Re: [MV] Happy99 virus Removal website?

Just fishin' from my (gamma_goat@plazma.net)
Fri, 12 Feb 1999 13:23:04 -0800

At 11:55 AM 2/12/99 -0800, you wrote:
>Will the sender of the website, please resend me the net address of the
>site describing the removal of Happy99 virus. I deleted the message
>before getting the site address down.
>Mike
>:o)

Happy99.Worm
VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: US, Europe
Keys: Trojan Horse, Worm

Description:

This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup posting. The file is
usually named HAPPY99.EXE in the email or article attachment.

When executed, the program also opens a window entitled "Happy New
Year 1999 !!" showing a fireworks display to disguise its other actions. The
program copies itself as SKA.EXE and extracts a DLL that it carries as
SKA.DLL into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered when a
connect or send activity is detected. When such online activity occurs, the
modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or
a new article with UUENCODED HAPPY99.EXE inserted into the email or
article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the worm manually:

1. delete WINDOWS\SYSTEM\SKA.EXE
2. delete WINDOWS\SYSTEM\SKA.DLL
3. replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA
4. delete the downloaded file, usually named HAPPY99.EXE

and there you have it.
-dd
\\\\\//
\\|// _\\|//_ | | _\\|//_ \\|//
(@ @) (' 0-0 ') (.) (.) (' @-@ ') (o-o)
+-=oOOo-(_)-oOOo=oo0=(_)=0oo=oOO=-(_)-=OOo=oo0=(_)=0oo=oOOo-(_)-oOOo=-+
Plazma Networking Services / Level Seven inc.
Connecting the World....
http://www.plazma.net http://www.L7.net http://www.L7.org /"\
Olympia's "one stop" InterNetworking Provider 1 (360) 357 - 7315 \ /
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ X
ASCII Ribbon campaign against HTML E-Mail >- - - - - - - - - - - - - -> / \
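
The file indicators and removal steps listed in the message above, turned into a triage check. This is an added example, not part of the original message or of any vendor tool. It assumes the analyst works on a copy of the WINDOWS\SYSTEM directory and supplies any exported RunOnce values as strings; `triage`, `demo` and `runonce_values` are hypothetical names.

```python
import hashlib
import tempfile
from pathlib import Path

# Names come from the description above. Matching is case-insensitive because
# Windows 95/98 file names may appear in any case on a mounted copy.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
LIVE, BACKUP = "WSOCK32.DLL", "WSOCK32.SKA"

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(system_dir, runonce_values=()):
    """Return (findings, steps) for a copy of the WINDOWS\\SYSTEM directory.

    runonce_values is an assumption of this example: RunOnce value data the
    analyst exported as plain strings. The registry itself is not read here.
    """
    files = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings, steps = [], []
    for name in WORM_FILES:
        if name in files:
            findings.append(f"{name} present")
            steps.append(f"delete {name}")
    if BACKUP in files:
        findings.append(f"{BACKUP} present")
        if LIVE in files and _sha256(files[LIVE]) == _sha256(files[BACKUP]):
            findings.append(f"{LIVE} already matches {BACKUP}")
        else:
            steps.append(f"replace {LIVE} with {BACKUP}")
    elif any(n in files for n in WORM_FILES):
        # Worm files without a backup: consistent with the in-use case above,
        # where WSOCK32.DLL has not been modified yet.
        findings.append(f"no {BACKUP}; {LIVE} may not have been modified yet")
    if any("SKA.EXE" in v.upper() for v in runonce_values):
        findings.append("RunOnce value references SKA.EXE")
    return findings, steps

def demo():
    """Constructed sample: a temporary directory standing in for WINDOWS\\SYSTEM."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Ska.exe").write_bytes(b"constructed placeholder, not the worm")
        (root / "SKA.DLL").write_bytes(b"constructed placeholder, not the worm")
        (root / "wsock32.dll").write_bytes(b"constructed modified library")
        (root / "WSOCK32.SKA").write_bytes(b"constructed original library")
        return triage(root, runonce_values=["SKA.EXE"])

if __name__ == "__main__":
    for line in sum(demo(), []):
        print(line)
```

Step 4 of the list (the downloaded HAPPY99.EXE) is not covered, because its location depends on where the attachment was saved.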
