[311] in winnt
Re: Happy99
daemon@ATHENA.MIT.EDU (Bil Huxley)
Fri Feb 19 06:57:18 1999
Date: Fri, 19 Feb 99 06:40:21 EST
From: Bil Huxley <HUXLEY@mitvmc.mit.edu>
To: Gerald I Isaacson <gii@MIT.EDU>, MITVIRUS@mitvma.mit.edu
Cc: itpartners@MIT.EDU, ntpartners@MIT.EDU
In-Reply-To: Message of Thu, 18 Feb 1999 19:52:24 EST from <gii@MIT.EDU>

Hi All,

In reaction to this information, I wanted to know what version no.
update I had installed when I ran the 'update' process a few days
ago. After poking around a bit I found that there is a log
file named "Update Upgrade Activity Log.txt" that the update
process created on this Win95 machine within:

'C:\Program Files\Network Associates\McAfee VirusScan'

which tells me that on 16-Feb (yes, only two days prior to this
Happy99 report) update 4009 was applied by the update process.

I initially thought that sharing how one could determine what level
a given installation was at would be useful info to share with
everyone. However, now that I see that Network Associates has
spanned (I presume) 5 update versions (assuming they are numbered
consecutively 4009 at 6:48 PM 16-Feb through 4013 by 7:52 PM 18-Feb)
in less than 49 hours, I find myself wondering what the recommendations
are for running this 'update' process...

Gerry: would you advise at least once a month plus in reaction
to communications such as last night's Happy99 message?

Thanks,
Bil

On Thu, 18 Feb 1999 19:52:24 EST you said:
>The happy99 trojan/worm is very active on campus. Besides the 3
>infections below, it has been reported 4 other times, and this problem
>seems to have appeared for the first time anywhere in early February.
>
>VirusScan 4.02 with the LATEST update (4013) will detect it. For your
>information, I have appended a report from one department on their
>disinfection process.
>
>Please download and install the update; it only takes a few minutes
>and does not require a reinstall like Dr Solomon used to.
>------- Forwarded Message
>
>Subject: HAPPY99.EXE
>
>
>Gerry,
>
>
>I had three people infected with the Happy99.exe virus. Only one person sent
>email after executing it. We have informed them about it, as well as informing
>the department not to execute it if they receive it.
>
>
>For the three infected machines, I was able to install the virus software and
>clean the disks. Just for your information, I did the following:
>
>
>- Remove Dr. Solomon Scheduler from start up menu.
>- Disable Winguard
>- Reboot System
>- Uninstall Dr. Solomon
>- Install McAfee Virus Scan
>- Install Service Pack 1
>[Note: if you already have VirusScan installed you can start here. -- jerry]
>- Install 4013 Updates
>- Reboot System
>[Note: these are the infected files -- jerry]
>- Scan disks
>  - delete ska.exe
>  - delete wsock32.ska
>  - delete wsock32.dll
>  - delete happy99.exe
>- Copy wsock32.dll from Windows 95 CD
>- Reboot System
>
>
>It took a little while, but it worked.
>
>
>Thanks for your input...
>
>
>I will be installing McAfee on all machines in the department....
>
>
>------- End of Forwarded Message