- Virus is 32-bit, with a size of 10,000 bytes
- Virus will attempt to patch WSOCK32.DLL
- When virus is first executed, it copies itself
to Windows\System as "Ska.exe" and then
writes a file "Ska.dll" to the same folder
- Virus then copies existing WSOCK32.DLL as WSOCK32.SKA
- Virus modifies the registry in order to load
at Windows startup:
Ska.exe = Ska.exe
- After a Windows restart, SKA.EXE patches WSOCK32.DLL,
which calls routines in SKA.DLL in order to monitor
sending emails via SMTP and posting news via NNTP.
- When a user sends an email from an infected system
to someone, an additional email will be sent from
the infected system to the same recipient with an
attachment named "Happy99.exe".
- The virus adds the email address that received
the virus into a text file named "liste.ska".
- When a user sends a news post to USENET via NNTP,
this virus will send an additional post with an attachment
- Check the web interface for your FortiGate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system. If required, enable the "Allow Push Update" option
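
The file artifacts listed above can be swept for on a live host or a mounted disk image. The following is an added example, not part of the original description or any vendor tool; the function names, the sample directory, and the assumption that "liste.ska" holds plain-text addresses are illustrative.

```python
import os
import re
import tempfile

# File names the description above places in Windows\System.
ARTIFACTS = ("ska.exe", "ska.dll", "wsock32.ska", "liste.ska")
EXPECTED_SIZE = 10000  # virus size stated in the description
# Assumption: liste.ska holds plain-text addresses; its exact layout is not documented here.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_system_dir(system_dir):
    """Return a findings dict for one Windows\\System directory (live or mounted image)."""
    # Windows file names are case-insensitive, so index by lower-cased name.
    present = {name.lower(): os.path.join(system_dir, name)
               for name in os.listdir(system_dir)}
    findings = {"artifacts": {}, "size_match": None, "recipients": []}
    for name in ARTIFACTS:
        findings["artifacts"][name] = present.get(name)
    exe = present.get("ska.exe")
    if exe:
        # True only when Ska.exe has exactly the documented size.
        findings["size_match"] = os.path.getsize(exe) == EXPECTED_SIZE
    liste = present.get("liste.ska")
    if liste:
        # Collect unique addresses so recipients of the extra email can be notified.
        with open(liste, "r", encoding="latin-1") as fh:
            seen = dict.fromkeys(m.lower() for m in ADDRESS_RE.findall(fh.read()))
        findings["recipients"] = list(seen)
    findings["suspect"] = any(findings["artifacts"].values())
    return findings


def build_sample_dir():
    """Constructed sample: a temp directory mimicking an affected Windows\\System."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "SKA.EXE"), "wb") as fh:
        fh.write(b"\x00" * EXPECTED_SIZE)  # placeholder bytes, not malware
    for name in ("Ska.dll", "WSOCK32.SKA", "WSOCK32.DLL"):
        open(os.path.join(d, name), "wb").close()
    with open(os.path.join(d, "liste.ska"), "w") as fh:
        fh.write("alice@example.com\nbob@example.org\nalice@example.com\n")
    return d


if __name__ == "__main__":
    for key, value in scan_system_dir(build_sample_dir()).items():
        print(key, "=", value)
```

A file-name match alone is only a lead; confirm with current AV definitions before acting on it.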