Subject: Virus - Happy99.worm

Virus Name: Happy99.Worm

Aliases: Trojan.Happy99, I-Worm.Happy

Likelihood: Very Common

Characteristics: Trojan Horse, Worm

Region reported: World wide

Description: This is a worm program, NOT a virus. This program has been received through e-mail spamming and USENET newsgroup postings. The file is usually named HAPPY99.EXE in the e-mail or article attachment. I have seen this program and it appears to be very common; while it does no serious damage, it will attach itself to all your e-mails and all your friends will get it, so it should be removed.

When executed, the program opens a window entitled "Happy New Year 1999 !!" showing a fireworks display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries, SKA.DLL, into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM directory and saves the original WSOCK32.DLL as WSOCK32.SKA.

WSOCK32.DLL handles Internet connectivity in Windows 95 and 98. The modification to WSOCK32.DLL causes the worm routine to be triggered whenever a connect or send activity (e.g. sending e-mail) is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. SKA.DLL creates a new e-mail or news article with a UUENCODED HAPPY99.EXE inserted into it, then sends the e-mail or posts the article.
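A mailbox or gateway check for the uuencoded attachment just described, added here as an illustration; it is not part of the original page and not code from its author. It decodes every uuencoded block in a message body with Python's binascii module and flags a block when its name is HAPPY99.EXE, its extension is one of the types the page lists as unsafe (EXE and SHS, with .doc and .xls assumed as the Word and Excel extensions), or the decoded bytes begin with the MZ executable header. The message at the bottom is constructed, and the attachment it carries is a harmless stub, not the worm.

```python
"""Scan an e-mail or news article body for uuencoded executable attachments.

Added illustration for the Happy99 description; not the page's own code.
The sample message is constructed and its payload is a stub with only an
'MZ' header, so nothing here is the worm itself.
"""
import binascii
import re

# Attachment types the page names as unsafe to run from untrusted mail or news.
RISKY_EXTENSIONS = {".exe", ".shs", ".doc", ".xls"}
BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(.+?)\s*$", re.IGNORECASE)


def extract_uu_blocks(text):
    """Yield (filename, decoded_bytes) for each uuencoded block in `text`.

    Decoding runs until the 'end' marker; a corrupted line is skipped rather
    than aborting the scan, so a damaged block still reports its file name.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name = m.group(1)
        payload = bytearray()
        i += 1
        while i < len(lines) and lines[i].strip() != "end":
            line = lines[i]
            if line and line != "`":
                try:
                    payload += binascii.a2b_uu(line)
                except binascii.Error:
                    pass  # tolerate a bad line; the name alone is worth flagging
            i += 1
        yield name, bytes(payload)
        i += 1  # step past 'end'


def scan_message(text):
    """Return findings: one dict per flagged attachment with the reasons."""
    findings = []
    for name, data in extract_uu_blocks(text):
        ext = name[name.rfind("."):].lower() if "." in name else ""
        reasons = []
        if name.lower() == "happy99.exe":
            reasons.append("filename matches Happy99 worm attachment")
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"executable-type attachment ({ext})")
        if data[:2] == b"MZ":
            reasons.append("decoded content has a DOS/Windows executable header")
        if reasons:
            findings.append({"name": name, "size": len(data), "reasons": reasons})
    return findings


def uuencode(name, data):
    """Build a uuencoded block the way a mail client would (sample only)."""
    out = [f"begin 644 {name}"]
    for off in range(0, len(data), 45):
        out.append(binascii.b2a_uu(data[off:off + 45]).decode("ascii").rstrip("\n"))
    out += ["`", "end"]
    return "\n".join(out)


# Constructed sample: an 'MZ' header followed by filler stands in for the attachment.
STUB = b"MZ" + b"\x00" * 62 + b"constructed stub, not a real executable"
SAMPLE_MESSAGE = (
    "From: friend@example.invalid\n"
    "Subject: Happy New Year 1999 !!\n"
    "\n"
    "Have a nice year!\n"
    "\n" + uuencode("Happy99.exe", STUB) + "\n"
)

if __name__ == "__main__":
    for f in scan_message(SAMPLE_MESSAGE):
        print(f"{f['name']} ({f['size']} bytes): " + "; ".join(f["reasons"]))
```

The name check alone would miss a renamed copy, which is why the extension and the decoded header are checked as well; a block that decodes to nothing suspicious and carries a harmless name produces no finding.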

 

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. the user is online), the worm instead adds a registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

This registry entry loads the worm the next time Windows starts.

Removing the worm manually:

  1. Delete WINDOWS\SYSTEM\SKA.EXE
  2. Delete WINDOWS\SYSTEM\SKA.DLL
  3. In WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
  4. In WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
  5. Delete the downloaded file, usually named HAPPY99.EXE

Windows will not let you perform steps 3 and 4 above while the machine is still connected to the Internet: the file WINDOWS\SYSTEM\WSOCK32.DLL is in use whenever the machine is connected (through a dial-up or LAN connection).

If you are using a dial-up connection (e.g. America Online), you need to do the following:

  1. Terminate Internet connection
  2. Delete WINDOWS\SYSTEM\SKA.EXE
  3. Delete WINDOWS\SYSTEM\SKA.DLL
  4. In WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
  5. In WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
  6. Delete the downloaded file, usually named HAPPY99.EXE

If you are connected to the Internet through a LAN (e.g. in the office, or via a cable modem), you need to do the following:

  1. From the Start menu, select Shut Down and restart the computer in MS-DOS mode
  2. Type CD \windows\system when the DOS prompt (C:\) appears
  3. Type RENAME WSOCK32.DLL WSOCK32.BAK
  4. Type RENAME WSOCK32.SKA WSOCK32.DLL
  5. Type DEL SKA.EXE
  6. Type DEL SKA.DLL

There is a free trial at Data Fellows that will also take care of this pest.
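The removal steps above, written out as a script that checks a WINDOWS\SYSTEM folder for the worm's files and its RunOnce entry and then undoes the WSOCK32.DLL swap in the correct order. This is an added example, not the page's own tool and not the Data Fellows product. It never touches a live registry (it parses the text of a REGEDIT4 export instead), and the demo at the bottom runs against a constructed copy of the infected layout in a temporary folder, so it can be tried on any system. The helper names (build_infected_sample, demo), the sample .reg text, and the reading of the page's "RunOnce=SKA.EXE" as the key's default value are assumptions made for the demonstration.

```python
"""Check a WINDOWS\\SYSTEM folder for Happy99 residue and undo its WSOCK32.DLL swap.

Added example for the removal procedure; not the page's own tool. It works on a
directory path and on REGEDIT4 export text, never a live registry; the demo builds
a constructed copy of the infected layout in a temporary folder. File names are
matched case-insensitively, as on the FAT file systems of Windows 95/98.
"""
import os
import re
import tempfile

WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP_NAME = "WSOCK32.SKA"   # the worm's saved copy of the original library
LIVE_NAME = "WSOCK32.DLL"     # the patched library Windows is using
SAVE_NAME = "WSOCK32.BAK"     # where the manual procedure parks the patched copy
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def _listing(system_dir):
    """Map upper-cased file names to the names actually on disk."""
    return {n.upper(): n for n in os.listdir(system_dir)}


def runonce_values(reg_export):
    """Return the value data under the RunOnce key in a REGEDIT4 text export.

    The page gives the entry only as RunOnce=SKA.EXE, without a value name, so
    every value under the key (the default value '@' included) is returned."""
    values, in_key = [], False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_key = line.strip().strip("[]").upper() == RUNONCE_KEY.upper()
        elif in_key:
            m = re.match(r'^(?:@|"[^"]*")="(.*)"$', line.strip())
            if m:
                values.append(m.group(1))
    return values


def find_indicators(system_dir, reg_export=""):
    """List Happy99 indicators: worm files, saved original library, RunOnce data."""
    names = _listing(system_dir)
    found = [n for n in WORM_FILES + (BACKUP_NAME,) if n in names]
    found += [f"RunOnce value {v!r}" for v in runonce_values(reg_export)
              if "SKA.EXE" in v.upper()]
    return found


def remove_worm(system_dir):
    """Apply the manual steps to `system_dir`; return a list of what was done.

    The original library is renamed back only after the patched one is moved
    aside, and nothing is renamed if WSOCK32.SKA is missing or WSOCK32.BAK already
    exists, so a second run cannot destroy the only good copy. On a live Windows 9x
    machine renaming the in-use DLL raises PermissionError; that is reported and
    the worm files are left alone until the user disconnects or restarts in DOS."""
    names = _listing(system_dir)
    actions = []
    if BACKUP_NAME in names and LIVE_NAME in names and SAVE_NAME not in names:
        try:
            os.rename(os.path.join(system_dir, names[LIVE_NAME]),
                      os.path.join(system_dir, SAVE_NAME))
        except PermissionError:
            return ["WSOCK32.DLL is in use: disconnect or restart in MS-DOS mode first"]
        os.rename(os.path.join(system_dir, names[BACKUP_NAME]),
                  os.path.join(system_dir, LIVE_NAME))
        actions.append("restored original WSOCK32.DLL")
    for worm in WORM_FILES:
        if worm in names:
            os.remove(os.path.join(system_dir, names[worm]))
            actions.append(f"deleted {worm}")
    return actions


def build_infected_sample(root):
    """Construct a WINDOWS\\SYSTEM folder in the state the description gives."""
    system_dir = os.path.join(root, "WINDOWS", "SYSTEM")
    os.makedirs(system_dir)
    contents = {"WSOCK32.DLL": b"patched library (constructed)",
                "WSOCK32.SKA": b"original library (constructed)",
                "SKA.EXE": b"constructed placeholder, not the worm",
                "SKA.DLL": b"constructed placeholder, not the worm"}
    for name, body in contents.items():
        with open(os.path.join(system_dir, name), "wb") as fh:
            fh.write(body)
    return system_dir


# Constructed export; the page's "RunOnce=SKA.EXE" is read as the key's default value.
SAMPLE_REG = f'REGEDIT4\n\n[{RUNONCE_KEY}]\n@="SKA.EXE"\n'


def demo():
    """Check, clean and re-check a constructed copy; return the results."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = build_infected_sample(root)
        before = find_indicators(system_dir, SAMPLE_REG)
        actions = remove_worm(system_dir)
        after = find_indicators(system_dir)
        with open(os.path.join(system_dir, LIVE_NAME), "rb") as fh:
            restored = fh.read()
    return before, actions, after, restored


if __name__ == "__main__":
    for label, value in zip(("before", "actions", "after"), demo()):
        print(f"{label}: {value}")
```

The rename order and the refusal to overwrite an existing WSOCK32.BAK are the point of the script: the page's procedure only works if the original library saved as WSOCK32.SKA survives until it is put back, and a cleanup that renames in the wrong order or runs twice can leave the machine with no working WSOCK32.DLL at all.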


Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable file attachment (EXE, SHS, MS Word or MS Excel file) that arrives in an e-mail or newsgroup article from an unreliable source.

 
