TROJAN VIRUS INFORMATION
Introduction
Recently a lot of internet users have encountered a new style of virus known as a Trojan. This document is intended to explain what a Trojan is, what it can do to your computer, how to prevent infection and also what steps you can take if your computer becomes infected with one of these programs. For up to date information about new Trojans in circulation see the Related Links section at the end of this document.
What are Trojans?
A Trojan (or Trojan Horse) is a program that while appearing to be innocent, and possibly useful, contains hidden functions that can compromise the security on your computer.
Trojans can do anything that a user sitting in front of that computer can do. This includes:
- Deleting files on the system
- Sending any information that the user can read to an unknown party
- Modifying any files on the hard drive
- Installing other programs, including viruses and more Trojans
- Exploiting any weaknesses within the Operating System.
If your computer is on a network, then the Trojan may also have access to the other machines on that network.
How do they infect your computer?
Trojans are normally installed onto your computer by tricking you into thinking the program is something else. The Trojan may arrive as an attachment in an email and describe itself as a game or as an upgrade to a program which you currently use. In order for the Trojan to be activated, the user must run or execute the attached program.
The Trojan may be hidden inside another program and could be innocently downloaded and installed from a software distribution site on the World Wide Web.
It is also possible that the Trojan could be embedded within a Java applet or Active X Control on a web page.
Examples of Trojans
Happy99 is the latest Trojan doing the rounds on the Internet. If you run this program you are treated to a graphical firework display, however after this every email and newsgroup message you send will include the Trojan thus helping to spread it to other users.
Back Orifice and Netbus are both very similar. These allow an intruder to control the user's computer. The intruder can close windows, open and close the CD tray and control error messages and the mouse, amongst other things. What is disturbing is the fact that everything typed on the computer can be viewed by the intruder. The intruder has the capability to read every email you write and every IRC message you send, for example.
It has also been reported that false Microsoft security patches are being sent to users via email. Microsoft never send software as email attachments; the only way to obtain legitimate Microsoft patches is from their web site.
How to prevent infection
- Do not execute or run any files sent to you as attachments in unsolicited email.
- Always have Anti-Virus software running on your computer and ensure you are running the latest virus definition file for the software.
- Even if you know the sender, scan all files which are sent to you with Anti-Virus software before running any executables.
- Use caution when downloading from the Internet: avoid Warez and Porn sites and only download files from reputable shareware web sites.
- Educate anyone else who uses your computer about the dangers of downloading unknown software.
- Create an Emergency Disk for your computer so if the system is compromised you can boot up a clean Operating System.
- Exercise caution when running Java applets and Active X controls on Web pages; you may wish to consider disabling the execution of these within your web browser.
- Only install software which is from a source which you trust (but still scan it with your Anti-Virus software).
- Stay informed about security issues related to your computer. For example, you can get information about Microsoft security updates from their web site.
- Keep a backup copy of any important information or files on your computer.
How to tell if a Trojan is running on your Computer
Sometimes you may not be aware that you have installed and run a Trojan on your system. A few tell-tale signs to look out for which could indicate a Trojan is running on your system are:
- Have you installed any software from an unknown source?
- Have you executed a file that was sent as an attachment with an unsolicited email?
- Have strange things started happening on your computer without any input from the user?
- Do your emails and newsgroup postings now have a file attachment sent with them?
- Does the modem appear to be receiving and transmitting a large amount of data with no action from the user?
Steps to take if your computer is infected with a Trojan
- Firstly scan your hard drives using your Anti-Virus software with the latest virus definition files. Some Trojans can be detected and removed this way.
- If your Anti-Virus software does not detect the Trojan then check the links below to see if a solution exists to remove the Trojan.
- If both of these fail then your only option is to re-install your Operating System.
How to Remove Happy99 Worm
This program has reportedly been received through email spamming and USENET newsgroup postings. The file is usually named HAPPY99.EXE in the email or article attachment.
When executed, the program opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL to WSOCK32.SKA.
WSOCK32.DLL handles Internet connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with a UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.
If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The registry entry loads the worm the next time Windows starts.
Removing the worm manually:
- delete WINDOWS\SYSTEM\SKA.EXE
- delete WINDOWS\SYSTEM\SKA.DLL
- replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
- delete the downloaded file, usually named HAPPY99.EXE
- LISTE.SKA contains a list of all the persons that the virus has been forwarded on to from your computer.
If an "access denied" message appears when trying to rename WSOCK32.DLL then restart in DOS and rename it from there.
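The manual removal steps above can be checked and carried out with a small script. The following is an added example, not part of the original page or of any anti-virus product: it looks for the indicator files named above (SKA.EXE, SKA.DLL, WSOCK32.SKA, LISTE.SKA) and the RunOnce entry, restores the worm's backup copy WSOCK32.SKA over the modified WSOCK32.DLL, and deletes the worm's own files. The directory to check is passed in as an argument, so the script can be tried on a constructed copy of the indicators rather than only on a real WINDOWS\SYSTEM directory; the registry check only runs on Windows.

```python
"""Check a Windows SYSTEM directory for the Happy99 (SKA) indicators named
on the page and, if asked, apply the page's manual removal steps.

Added example, not from the original page. File names, the backup copy
WSOCK32.SKA and the RunOnce value are taken from the page; the directory
is a parameter so the script can be exercised on a constructed copy.
"""
import os
import sys

WORM_FILES = ("SKA.EXE", "SKA.DLL")   # dropped by the worm, safe to delete
HOOKED_DLL = "WSOCK32.DLL"            # patched by the worm to hook connect/send
ORIGINAL_BACKUP = "WSOCK32.SKA"       # the worm's copy of the clean DLL
RECIPIENT_LIST = "LISTE.SKA"          # people the worm mailed itself to
RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"


def _listing(system_dir):
    """Map upper-cased names to real names (Windows file names are case-insensitive)."""
    return {n.upper(): n for n in os.listdir(system_dir)}


def find_indicators(system_dir):
    """Return the indicator files that are present, as upper-case names."""
    names = _listing(system_dir)
    return [n for n in WORM_FILES + (ORIGINAL_BACKUP, RECIPIENT_LIST) if n in names]


def recipients_to_notify(system_dir):
    """Return the addresses recorded in LISTE.SKA so they can be warned."""
    names = _listing(system_dir)
    if RECIPIENT_LIST not in names:
        return []
    with open(os.path.join(system_dir, names[RECIPIENT_LIST]), errors="replace") as f:
        return [line.strip() for line in f if line.strip()]


def runonce_points_at_ska():
    """Windows only: True if a RunOnce value launches SKA.EXE; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                value = winreg.EnumValue(key, i)[1]
                if isinstance(value, str) and "SKA.EXE" in value.upper():
                    return True
    except OSError:
        pass
    return False


def clean(system_dir, apply=False):
    """Apply the manual removal steps; return the actions taken (or planned).

    The clean WSOCK32.SKA is put back first, so that if a later step fails
    networking is already restored. "Access denied" on the DLL means it is
    in use; the page's advice is then to reboot to DOS and rename it there.
    """
    names = _listing(system_dir)
    actions = []
    if ORIGINAL_BACKUP in names:
        src = os.path.join(system_dir, names[ORIGINAL_BACKUP])
        dst = os.path.join(system_dir, names.get(HOOKED_DLL, HOOKED_DLL))
        actions.append("restore %s from %s" % (HOOKED_DLL, ORIGINAL_BACKUP))
        if apply:
            try:
                os.replace(src, dst)
            except PermissionError:
                actions.append("access denied on %s: reboot to DOS and rename" % HOOKED_DLL)
                return actions
    for worm_file in WORM_FILES:
        if worm_file in names:
            actions.append("delete %s" % worm_file)
            if apply:
                os.remove(os.path.join(system_dir, names[worm_file]))
    # LISTE.SKA is deliberately kept: it tells you whom to warn.
    return actions


if __name__ == "__main__":
    system_dir = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\SYSTEM"
    print("indicators:", find_indicators(system_dir))
    print("RunOnce launches SKA.EXE:", runonce_points_at_ska())
    for action in clean(system_dir, apply="--apply" in sys.argv):
        print(action)
    for addr in recipients_to_notify(system_dir):
        print("warn:", addr)
```

Run without --apply to see what would be changed; the backup DLL is restored before the worm files are deleted so a half-finished cleanup never leaves the machine without a working WSOCK32.DLL, and LISTE.SKA is kept because it is the only record of who else received the worm.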
Links to Anti-Virus software
Other useful related links