Jules Verne Forum

<jvf@Gilead.org.il>


Re: Happy 99 virus

From: Tim Unwin <tunwin~at~cyllene.uwa.edu.au>
Date: Sat, 13 Mar 1999 23:14:24 +0800
To: "Jules Verne Forum" <jvf~at~math.technion.ac.il>


M Brial was, in fairness, probably quite unaware that he sent an attachment
in to the list, since the Happy 99 file creates "ghost messages" and
attaches itself to them. If you opened the file, your system is almost
certainly contaminated. The good news is that it's relatively easy to deal
with. Here's all the info:

VirusName: Happy99.Worm
Aliases: Trojan.Happy99, IWorm.Happy
Likelihood: Common
Region Reported: US, Europe
Keys: Trojan Horse, Worm

Description: This is a worm program, NOT a virus. This program has
reportedly been received through email spamming and USENET newsgroup
posting. The file is usually named HAPPY99.EXE in the email or article
attachment.

When being executed, the program also opens a window entitled
"Happy New Year 1999 !!" showing a firework display to disguise its other
actions. The program copies itself as SKA.EXE and extracts a DLL that it
carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies
WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL
into WSOCK32.SKA. WSOCK32.DLL handles internet connectivity in Windows 95 and
98. The modification to WSOCK32.DLL allows the worm routine to be triggered
when a connect or send activity is detected. When such online activity
occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a
new email or a new article with UUENCODED HAPPY99.EXE inserted into the email
or article. It then sends this email or posts this article. If WSOCK32.DLL is
in use when the worm tries to modify it (i.e. a user is online), the worm
adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the worm manually:
  1. delete WINDOWS\SYSTEM\SKA.EXE
  2. delete WINDOWS\SYSTEM\SKA.DLL
  3. delete WINDOWS\SYSTEM\WSOCK32.SKA
  4. delete the downloaded file, usually named HAPPY99.EXE

Safe Computing: This worm and other trojan horse type
programs demonstrate the need to practice safe computing. One should not
execute any executable file attachment (i.e. EXE, SHS, MS Word or MS Excel
file) that comes from an email or a newsgroup article from an unknown or an
untrusted source. Norton AntiVirus users can protect themselves from this
worm by downloading the virus definitions updates released on Jan 28, 1999
or later either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html

Writeup by: Raul K. Elnitiarta January 28, 1999
Received on Sat 13 Mar 1999 - 17:21:22 IST
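
Added example (not part of the original post or of the quoted writeup): a Python triage check built only from the file names and the RunOnce entry given in the description above, distinguishing "WSOCK32.DLL already modified" from "modification deferred to next start". The function names, state labels, and the idea of passing in exported RunOnce data strings are assumptions made for this illustration.

```python
import hashlib
from pathlib import Path, PureWindowsPath

# File names taken from the writeup; Windows 9x file names are case-insensitive.
DROPPED = ("SKA.EXE", "SKA.DLL")
BACKUP, WINSOCK = "WSOCK32.SKA", "WSOCK32.DLL"


def _index(system_dir):
    """Map upper-cased file name -> path for one directory level."""
    return {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(system_dir, runonce_values=()):
    """Classify a WINDOWS\\SYSTEM directory, or a mounted copy of one.

    runonce_values: data strings exported from the RunOnce key named in the
    writeup. How they are exported is left to the caller (assumption).
    Returns (state, findings).
    """
    files = _index(system_dir)
    findings = [name for name in DROPPED + (BACKUP,) if name in files]
    pending = any(
        PureWindowsPath(v.strip().strip('"')).name.upper() == "SKA.EXE"
        for v in runonce_values
    )
    if pending:
        findings.append("RunOnce=SKA.EXE")
    patched = False
    if BACKUP in files and WINSOCK in files:
        # WSOCK32.SKA is the worm's copy of the original DLL, so a differing
        # hash means the live WSOCK32.DLL is the modified one.
        patched = _sha256(files[BACKUP]) != _sha256(files[WINSOCK])
    if patched:
        state = "wsock32-modified"
    elif pending:
        state = "modification-pending-reboot"
    elif findings:
        state = "worm-files-present"
    else:
        state = "no-indicators"
    return state, findings
```

Run it against an offline or mounted copy of the system directory so the check does not depend on the possibly modified WSOCK32.DLL being loaded.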

Copyright © Zvi Har’El