| Likelihood: | Common |
|---|---|
| Areas Reported: | World-wide |
| Characteristics: | A Worm; think: Trojan virus |
| Good News: | Usually NOT harmful as long as you do NOT panic! |
Description:
Although, technically, this infection is called a worm
program, most people will probably refer to it as a virus. Since it does
make a change to one of your files, calling it a virus is a reasonable
alternative in my opinion. This program became widespread through mass
emails (spamming) and USENET newsgroup postings, and is now being passed
along by individual emails from infected computers.
The worm
enters your computer as a file attachment in an email or article sent
to you. Most likely this attachment will be called HAPPY99.EXE.
When executed, the program opens a window entitled
"Happy New Year 1999 !!" showing a fireworks display to
mask its real purpose. If you did execute this worm program, you would have
seen a window similar to this:
The program copies itself as SKA.EXE and extracts a DLL file from the original EXE, called SKA.DLL, into your WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM directory, but does make a copy of the original WSOCK32.DLL file as WSOCK32.SKA in the same directory.
WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The worm's modification of WSOCK32.DLL allows it to be triggered whenever a connect or send activity is detected. When this online activity occurs, the modified code loads and executes the worm's SKA.DLL file. This file creates a new email message or news article with the original UUENCODED HAPPY99.EXE attached to it. It then sends this email msg. or posts the infected article to whomever you sent email or the newsgroup you posted an article to!
The worm keeps a list of email addresses that it has sent HAPPY99.EXE to. This can be found in a file called "LISTE.SKA" which you can read with any text editing program such as NOTEPAD.
If WSOCK32.DLL is in use when the worm tries to modify it (i.e., you are
already online), the worm adds an entry to your Registry file:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
This Registry entry causes the worm to be executed the next time you start
Windows.
If you have been infected, the good news is that this virus is generally not harmful in any way to your programs or data so don't panic! Simply stop sending people email (receiving it is OK) until you have removed the virus.
If you don't know how to carry out the procedures below, you can download an excellent little program that will remove the worm and list the email addresses of people you may wish to inform about it from this site ( here) right now:
http://www.pchell.com/internet/happy99.shtml.)
Even if you use Craig's program, you should still read the last paragraph of this page about Practicing SAFE Computing.
How To Remove the Happy99 Worm:
( Without any anti-virus software )
First, make sure that you READ the NOTES section after this procedure
BEFORE attempting to execute any of these steps!- DELETE: WINDOWS\SYSTEM\SKA.EXE
- Determining the CREATION DATE of the file WINDOWS\SYSTEM\SKA.DLL, will tell you how long your computer has been infected with this worm! (You should RIGHT click on the filename and select the item "Properties" from the menu.) After noting its creation date, DELETE: WINDOWS\SYSTEM\SKA.DLL
- In your WINDOWS\SYSTEM\ directory, RENAME: WSOCK32.DLL to WSOCK32.99
- In the same directory, RENAME: WSOCK32.SKA to WSOCK32.DLL
- Finally, DELETE: the Happy99 WORM file itself, which is usually named HAPPY99.EXE. You may need to use the Windows START menu's Find > Files to help you locate this program.
- Try to recall which email message contained the Happy99 worm, and note the name of the sending party when you find it. Delete the message.
- Inform the party whose computer sent you the worm(!) that they are infected! You should also make some effort to warn anyone that you sent email to since then, that they may have become infected as well.
NOTES:
Windows will prevent you from carrying out steps #3 and #4 above if your computer is still "online," because the file "windows\system\wsock32.dll" is used whenever your machine is connected to Internet (through either a dial-up or LAN connection).
IF you are using dial-up connection, i.e., an ISP ( Internet Service Provider, such as America Online, Prodigy, MSN or some local ISP in your area), you need to do the following:
- Terminate your Internet connection, then:
- Return to the procedure listed above. Note: In some rare cases, after you terminate the Net connection, your computer may still not allow you to rename the WSOCK32.DLL file. If this happens, follow the procedure for a LAN connection below.
IF you are connected to Internet through a LAN (i.e., in an office or through a cable modem), you need to do the following:
- From the START menu, select "Shutdown" AND THEN click on "Restart the computer in MS-DOS mode" BEFORE clicking on the "YES" button.
- WHEN the DOS prompt ( C:\> ) appears, type:
cd \windows\system THEN press the <ENTER> key. - You should then be at your WINDOWS\SYSTEM> prompt.
- Type: rename WSOCK32.DLL WSOCK32.99 <ENTER>
- Type: rename WSOCK32.SKA WSOCK32.DLL <ENTER>
- Type: del SKA.EXE <ENTER>
- Type: del SKA.DLL <ENTER>
- Restart your computer, then carry out steps #5 and following
of the main procedure above.
Practice SAFE Computing:
This worm and other trojan-horse type programs demonstrate the
need to practice "safe computing." You shouldn't run any
executable file attachment: .COM, .BAT, .EXE, .SHS, .DOC (MS-Word), or .XL*
(MS-Excel), nor use any script files for controlling another program that
come in an email or a newsgroup article from an untrusted source.
(Note: Your source should be
knowledgeable enough to reasonably assure you that the file is NOT infected.)
For further study on how to avoid most infections, see my webpage:
How to Keep Viruses and Trojans out of your
Computer. [Link may no longer exist!]
Edited by: The Starman, April 28, 1999.