Win95 / Win98 here's the info from Symantec Antivirus
Akintayo Holder wrote:
Happy99.Worm
VirusName:
Happy99.Worm
Aliases:
Trojan.Happy99, I-Worm.Happy
Likelihood:
Common
Region Reported:
US, Europe
Keys:
Trojan Horse, Worm
Description:
This is a worm program, NOT a virus. This program has
reportedly been received through email
spamming and USENET newsgroup posting. The file is
usually named HAPPY99.EXE in the
email or article attachment.
When being executed, the program also opens a window
entitled "Happy New Year 1999 !!"
showing a firework display to disguise its other actions.
The program copies itself as SKA.EXE and
extracts a DLL that it carries as SKA.DLL into
WINDOWS\SYSTEM directory. It also modifies
WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the
original WSOCK32.DLL into
WSOCK32.SKA.
WSOCK32.DLL handles internet-connectivity in Windows 95
and 98. The modification to
WSOCK32.DLL allows the worm routine to be triggered when
a connect or send activity is
detected. When such online activity occurs, the modified
code loads the worm's SKA.DLL. This
SKA.DLL creates a new email or a new article with
UUENCODED HAPPY99.EXE inserted into
the email or article. It then sends this email or posts
this article.
If WSOCK32.DLL is in use when the worm tries to modify it
(i.e. a user is online), the worm adds
a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The registry entry loads the worm the next time Windows
start.
Removing the worm manually:
1.delete WINDOWS\SYSTEM\SKA.EXE
2.delete WINDOWS\SYSTEM\SKA.DLL
3.replace WINDOWS\SYSTEM\WSOCK32.DLL with
WINDOWS\SYSTEM\WSOCK32.SKA
4.delete the downloaded file, usually named HAPPY99.EXE
Safe Computing:
This worm and other trojan-horse type programs
demonstrate the need to practice safe computing.
One should not execute any executable-file attachment
(i.e. EXE, SHS, MS Word or MS Excel
file) that comes from an email or a newsgroup article
from an unknown or a untrusted source.
Norton AntiVirus users can protect themselves from this
worm by downloading the virus
definitions updates released on Jan 28, 1999 or later
either through LiveUpdate or from the
following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Raul K. Elnitiarta
January 28, 1999
> > Mitchell Maltenfort wrote:
> >
> >
> > "Happy99.exe" just got mailed to me as an attechment.
> >
> > It's a known trojan. Not jagar's fault, this sucker apparently
> > arranges to remail itself.
> >
> > Don't run it, and check Symantec's antivirus page for getting rid of
> > it if you did.
> >
> >
> What platform ?
--
"Though we are not now that strength which in old days moved earth and
heaven, that which we are, we are; one equal temper of heroic hearts made
weak by time and fate but strong in will to strive, to seek, to find and
not to yield"
Tennyson's "Ulysses"
