Happ99.exe Virus Info

Phil Davis (pdavis@ix.netcom.com)
Thu, 13 May 1999 23:01:07 -0400


Sorry to get technical .. but we don't want this running around MD_Osprey.
All you ever wanted to know is below.
Do not open the attachment on the message sent earlier this evening.

Phil




Removing HAPPY99.EXE Virus/Worm


There is a worm being passed around the internet recently. It is called HAPPY NEW YEAR 99. It will come as a duplicate email from someone. The second copy of the email will contain an attachment called HAPPY99.EXE. If you get one of these DO NOT OPEN HAPPY99.EXE. DELETE IT IMMEDIATELY.

NOTE: You cannot get the virus simply by receiving the message. The only way to get the virus on your system is to execute the HAPPY99.EXE. If you do execute it you will see a window of fireworks.

This virus will not cause data loss to you but it will attach itself to any messages you send. You will be sending a duplicate email containing HAPPY99.EXE without even knowing it.

HAPPY99.EXE started making its way around the Internet about Jan. 20, sending hundreds of copies of itself via e-mail attachments and newsgroup postings. According to Helsinki, Finland, data security firm Data Fellows Inc., the worm does not attempt to destroy files on infected machines, but it sends e-mails and newsgroup postings without the victim’s knowledge and could cause network slowdowns or even crash corporate e-mail servers. The worm, so designated because it can replicate on its own, arrives as an e-mail or newsgroup attachment and infects only users who run the attachment. Once they do, all victims see is a window with a fireworks display. But behind the scenes, the worm alters the host computer’s winsock32.dll file, the computer’s doorway to the Internet. Then, each time a user initiates e-mail or newsgroup activity, by either receiving or sending e-mail or posting to a newsgroup, Happy99 spams the newsgroup or e-mail recipient with copies of itself. Any type of activity on port 25 or 119 will trigger spam activity, according to Takata, senior software support engineer of Data Fellows.

It also keeps a list of the spammed e-mail addresses and newsgroups in a separate file called LISTE.SKA. Because the original version of wsock32.dll is preserved in backup form as WSOCK32.SKA, newsgroup posters say they’ve been able to restore their machines without much difficulty. Data Fellows has a patch that recognizes the worm.

It poses no risk to data, but can be more than a nuisance to network administrators. “If you have 100 PCs and everyone is checking e-mail at 9 a.m. and this thing starts flying around, absolutely it can slow down a network,” Takata said. “It can crash your e-mail server. I wouldn’t be surprised if it did.” Because the e-mail header contains “MOUT-MOUT Hybrid (c) Spanska 1999.” Takata speculated that the Happy99 author also wrote a series of viruses known as the spanska viruses. Those were first reported in September 1997 and randomly displayed political messages, such as, “Remember those who died for Madrid.”

This virus is attached to newsgroup and e-mail messages as an attachment called Happy99.exe. You cannot get infected with this virus just by reading a newsgroup or e-mail message. You have to execute the attachment. Almost always, the person who sent it does not know that they are sending it out. It does not show up in their Outbox. If you didn't execute the attachment, you can just delete it and move on. You should never open an EXE, COM, SHS, BAT, VBS file or MS Office document unless you know the source and its purpose and even then, check it with an up-to-date antivirus program.

It will create two files in the Windows System folder, SKA.EXE and SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will copy the original WSOCK32.DLL to WSOCK32.SKA. Then it will modify WSOCK32.DLL without changing its size so it will try to run SKA.DLL while posting to Usenet and sending E-Mail. The SKA.DLL file will silently attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages with a barely noticeable delay. This second copy will have the same subject and recipient, but it will have an empty body. The outgoing message will contain the header X-Spanska: Yes, but this is normally not visible.
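As an added example (not part of Phil's message or the write-up he quotes), the three mail-side signs just described, the X-Spanska: Yes header, the HAPPY99.EXE attachment and the empty second copy with the same subject and recipient, checked in Python over two constructed messages:

```python
from email import message_from_string

# Constructed samples: a real message, then the worm's copy of it. The copy
# keeps From/To/Subject, has an empty body, and carries the hidden header.
CLEAN_MSG = "From: a@example.org\nTo: b@example.org\nSubject: Notes\n\nSee you Monday.\n"
WORM_MSG = """From: a@example.org
To: b@example.org
Subject: Notes
X-Spanska: Yes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Happy99.exe"

AAAA
--b1--
"""

def text_body(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    return "".join((p.get_payload(decode=True) or b"").decode(errors="replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")

def happy99_indicators(raw):
    """Indicators from the description above found in one raw message."""
    msg = message_from_string(raw)
    hits = []
    if msg.get("X-Spanska", "").strip().lower() == "yes":
        hits.append("X-Spanska: Yes header")
    for part in msg.walk():
        if (part.get_filename() or "").lower() == "happy99.exe":
            hits.append("HAPPY99.EXE attachment")
    return hits

def worm_duplicates(raws):
    """Indexes of messages repeating an earlier From/To/Subject with an empty body."""
    seen, flagged = set(), []
    for i, raw in enumerate(raws):
        msg = message_from_string(raw)
        key = (msg.get("From"), msg.get("To"), msg.get("Subject"))
        if key in seen and not text_body(msg).strip():
            flagged.append(i)   # the second, bodyless copy SKA.DLL sends
        seen.add(key)
    return flagged
```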

It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a regular part of Windows that provides a connection to the Internet. If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be modified next time the computer starts. It will still create WSOCK32.SKA even if it is unable to modify WSOCK32.DLL. This virus will keep a list of message recipients in the file LISTE.SKA in the Windows System folder. It will try not to send the Happy99.exe file twice to the same person. The size of SKA.EXE (and HAPPY99.EXE) is 10,000 bytes. The size of SKA.DLL is 8,192 bytes.

This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. However, it could overload an e-mail server if a lot of copies get passed around. Also, since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the modified WSOCK32.DLL cannot perform any viral action. However, using a modified WSOCK32.DLL could cause problems while on the Internet. The most common problem that has been reported is invalid page faults, but these can have other causes. Restoring the original WSOCK32.DLL will correct these problems.

This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV. However, someone using one of those could pass it along manually, for example by forwarding the message. Under Windows NT it will create SKA.EXE, SKA.DLL, and WSOCK32.SKA but will fail to add itself to the registry or modify WSOCK32.DLL. If you have NT, you don't have to follow the removal steps; you can simply delete SKA.DLL, WSOCK32.SKA and SKA.EXE from inside Windows NT if you would like. This virus is not able to infect WSOCK32.DLL if it has the read-only attribute. Setting the read-only attribute after being infected is useless. I caution you not to run HAPPY99.EXE even if WSOCK32.DLL is read-only. Since it has passed through so many computers, a different virus could attach to HAPPY99.EXE along the way.

Some people have asked whether it is always called HAPPY99.EXE. This virus doesn't contain any code to change the name. However, it would be simple for a person to change it to anything they like.

It contains the encrypted text: "Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999." Spanska is the alias of a virus writer who has written several other viruses.

There are some automatic cleaners for this virus here or you could do it manually. Steps marked optional are not absolutely necessary and are completely safe to skip. If you're not comfortable with DOS, get someone knowledgeable to help you with this. These steps should be safe, even under unexpected circumstances, but I can't make guarantees. Perform these at your own risk. If you have Windows NT, you don't have to follow the removal steps.

If you're not sure whether you are infected or not, then perform step 10 to check if you're clean.

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes. It's important to exit Windows in order to be able to replace the file WSOCK32.DLL which Windows normally has in use.

2. At the DOS prompt type these commands exactly and press enter at the end of each line:
CD \WINDOWS\SYSTEM

If that doesn't work, try:
CD SYSTEM

3. Delete SKA.EXE and SKA.DLL by typing: 
DEL SKA.EXE
DEL SKA.DLL

If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly. You can continue following the instructions even if you get "File not found". It can't hurt to keep on following the instructions.

4. Copy WSOCK32.SKA to WSOCK32.DLL by typing: 
ATTRIB -R WSOCK32.DLL
COPY WSOCK32.SKA WSOCK32.DLL

The ATTRIB command is just in case WSOCK32.DLL has been made read-only since the infection. Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL. Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL. You are replacing the modified DLL with the original. If you get a "Sharing violation" make sure you followed step 1.

5. Optional Delete WSOCK32.SKA by typing: 
DEL WSOCK32.SKA

You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL. Do not delete WSOCK32.SKA if you are unable to replace WSOCK32.DLL with WSOCK32.SKA.

6. Return to Windows by typing:
EXIT

7. Optional Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there. Press delete and then click Yes. Close Regedit. Don't change anything else without making a backup of the registry first. If you don't find SKA.EXE in the registry, it doesn't mean you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it. Also, you'll only find it in the registry if you haven't rebooted since you ran HAPPY99.EXE.

8. Optional Choose Start, Programs, Accessories, Notepad, choose File, then Open, then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the people on the list, then delete LISTE.SKA. Make it clear to the people you warn that they won't be infected unless they ran happy99.exe, to avoid alarming them unnecessarily. If you haven't sent out any infected e-mails, there won't be a LISTE.SKA.

9. Optional Delete the HAPPY99.EXE file. The location of HAPPY99.EXE will vary depending on where you saved it. You can delete it simply by dragging it to the Recycle Bin from within Windows or whatever method you prefer. You may still have some messages with HAPPY99.EXE attached in your mailbox. These cannot do anything unless you run them. You can delete them if you want to or just ignore them.

10. Optional If you aren't sure whether you are infected, choose Start, then Find, then "Files or Folders". Then type WSOCK32.DLL in the "Named" box. In the "Look in" box choose drive C: or whatever drive you have Windows on. In the "Containing Text" box type "ska.dll" without the quotes. Then click "Find Now". If you don't find any files, that means that WSOCK32.DLL isn't the modified version. If you don't have the modified WSOCK32.DLL, the virus has no way to attach to e-mails, even if you have SKA.EXE, SKA.DLL, or WSOCK32.SKA in the Windows System folder. If you have SKA.EXE in the RunOnce registry section, and you haven't deleted SKA.EXE, then the virus will try to modify WSOCK32.DLL the next time you restart the computer. If you would like to check if SKA.EXE is in the registry, then do step 7. If you don't have the modified WSOCK32.DLL, and SKA.EXE isn't in the registry, the virus is completely inactive and is effectively removed.

Source: http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM 
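Added example, not from the message or its source: the step-10 check and steps 3 to 5 scripted in Python against a constructed stand-in for the Windows System folder, using only the file names, the "ska.dll" string and the sizes the write-up gives. It assumes it runs from outside Windows (a rescue medium), so the RunOnce registry values are handed in as a list of strings instead of being read live.

```python
import tempfile
from pathlib import Path

SKA_EXE_SIZE, SKA_DLL_SIZE = 10_000, 8_192   # sizes quoted in the text above

def happy99_state(system_dir, runonce_values=()):
    """Classify a Windows System folder as 'active' (modified WSOCK32.DLL),
    'pending-reboot' (SKA.EXE still queued in RunOnce), 'inactive' or 'clean'."""
    d, findings = Path(system_dir), {}
    for name, size in (("SKA.EXE", SKA_EXE_SIZE), ("SKA.DLL", SKA_DLL_SIZE)):
        if (d / name).exists():
            actual = (d / name).stat().st_size
            findings[name] = "size matches" if actual == size else f"size {actual}"
    for name in ("WSOCK32.SKA", "LISTE.SKA"):
        if (d / name).exists():
            findings[name] = "present"
    wsock = d / "WSOCK32.DLL"   # step 10: the modified DLL contains "ska.dll"
    modified = wsock.exists() and b"ska.dll" in wsock.read_bytes().lower()
    pending = "SKA.EXE" in findings and any("ska.exe" in v.lower() for v in runonce_values)
    if modified:
        return "active", findings
    if pending:
        return "pending-reboot", findings
    return ("inactive" if findings else "clean"), findings

def restore(system_dir):
    """Steps 3 to 5: drop SKA.EXE/SKA.DLL, put the WSOCK32.SKA backup back as
    WSOCK32.DLL, and only then remove the backup (keeping it is also fine)."""
    d = Path(system_dir)
    for name in ("SKA.EXE", "SKA.DLL"):
        (d / name).unlink(missing_ok=True)
    backup = d / "WSOCK32.SKA"
    if backup.exists():
        (d / "WSOCK32.DLL").write_bytes(backup.read_bytes())
        backup.unlink()

def build_sample_system(infected):
    """Constructed stand-in for the System folder (not real worm files)."""
    d = Path(tempfile.mkdtemp())
    original = b"ORIGINAL winsock stand-in".ljust(4096, b"\0")
    (d / "WSOCK32.DLL").write_bytes(original)
    if infected:
        (d / "WSOCK32.SKA").write_bytes(original)
        # same size as the original, but now references SKA.DLL
        (d / "WSOCK32.DLL").write_bytes(original.replace(b"ORIGINAL", b"ska.dll "))
        (d / "SKA.EXE").write_bytes(b"\0" * SKA_EXE_SIZE)
        (d / "SKA.DLL").write_bytes(b"\0" * SKA_DLL_SIZE)
    return d
```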




================================================
Phil Davis

home:	PDavis@ix.netcom.com	Davidsonville, Maryland	USA
work:	PDavis@OAO.com        	Greenbelt, Maryland	USA
================================================