|
The Happy99.Worm
(Aliases: Trojan.Happy99, I-Worm.Happy)
Likelihood: | Common |
Areas Reported: | World-wide |
Characteristics: | A Worm; think:
Trojan virus |
Good News: |
Usually NOT harmful
as long as you do NOT panic!
|
Description:
Although, technically, this infection is called a worm
program, most people will probably refer to it as a virus. Since it does
make a change to one of your files, calling it a virus is a reasonable
alternative in my opinion. This program became widespread through mass
emails (spamming) and USENET newsgroup postings, and is now being passed
along by individual emails from infected computers.
The worm
enters your computer as a file attachment in an email or article sent
to you. Most likely this attachment will be called HAPPY99.EXE.
When executed, the program opens a window entitled
"Happy New Year 1999 !!" showing a fireworks display to
mask its real purpose. If you did execute this worm program, you would have
seen a window similar to this:
The program copies itself as SKA.EXE and extracts a DLL file from
the original EXE, called SKA.DLL, into your WINDOWS\SYSTEM
directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM
directory, but does make a copy of the
original WSOCK32.DLL file as WSOCK32.SKA
in the same directory.
WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
worm's modification of WSOCK32.DLL allows it to be triggered whenever a
connect or send activity is detected. When this online activity occurs, the
modified code loads and executes the worm's SKA.DLL file. This file creates
a new email message or news article with the original UUENCODED
HAPPY99.EXE attached to it. It then sends this email msg. or posts the
infected article to whomever you sent email or the newsgroup you posted an
article to!
The worm keeps a list of email addresses that
it has sent HAPPY99.EXE to. This can be found in a file called
"LISTE.SKA" which you can read with any text editing program such
as NOTEPAD.
If WSOCK32.DLL is in use when the worm tries to modify it (i.e., you are
already online), the worm adds an entry to your Registry file:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
This Registry entry causes the worm to be executed the next time you start
Windows.
If you have been infected, the
good news is that this virus is generally not harmful in any way to
your programs or data so don't panic! Simply stop sending people
email (receiving it is OK) until you have removed the virus.
If you don't know how to carry out the
procedures below, you can download an excellent little program that will
remove the worm and list the email addresses of people you may wish to
inform about it from this site ( here) right now:
H99Clean.zip (ZIP file is
only 10,077 bytes; 05 MAY 1999.)
( This version is only 21kb in size because it does
not include the VB5 runtime module. I have used it myself; it works fine.
Written in Visual Basic 5 by Craig Schmugar at Northwestern University, IL,
USA. If you don't have the VB5 support file, or simply wish to check out
another page about Happy99, you can do so by following this link:
http://www.pchell.com/internet/happy99.shtml.)
Even if you use Craig's program, you should still read the last
paragraph of this page about Practicing SAFE Computing.
How To Remove the Happy99 Worm:
( Without any anti-virus software )
First, make sure that you READ the NOTES section after this procedure
BEFORE attempting to execute any of these steps!
- DELETE: WINDOWS\SYSTEM\SKA.EXE
- Determining the CREATION DATE of the file WINDOWS\SYSTEM\SKA.DLL,
will tell you how long your computer has been infected with this
worm! (You should RIGHT click on the filename and select the item
"Properties" from the menu.) After noting its creation
date, DELETE: WINDOWS\SYSTEM\SKA.DLL
- In your WINDOWS\SYSTEM\ directory, RENAME: WSOCK32.DLL to
WSOCK32.99
- In the same directory, RENAME: WSOCK32.SKA to WSOCK32.DLL
- Finally, DELETE: the Happy99 WORM file itself, which is
usually named HAPPY99.EXE. You may need to use the Windows START
menu's Find > Files to help you locate this
program.
- Try to recall which email message contained the Happy99 worm, and
note the name of the sending party when you find it.
Delete the message.
- Inform the party whose computer sent you the worm(!) that they are
infected! You should also make some effort to warn anyone that you
sent email to since then, that they may have become infected as
well.
NOTES:
Windows will prevent you from carrying out steps
#3 and #4 above if your computer is still "online," because the
file "windows\system\wsock32.dll" is used whenever your machine
is connected to Internet (through either a dial-up or LAN connection).
IF you are using dial-up connection, i.e., an ISP ( Internet Service
Provider, such as America Online, Prodigy, MSN or some local ISP in
your area), you need to do the following:
- Terminate your Internet connection, then:
- Return to the procedure listed above.
Note: In some rare cases, after you terminate the Net connection, your
computer may still not allow you to rename the WSOCK32.DLL file. If
this happens, follow the procedure for a LAN connection below.
IF you are connected to Internet through a LAN (i.e., in an office or
through a cable modem), you need to do the following:
- From the START menu, select "Shutdown" AND THEN click on
"Restart the computer in MS-DOS mode" BEFORE clicking on the
"YES" button.
- WHEN the DOS prompt ( C:\> ) appears, type:
cd \windows\system THEN press the <ENTER> key.
- You should then be at your WINDOWS\SYSTEM> prompt.
- Type: rename WSOCK32.DLL WSOCK32.99 <ENTER>
- Type: rename WSOCK32.SKA WSOCK32.DLL <ENTER>
- Type: del SKA.EXE <ENTER>
- Type: del SKA.DLL <ENTER>
- Restart your computer, then carry out steps #5 and following
of the main procedure above.
Practice SAFE Computing:
This worm and other trojan-horse type programs demonstrate the
need to practice "safe computing." You shouldn't run any
executable file attachment: .COM, .BAT, .EXE, .SHS, .DOC (MS-Word), or .XL*
(MS-Excel), nor use any script files for controlling another program that
come in an email or a newsgroup article from an untrusted source.
(Note: Your source should be
knowledgeable enough to reasonably assure you that the file is NOT infected.)
For further study on how to avoid most infections, see my webpage:
How to Keep Viruses and Trojans out of your Computer.
Edited by: The Starman,
April 28, 1999. |