Name:  Win32/Ska.a
Aliases:  Happy99,WSOCK32.SKA,SKA.EXE,I-Worm.Happy
Variants:  
Type:  Worm
Status:  
Win32/Ska.a is a Win32-based worm. It displays fireworks when executed for the first time as HAPPY99.EXE. (Normally this file arrives on a particular PC as an e-mail attachment, or it is downloaded from a newsgroup.)
When executed for the first time, it creates SKA.EXE and SKA.DLL in the system directory. SKA.EXE is a copy of HAPPY99.EXE; SKA.DLL is packed inside SKA.EXE. Win32/Ska.a then creates a copy of WSOCK32.DLL as WSOCK32.SKA in the system directory. The virus then tries to patch WSOCK32.DLL so that its export entries for two functions point to new routines (the worm's own functions) inside the patched WSOCK32.DLL. If WSOCK32.DLL is in use, Win32/Ska.a modifies the registry's RunOnce entry to execute SKA.EXE during the next boot-up. (When executed as SKA.EXE it does not display the fireworks; it just keeps trying to patch WSOCK32.DLL until the DLL is no longer in use.)
The "Connect" and "Send" exports are patched in WSOCK32.DLL, so the worm can see whether the local user has any network activity. When the "Connect" or "Send" API is called, Win32/Ska.a loads its SKA.DLL, which contains two exports: "news" and "mail".
The virus then spams itself to the same newsgroups or same e-mail addresses that the user was posting or mailing to. It maps SKA.EXE into memory and converts it to UUencoded format and manipulates the mail buffer to contain this UUencoded attachment as HAPPY99.EXE.
Unlike Win32/Parvo, which cannot use a particular news server when the user has no access to it, the worm is not limited in this way. The worm also maintains a list of the addresses it has posted a copy of itself to. This list is stored in a file called LISTE.SKA. (The number of entries in this file is limited.)
The worm contains the following encrypted text which is not displayed:
Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999.
The header of the manipulated mails contains an additional field, X-Spanska: YES.
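The description above gives a defender three host- and mail-side indicators: the files dropped into the system directory (SKA.EXE, SKA.DLL, WSOCK32.SKA, LISTE.SKA), the UUencoded HAPPY99.EXE attachment spliced into outgoing messages, and the X-Spanska: YES header field. The following Python script is an added example written for this page, not code from the worm's description or from any product; it checks a raw mail message for the header and the UUencoded attachment name, and lists which of the dropped files are present in a directory. The mail message it scans and the temporary directory it checks are constructed sample data (including a placeholder in place of the binary), and the function names are the example's own.

```python
"""Defender-side checks for the Win32/Ska.a (Happy99) indicators:
the X-Spanska mail header, a UUencoded HAPPY99.EXE attachment, and the
files the worm drops into the system directory. Sample data is constructed."""
import binascii
import os
import re
import tempfile
from email import message_from_string

# File names the description says the worm drops into the system directory.
SKA_DROPPED_FILES = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")

# A uuencode "begin" line carries the permission mode and the file name.
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)\s*$", re.MULTILINE)


def find_ska_indicators(raw_mail: str) -> dict:
    """Return which Happy99 mail indicators appear in a raw RFC 822 message."""
    msg = message_from_string(raw_mail)
    # Header names are case-insensitive; compare the value case-insensitively too.
    header_value = (msg.get("X-Spanska") or "").strip().upper()
    # Collect the text of every leaf part so an attachment split into a
    # MIME part is found as well as one pasted inline into the body.
    texts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        texts.append(payload.decode("latin-1"))
    uu_names = UU_BEGIN.findall("\n".join(texts))
    return {
        "x_spanska_header": header_value == "YES",
        "uuencoded_happy99": any(n.upper() == "HAPPY99.EXE" for n in uu_names),
        "uuencoded_names": uu_names,
    }


def check_system_dir(system_dir: str) -> list:
    """Return the worm's dropped-file names that exist in system_dir (case-insensitive)."""
    present = {name.upper() for name in os.listdir(system_dir)}
    return [name for name in SKA_DROPPED_FILES if name in present]


def build_sample_mail() -> str:
    """Constructed message shaped like a worm-manipulated mail (not a real capture)."""
    # A placeholder stands in for the executable bytes the worm UUencodes.
    chunk = binascii.b2a_uu(b"MZ constructed placeholder").decode("ascii")
    uu_block = "begin 644 HAPPY99.EXE\n" + chunk + "`\nend\n"
    return (
        "From: user@example.invalid\n"
        "To: friend@example.invalid\n"
        "Subject: hello\n"
        "X-Spanska: YES\n"
        "\n"
        "Happy New Year!\n\n" + uu_block
    )


def demo_system_dir_check() -> list:
    """Constructed directory holding one dropped file and a normal DLL name."""
    tmp = tempfile.mkdtemp()
    for name in ("ska.exe", "wsock32.dll"):
        open(os.path.join(tmp, name), "w").close()
    return check_system_dir(tmp)


if __name__ == "__main__":
    print(find_ska_indicators(build_sample_mail()))
    print(demo_system_dir_check())
```

On a live host the same file check would be pointed at the real system directory, and the RunOnce entry named above would be inspected alongside it; the mail check is meant to run over captured outbound messages, where the X-Spanska field is the cheapest single indicator.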
Because the worm does not check the file attributes of WSOCK32.DLL, it fails to patch the DLL when the file is marked read-only.