Virus Information

If you are here looking for a patch that prevents the "Bubble Boy" virus, download it here.

You may not think that viruses have much place on a Diablo site, but many people have been affected and infected. You and I play with these people every day, and it's my desire to provide you with information about the two most common viruses that affect us, the Diablo players. There are thousands upon thousands of viruses on the internet, and more are created every day by unscrupulous programmers and "hackers". Most of these we will never see, hear about or have to worry about. Currently there are two viruses wreaking havoc with Diablo players: "CIH" and the "happy99.exe" virus.

"CIH"

The CIH virus goes by several names. These include Win95/CIH, PE_CIH, CIHV, W32. SPACEFILLER CIH, and probably a few others. The CIH virus infects Windows 95 and 98 EXE files. After an infected EXE is executed, the virus stays in memory and infects other programs as they are accessed.

The CIH virus was first located in Taiwan in early June 1998. Since then, it has been confirmed to be in the wild in at least France, Germany, The Netherlands, Sweden, China, Israel, Chile and Australia. CIH has been spreading very quickly because it has been distributed through pirated software. It seems that at least four underground pirate software groups got infected with the CIH virus, and they inadvertently spread the virus globally in new pirated software they released through their own channels. These releases include some new games, which will spread worldwide very quickly. There's also a persistent rumor about a 'PWA-cracked copy' of Windows 98 which would be infected by the CIH virus, but Data Fellows has been unable to confirm this.

What makes the CIH case really serious is that the virus activates destructively. When it does, the virus overwrites most of the data on the computer's hard drive. This can be recovered with recent backups. However, the virus has another, unique activation routine: it will try to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all unless the chip is reprogrammed. The Flash routine will work on many types of Pentium machines, for example on machines based on the Intel 430TX chipset. On most machines, the Flash BIOS can be protected with a jumper. By default, protection is usually off.

The CIH virus infects Windows executable files (EXE files). It does not infect Word or Excel documents. CIH works under both Windows 95 and Windows 98, but it does not work under Windows NT. CIH uses a peculiar way of infecting executables. As a result, the size of the infected files does not grow at all. The actual size of the virus code is around 1 kB. The virus also employs advanced tricks in jumping from processor ring 3 to ring 0 in order to hook file system calls.

There are three known closely-related variants:

CIH v1.2: Activates on April 26th. Contains this text: CIH v1.2 TTIT

CIH v1.3: Activates on June 26th. Contains this text: CIH v1.3 TTIT

CIH v1.4: Activates on 26th of every month. Contains this text: CIH v1.4 TATUNG

Protecting yourself

1.  If you have a virus scanner, ensure you have the most recent virus signatures (patterns).  These are available from the virus scanner manufacturer and are usually available to download free of charge.  Run a complete scan on all of your drives to make sure there isn't already a copy of the virus on your system.  The following virus scanners are able to detect and remove the CIH virus:

F-Secure Anti-Virus
Norton AntiVirus Command Line Scanner
McAfee VirusScan

Other scanners may be able to detect/remove the CIH virus but either their websites didn't have specific information or were not researched by VVM.  

2.  Keep yourself posted on the latest virus information.  As the virus spreads, so will news about it - and how to prevent your system from being infected by it.

3.  Never download anything from a source that is not considered trustworthy.  Avoid fly-by-night websites that offer software downloads.  Stay away from warez (pirated and/or cracked software).  If you receive an executable file from a friend, consider obtaining it from a different, reliable source if one is available.  This is not to suggest that your friends aren't reliable, but they may not know they are sending you a virus.  If there is no other source available, run a virus scan on the file.   Keep an eye on your system.  If it starts acting up, run a virus scan immediately.  Never rule out a virus!

CIH information obtained from VVM Internet services at http://www.VVM.com

"Happy99.exe"

Happy99.exe also goes by the aliases of Happy99, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA. Win32/Ska.A is a Win32-based e-mail and newsgroup worm. It displays fireworks when first executed as Happy99.exe. (Normally this file arrives as an e-mail attachment to a particular PC, or it is downloaded from a newsgroup.)

Once the Happy99.exe file has been executed, every e-mail and newsgroup posting sent from the machine will cause a second message to be sent. This will contain the same sender and recipient information but no text, just the Happy99.exe file itself as an attachment. Since people will usually receive Happy99.exe from someone they know (as you normally get e-mail from someone you know), people tend to trust this attachment, and run it.

When first executed, it creates SKA.EXE and SKA.DLL in the system directory. SKA.EXE is a copy of HAPPY99.EXE. SKA.DLL is packed inside SKA.EXE. After this, Ska creates a copy of WSOCK32.DLL as WSOCK32.SKA in the system directory. Then it tries to patch WSOCK32.DLL so that its export entries for two functions will point to new routines (the worm's own functions) inside the patched WSOCK32.DLL. If WSOCK32.DLL is in use, Ska.A modifies the registry's RunOnce entry to execute SKA.EXE during the next boot-up. (When executed as SKA.EXE it does not display the fireworks; it just tries to patch WSOCK32.DLL until it is not in use.)

The "Connect" and "Send" exports are patched in WSOCK32.DLL. Thus the worm is able to see if the local user has any activity on the network. When the "Connect" or "Send" APIs are called, Ska loads its SKA.DLL containing two exports: "news" and "mail". Then it spams itself to the same newsgroups or e-mail addresses that the user was posting or mailing to. It maps SKA.EXE to memory, converts it to uuencoded format, and sends an additional e-mail or newsgroup post with the same header information as the original message but containing no text, just an attachment called Happy99.exe.

Therefore Happy99 is not limited like the Win32/Parvo virus, which is unable to use a particular news server when the user does not have access to it. The worm also maintains a list of addresses to which it has posted a copy of itself. This is stored in a file called LISTE.SKA. (The number of entries in this file is limited.)

The worm contains the following encrypted text, which is not displayed:

"Is it a virus, a worm, a trojan?
MOUT-MOUT Hybrid (c) Spanska 1999."

The mail header of the manipulated mails will contain a new field called "X-Spanska: YES". Normally this header field is not visible to receivers of the message. Since the worm does not check WSOCK32.DLL's attributes, it cannot patch the file if it is set to read-only. Please note that after disinfection of this worm you will have to rename WSOCK32.SKA back to WSOCK32.DLL in the \WINDOWS\SYSTEM folder to restore all original Winsock internet capabilities.

Happy99 information was compiled from Data Fellows at http://www.data-fellows.com
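The mail-side traces described above (the "X-Spanska: YES" header, a uuencoded Happy99.exe attachment, and a body with no text) can be checked on saved messages. The following is an added example, not part of the original page or of Data Fellows' material; the function name and the two sample messages are constructed for illustration, and the attachment line is a dummy placeholder, not worm data.

```python
import email
import re

# A uuencoded attachment in a plain (non-MIME) body: "begin <mode> <name>" ... "end"
UU_BLOCK = re.compile(r"^begin [0-7]{3,4} (\S+)[ \t]*\n.*?^end[ \t]*$",
                      re.MULTILINE | re.DOTALL)

def happy99_indicators(raw_message):
    """Return which traces from this page's description appear in one raw message."""
    msg = email.message_from_string(raw_message)
    hits = []
    if msg.get("X-Spanska", "").strip().upper() == "YES":
        hits.append("x-spanska-header")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_filename() or "").lower() == "happy99.exe":
            hits.append("mime-attachment-name")
        text = str(part.get_payload()).replace("\r\n", "\n")
        names = [m.group(1).lower() for m in UU_BLOCK.finditer(text)]
        if "happy99.exe" in names:
            hits.append("uuencoded-happy99")
            # The worm's extra message carries the attachment and nothing else.
            if not UU_BLOCK.sub("", text).strip():
                hits.append("no-text-besides-attachment")
    return hits

# Constructed sample: the "second message" that follows a user's real one.
SECOND_MESSAGE = """\
From: alice@example.org
To: bob@example.org
Subject: weekend plans
X-Spanska: YES

begin 644 Happy99.exe
MCONSTRUCTEDPLACEHOLDERLINENOTREALDATA
end
"""

# Constructed sample: the user's own, ordinary message.
NORMAL_MESSAGE = """\
From: alice@example.org
To: bob@example.org
Subject: weekend plans

See you on Saturday.
"""

if __name__ == "__main__":
    for raw in (SECOND_MESSAGE, NORMAL_MESSAGE):
        print(happy99_indicators(raw))
```

Checking the attachment as well as the header matters because, as noted above, the header field is normally not visible to the receiver.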

Removing Happy99.exe from your system

The only really good news about Happy99 is that you can remove it from your system without a lot of hassle. Follow these directions and you should be virus free in no time.  Steps marked OPTIONAL are not absolutely necessary and are completely safe to skip if you want to.

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode" then click Yes.

2. At the DOS prompt, type this exactly and press enter at the end of each line:

CD\WINDOWS\SYSTEM

Thereafter your DOS prompt should say: C:\WINDOWS\SYSTEM>

If your Windows folder is not called WINDOWS, then substitute the name of your Windows folder instead, for example:

CD\WIN95\SYSTEM

3. Delete SKA.EXE and SKA.DLL by typing:

DEL SKA.EXE
DEL SKA.DLL

If you get "File not Found" you are either not infected or in the wrong directory.  Make sure you are in your Windows System directory. Check to see if you followed step 2 correctly.

4. Copy WSOCK32.SKA to WSOCK32.DLL by typing:

COPY WSOCK32.SKA WSOCK32.DLL

Answer "Yes" if it asks whether you want to overwrite WSOCK32.DLL. The reason for this is that WSOCK32.SKA is a backup of the original WSOCK32.DLL made by the virus. You are replacing the modified DLL with the original.

5. OPTIONAL STEP FOLLOWS...

Delete WSOCK32.SKA by typing:

DEL WSOCK32.SKA

You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL.

6. Return to Windows by typing:

EXIT

7. OPTIONAL STEP FOLLOWS...

Click Start Button, then Run, then type regedit in the text box then click OK.  Now, click the following in order:

HKEY_LOCAL_MACHINE

then Software

then Microsoft

then Windows

then CurrentVersion

Under RunOnce, check for SKA.EXE and select it if it is there.

Press delete and then click Yes.

Close Regedit

Don't change anything else without making a backup of the registry first!!

If you don't find SKA.EXE in the registry, it doesn't mean you're not infected.  SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it.

8. OPTIONAL STEP FOLLOWS...

Choose Start, then Programs, then Accessories, then Notepad, then choose File, then Open, and type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box.

Warn the people on this list and then delete LISTE.SKA

Stalker
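To confirm what the removal steps above have and have not yet done, the files they name can be inspected without changing anything. This is an added example, not part of the original page; the function names and status labels are made up for illustration, and the sample folder contains dummy bytes standing in for the real files.

```python
import tempfile
from pathlib import Path

WORM_FILES = ("SKA.EXE", "SKA.DLL")  # removed in step 3

def find_ci(directory, name):
    """Case-insensitive file lookup (DOS/Windows names can appear in any case)."""
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.name.upper() == name:
            return entry
    return None

def happy99_status(system_dir):
    """Read-only report on the files this page names; nothing is modified."""
    present = [n for n in WORM_FILES if find_ci(system_dir, n)]
    backup = find_ci(system_dir, "WSOCK32.SKA")
    live = find_ci(system_dir, "WSOCK32.DLL")
    if backup is None:
        wsock = "no-backup"      # not infected, or optional step 5 already done
    elif live is None:
        wsock = "dll-missing"
    elif backup.read_bytes() == live.read_bytes():
        wsock = "restored"       # step 4 done: DLL matches the worm's backup copy
    else:
        wsock = "still-patched"  # DLL differs from the backup of the original
    has_list = find_ci(system_dir, "LISTE.SKA") is not None
    todo = []
    if present:
        todo.append("step 3: delete " + " and ".join(present))
    if wsock == "still-patched":
        todo.append("step 4: copy WSOCK32.SKA over WSOCK32.DLL")
    if has_list:
        todo.append("step 8: warn the listed addresses, then delete LISTE.SKA")
    return {"worm_files": present, "wsock32": wsock,
            "address_list": has_list, "todo": todo}

def make_sample_dir():
    """Constructed stand-in for the Windows System folder of an infected machine."""
    d = Path(tempfile.mkdtemp())
    samples = {"ska.exe": b"x", "SKA.DLL": b"x", "WSOCK32.SKA": b"original",
               "WSOCK32.DLL": b"patched", "LISTE.SKA": b"x"}
    for name, data in samples.items():
        (d / name).write_bytes(data)
    return d

if __name__ == "__main__":
    print(happy99_status(make_sample_dir()))
```

A "no-backup" result cannot tell an uninfected machine from one where WSOCK32.SKA was deleted before step 4, which is a reason to do step 4 before the optional step 5.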