restart and the SKA virus should be gone.  Run a full VirusScan again to make sure.  Also be sure you have the latest DAT files in case you have a Happy99 (Ska) variant.

-dog*
0
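The Microsoft text quoted above names the files Happy99 leaves in Windows\System and says Liste.ska records every address that was sent a copy. The following is an added example, not part of the original thread: it checks a copy of that folder for those file names and pulls the recipient list so the affected contacts can be notified. The function names, the sample folder and the addresses are constructed for illustration, and the only assumption about Liste.ska is that it is plain text, as the quoted article says.

```python
import re
import tempfile
from pathlib import Path

# File names taken from the Microsoft text quoted in this thread.
ARTIFACTS = ("ska.exe", "ska.dll", "wsock32.ska", "liste.ska")
# Loose pattern for address-like tokens; the exact layout of Liste.ska is
# not given on the page, so this only assumes it is plain text.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage(system_dir):
    """Report Happy99 (Ska) artifacts in a copy of the Windows\\System folder."""
    # FAT file names are case-insensitive, so index the directory by lower case.
    present = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    found = [name for name in ARTIFACTS if name in present]
    recipients = []
    if "liste.ska" in present:
        text = present["liste.ska"].read_bytes().decode("latin-1")
        # Preserve first-seen order while dropping repeats.
        recipients = list(dict.fromkeys(a.lower() for a in ADDRESS.findall(text)))
    return {
        "indicators_found": bool(found),
        "artifacts": found,
        # Without Wsock32.ska there is no backup to copy back, so only the
        # clean-extraction procedure from the thread applies.
        "backup_present": "wsock32.ska" in present,
        "wsock32_present": "wsock32.dll" in present,
        "recipients": recipients,
    }


def build_sample(root):
    """Create a constructed sample folder (dummy contents, no real malware)."""
    root = Path(root)
    for name in ("WSOCK32.DLL", "WSOCK32.SKA", "Ska.exe", "SKA.DLL", "USER.EXE"):
        (root / name).write_bytes(b"placeholder")
    (root / "LISTE.SKA").write_text(
        "alice@example.com\r\nnews: bob@example.org\r\nalice@example.com\r\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = triage(build_sample(tmp))
        for key, value in report.items():
            print(f"{key}: {value}")
```

A present Wsock32.ska only shows that a backup exists; as the thread notes, it is not clean if Happy99.exe was run more than once, which file names alone cannot reveal.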
 
LVL 41

Expert Comment

by:stevenlewis
If it can't find the wsock32.dll
it may be hidden
use the attrib command (from a dos prompt, booted to dos)
cd c:\windows\system
attrib -h -s -r wsock32.dll
del wsock32.dll
0
 
LVL 12

Expert Comment

by:pjknibbs
Files with the DLL extension are hidden by default in Explorer, no matter what their actual hidden status is--you need to look at the options for the Explorer window and set them to "Show all files" rather than "hide hidden and system files".
0
 

Author Comment

by:shirshoo
Jeff responded promptly with his answer, and referred me to a Symantec page with a program for removing the virus. I downloaded the program and removing the virus was simple and quick. I have also sent this program to persons that I may have infected with the virus too.

Thank you so much for your solution to my problem.

Bob
0