Scouts-L Mail Archive for February of 1999: How to deal with HAPPY99.EXE!
How to deal with HAPPY99.EXE!
Bob & Lorrie Dewar
Fri, 26 Feb 1999 12:09:52 -0600
What follows is the description of a 'worm' (virus) program, named
HAPPY99.EXE, that is traveling the 'web' these days. Also included are the
directions for finding out if your computer is infected and how to remove
it. This information is from Symantec's Norton Anti-Virus web site.
This virus is not known to cause troubles with the operation of any computer
that has it, but it does 'read' your e-mail send outs and causes a second
e-mail with the same address and header, but with a copy of the virus as the
body of the message. It is a simple procedure to find out if you have it,
and also easy to rid yourself of it.
Scoutmaster Troop 329
Southeast Wisconsin Council
(following from Symantec)
Aliases: Trojan.Happy99, I-Worm.Happy
Region Reported: US, Europe
Keys: Trojan Horse, Worm
This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file is
usually named HAPPY99.EXE in the email or article attachment.
When being executed, the program also opens a window entitled "Happy New
Year 1999 !!" showing a firework display to disguise its other actions. The
program copies itself as SKA.EXE and extracts a DLL that it carries as
SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered when a
connect or send activity is detected. When such online activity occurs, the
modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or
a new article with UUENCODED HAPPY99.EXE inserted into the email or article.
It then sends this email or posts this article.
If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:
The registry entry loads the worm the next time Windows starts.
Removing the worm manually:
replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
delete the downloaded file, usually named HAPPY99.EXE
This worm and other trojan-horse type programs demonstrate the need to
practice safe computing. One should not execute any executable-file
attachment (i.e. EXE, SHS, MS Word or MS Excel file) that comes from an
email or a newsgroup article from an unknown or an untrusted source.
Norton AntiVirus users can protect themselves from this worm by downloading
the virus definitions updates released on Jan 28, 1999 or later either
through LiveUpdate or from the following webpage:
Write-up by: Raul K. Elnitiarta (For Symantec's Anti-Virus Center)
January 28, 1999
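
The file names and the uuencoded attachment described in the write-up above can be checked for mechanically. The following is an added example, not part of the original post or of Symantec's write-up; the function names and the sample data are constructed for illustration, and the caller supplies the path to the WINDOWS\SYSTEM directory (for instance on a mounted disk image).

```python
import os
import re
import tempfile

# File names the write-up places in WINDOWS\SYSTEM on an infected machine.
ARTIFACTS = {
    "SKA.EXE": "copy of the worm",
    "SKA.DLL": "DLL the worm extracts",
    "WSOCK32.SKA": "backup of the original WSOCK32.DLL (restore from this)",
}
# uuencode header line: "begin <octal mode> <filename>" at the start of a line.
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S.*?)\s*$", re.MULTILINE)


def find_artifacts(system_dir):
    """Return {artifact name: description} for artifacts present in system_dir.
    Matching is case-insensitive because FAT file names are."""
    present = {name.upper() for name in os.listdir(system_dir)}
    return {n: d for n, d in ARTIFACTS.items() if n in present}


def uuencoded_attachments(message_text):
    """Return the names of uuencoded attachments in a mail or news message."""
    return [m.group(1) for m in UU_BEGIN.finditer(message_text)]


def carries_happy99(message_text):
    """True if the message carries a uuencoded file named HAPPY99.EXE."""
    return any(n.upper() == "HAPPY99.EXE"
               for n in uuencoded_attachments(message_text))


def demo():
    # Constructed sample data: a fake SYSTEM directory and two fake messages.
    with tempfile.TemporaryDirectory() as d:
        for name in ("wsock32.dll", "Ska.exe", "ska.dll",
                     "WSOCK32.SKA", "kernel32.dll"):
            open(os.path.join(d, name), "w").close()
        found = find_artifacts(d)
    infected_mail = "Subject: hi\n\nbegin 644 Happy99.exe\nM35J0\n`\nend\n"
    clean_mail = "Subject: hi\n\nLet's begin 644 things tomorrow.\n"
    return found, carries_happy99(infected_mail), carries_happy99(clean_mail)


if __name__ == "__main__":
    print(demo())
```

The attachment check matches on file name only, so a renamed copy of the worm would not be flagged by it; the SYSTEM directory check does not depend on the attachment name.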