>This is not one of those "Virus Alert" hoaxes, but an actual internet worm >advisory. This is an FYI only. > >The text of the article that appeared today at ZDNET.COM: > > > > >Happy99.exe worm is in the wild > >Worm is spreading quickly into North America, particularly in Silicon >Valley. > >By Bob Sullivan, MSNBC > > > The Happy99.exe worm has spread very quickly around North America, >particularly Silicon Valley, according to Dan Tanaka of Data Fellows Inc. "I >now receive 20 or 30 copies of it every day," he told MSNBC. >The worm was apparently released on Usenet, and since last month there have >been nearly 4,500 posts about it, many from users trying to find out how to >disinfect their machines. > > > Happy99.exe started making its way around the Internet about Jan. 20, >sending hundreds of copies of itself via e-mail attachments and newsgroup >postings. According to Helsinki, Finland, data security firm Data Fellows >Inc., the worm does not attempt to destroy files on infected machines, but >it sends e-mails and newsgroup postings without the victim's knowledge and >could cause network slowdowns or even crash corporate e-mail servers. > >The worm, so designated because it can replicate on its own, arrives as an >e-mail or newsgroup attachment and infects only users who run the >attachment. > > > Once they do, all victims see is a window with a fireworks display. But >behind the scenes, the worm alters the host computer's winsock32.dll file, >the computer's doorway to the Internet. Then, each time a user intiates >e-mail or newsgroup activity, by either receiving or sending e-mail or >posting to a newsgroup, Happy99 spams the newsgroup or e-mail recipient with >copies of itself. Any type of activity on port 25 or 119 will trigger spam >activity, according to Takata, senior software support engineer of Data >Fellows. > >It also keeps a list of the spammed e-mail addresses and newsgroups in a >separate file called LISTE.SKA. > >Patch available >Because the original version of wsock32.dll is preserved in backup form as >WSOCK32.SKA, newsgroup posters say they've been able to restore their >machines without much difficulty. Data Fellows has a patch that recognizes >the worm. > >Infected users can click here for full instructions on how to remove the >worm from their systems. > >It poses no risk to data, but can be more than a nuisance to network >administrators. > >"If you have 100 PCs and everyone is checking e-mail at 9 a.m. and this >thing starts flying around, absolutely it can slow down a network," Takata >said. "It can crash your e-mail server. I wouldn't be surprised if it did." > >Because the e-mail header contains "MOUT-MOUT Hybrid (c) Spanska 1999." >Takata speculated that the Happy99 author also wrote a series of viruses >known as the spanska viruses. Those were first reported in September 1997 >and randomly displayed political messages, such as, "Remember those who died >for Madrid." > > > >Scott Brainard >Program Evaluator >SCANS/2000 Center >Johns Hopkins University >Institute for Policy Studies >Wyman Park Bldg., 5th Floor >3400 N. Charles St. >Baltimore, MD 21218 > >(410) 516-8740 ph >(410) 516-4775 fax > >[EMAIL PROTECTED] >http://infinia.wpmc.jhu.edu > > >