What to do about the Happy99 Virus (worm)

The scourge of Happy99

Strictly speaking the Happy99 virus is not a virus but a worm or Trojan Horse. If someone sends you a copy, then, provided you do not execute the file, you will be safe from infection. Just delete the mail message to which it is attached.

The person who sent it to you will, in all probability, not know that they have sent it, so you should inform them without making them feel too guilty. They may be sharing a computer with work colleagues or at a college, or using a public-access point, and may not have been the one to execute the program. But they need to know so that they or their technical personnel can clean up their computer.

When executed, the program opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL to WSOCK32.SKA.

WSOCK32.DLL handles Internet connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with a uuencoded HAPPY99.EXE inserted into it, and then sends the email or posts the article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.


How to remove the worm manually

1. Disconnect from the Internet.
2. Start up the computer in DOS mode.
3. Delete WINDOWS\SYSTEM\SKA.EXE
4. Delete WINDOWS\SYSTEM\SKA.DLL
5. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
6. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
7. Delete the downloaded file, usually named HAPPY99.EXE
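
The file steps above, as an added example that is not part of the original page: a Python sketch that inspects a copy of the WINDOWS\SYSTEM directory (for instance from a disk image) and applies only the steps that match what it finds. The function names are hypothetical, the sample directory is constructed, and skipping the WSOCK32 renames when WSOCK32.SKA is absent is an assumption made here, since without that file there is no original to restore.

```python
import os
import tempfile

# File names come from the description above. They are matched
# case-insensitively because Windows 95/98 file names are not case-sensitive.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP, LIVE, SAVED = "WSOCK32.SKA", "WSOCK32.DLL", "WSOCK32.BAK"


def plan_cleanup(system_dir):
    """Return the removal steps that apply, as (action, src, dst) tuples."""
    present = {name.upper(): name for name in os.listdir(system_dir)}
    plan = [("delete", present[f], None) for f in WORM_FILES if f in present]
    if BACKUP in present:
        # The worm's copy of the original exists, so the live DLL is the
        # modified one: set it aside, then restore the original.
        if LIVE in present:
            plan.append(("rename", present[LIVE], SAVED))
        plan.append(("rename", present[BACKUP], LIVE))
    # Assumption: with no WSOCK32.SKA there is nothing to restore, so the
    # live WSOCK32.DLL is left alone rather than renamed away.
    return plan


def apply_cleanup(system_dir, plan):
    """Carry out a plan produced by plan_cleanup()."""
    for action, src, dst in plan:
        src_path = os.path.join(system_dir, src)
        if action == "delete":
            os.remove(src_path)
        else:
            os.replace(src_path, os.path.join(system_dir, dst))


def demo():
    """Build a constructed infected directory, clean it, return the result."""
    sample = {"ska.exe": b"worm", "Ska.dll": b"worm-dll",
              "WSOCK32.DLL": b"modified", "WSOCK32.SKA": b"original"}
    with tempfile.TemporaryDirectory() as d:
        for name, body in sample.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        plan = plan_cleanup(d)
        apply_cleanup(d, plan)
        left = {}
        for name in os.listdir(d):
            with open(os.path.join(d, name), "rb") as fh:
                left[name] = fh.read()
        return plan, left


if __name__ == "__main__":
    for step in demo()[0]:
        print(step)
```

This only looks at files; the RunOnce registry entry described earlier and the downloaded HAPPY99.EXE still have to be checked separately.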

Additional information can be found at
http://www.symantec.com/avcenter/venc/data/happy99.worm.html

For an objective view, you can also read the article by David Chess at
http://www.av.ibm.com/BreakingNews/VirusAlert/Happy/


Feedback and suggestions will be welcome.
Send all comments by email to netmiser@cryogen.com


Last updated: 3rd May 1999.