HAPPY99 WORM SPREADING ON THE NET
CyberSpace, Feb 28, 1999 - If the graphics image on the left is familiar to you, your computer may have been infected by the HAPPY99 Worm that is spreading on the Net like a wildfire. A keyword search for the word "HAPPY99" in the DejaNews Discussion Network resulted in 140,000 messages posted in various Internet newsgroups about this topic in the last month and a half.
You will know that you have contracted this worm when people you communicate with via e-mail or a newsgroup start calling you to ask why you are sending them the file "HAPPY99.EXE" and you are absolutely sure that you did not.
The HAPPY99 worm originated in Europe in the middle of January and is now becoming a nightmare to a lot of network administrators worldwide. It is sent as a file attachment to an e-mail or a newsgroup posting that is usually called "HAPPY99.EXE". However, since people forwarding this file can rename it to something else, it can be passed on to you under a totally different filename.
When you open the attachment file, you will be entertained with a splendid display of fireworks similar to the image above. What you don't see while the fireworks display is going on are the nasty things this program does in the background. It makes changes to your Windows registry and your "WSOCK32.DLL" file, a file that is needed when you connect your computer to the Internet. The worm is harmless and will not do any damage to your system other than to annoy the people to whom you send e-mails and newsgroup articles. The next time you send an e-mail or post an article in a newsgroup, your e-mail or newsreader program will send a second e-mail or article, without your knowledge, to the same recipients with the HAPPY99.EXE file attached to it.
The worm is not really "mean". It keeps track of the e-mail addresses of the people to whom it has already sent the HAPPY99.EXE file (in a file called "liste.ska") and won't send it again to these people the next time you send them an e-mail. It even keeps a backup copy of your original "wsock32.dll" file (in a file called "wsock32.ska") before it infects that file so that when you finally discover its existence, you can simply delete the infected file and rename the "wsock32.ska" backup file.
If you have not caught the HAPPY99 worm yet, you should exercise caution when you see an e-mail that has a file attachment to it. If you do not have an anti-virus program (or if you have not updated the virus signatures of your anti-virus program since the beginning of this month), play safe and delete any file attachments to the e-mail. Do not OPEN, VIEW or EXECUTE them as doing so will activate the virus or worm in that file. Remember, you can not catch a virus by simply reading an e-mail; the only way you can get a virus is if you attempt to open the file attachments in your e-mails. If you haven't done so yet, you should get yourself an ANTI-VIRUS program. Please read the article COMPUTER VIRUS ON THE NET at http://www.msc.edu.ph/wired/netspeak-3.html for more information about viruses.
As an added protection, you may want to make your file "wsock32.dll" read-only. The HAPPY99 worm is reported to have failed to infect this file if it is set to read-only mode. You can change the mode of this file using the Windows Explorer or through a DOS prompt by issuing this command:
ATTRIB +R C:\WINDOWS\SYSTEM\WSOCK32.DLL
If you don't have an anti-virus program, one way you can check if your computer is infected by this worm is to do a search for the files "ska.exe" and "ska.dll" in your \windows\system folder. If these two files exist, chances are your system is infected.
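The check described above can be scripted. The following is an added example, not part of the original article: it goes beyond the two-file check and also looks for the "wsock32.ska" backup, the "liste.ska" log and the read-only flag on "wsock32.dll". The function name triage is hypothetical, and it assumes all of these files sit in the one system folder passed to it (for instance a copy of \windows\system taken from the suspect machine).

```python
import hashlib
import os
import stat
import sys

# File names come from the article; matching is case-insensitive because
# Windows file names are not case-sensitive.
DROPPED = ("ska.exe", "ska.dll")   # the worm's own files
BACKUP = "wsock32.ska"             # worm's backup of the original DLL
SENT_LOG = "liste.ska"             # assumed to be in the same folder
TARGET = "wsock32.dll"


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def triage(system_dir):
    """Report which HAPPY99 artifacts exist in system_dir (hypothetical helper)."""
    present = {}
    for name in os.listdir(system_dir):
        full = os.path.join(system_dir, name)
        if os.path.isfile(full):
            present[name.lower()] = full

    report = {
        "artifacts": [n for n in DROPPED + (BACKUP, SENT_LOG) if n in present],
        # The article's rule: both ska.exe and ska.dll exist.
        "likely_infected": all(n in present for n in DROPPED),
        # Manual removal (step 4) needs this backup to restore the DLL.
        "backup_available": BACKUP in present,
        "dll_read_only": None,
        "dll_differs_from_backup": None,
    }
    if TARGET in present:
        mode = os.stat(present[TARGET]).st_mode
        report["dll_read_only"] = not (mode & stat.S_IWUSR)
        if BACKUP in present:
            # A backup that differs from the live DLL suggests the DLL was modified.
            report["dll_differs_from_backup"] = (
                _sha256(present[TARGET]) != _sha256(present[BACKUP]))
    return report


if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for key, value in triage(folder).items():
        print(f"{key}: {value}")
```

Run it with the folder path as the only argument; a result of likely_infected: True with backup_available: False means step 4 of the manual removal below cannot be followed as written.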
If your system is already infected by the HAPPY99 worm, some anti-virus programs will detect the worm but will not remove it. You must manually remove it by doing the following (WARNING: Perform these procedures at your own risk! Expert guidance is strongly recommended. If you don't fully understand the process you may end up with lost Internet connectivity or a malfunctioning Windows 95 system).
1. Click Start, Shut Down, Restart Computer in MS-DOS mode.
2. At the DOS prompt type this command and press enter at the end of each line:
Your DOS prompt should say: C:\WINDOWS\SYSTEM
(If your Windows folder is not called WINDOWS, substitute the name of your Windows folder instead, for example: CD \WIN95\SYSTEM)
3. Delete SKA.EXE and SKA.DLL by typing
If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly.
4. Copy WSOCK32.SKA to WSOCK32.DLL by typing
COPY WSOCK32.SKA WSOCK32.DLL
Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
(WSOCK32.SKA is a backup of the original WSOCK32.DLL made by the virus. You are replacing the modified DLL with the original)
5. Delete WSOCK32.SKA by typing
6. Return to Windows by typing EXIT
7. [Optional] Click Start Button, Run,
Type "regedit" without the quotes in the text box. Click OK.
Click the following in order:
Under RunOnce check for SKA.EXE and select it if it is there.
Press delete and then click Yes.
Don't change anything else without making a backup of the registry first. If you don't find SKA.EXE in the registry, it doesn't mean you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it.
For more information about the HAPPY99 virus, check the following sites:
Network Associates - http://beta.nai.com/public/datafiles/valerts/vinfo/w32ska.asp
Central Command - http://www.avp.com/happy/happy.html
Data Fellows - http://www.datafellows.com/news/pr/eng/19990129.htm
Proland Software - http://www.pspl.com/trojan_info/win32/happy99.htm
MSNBC - http://www.msnbc.com/news/235662.asp#BODY
Reported by: Rey Carolino
© Copyright, 1999 by PHILIPPINE
HEADLINE NEWS ONLINE
All rights reserved