Hi, the old Captain here with a story of infection. Opening my mail from adult sites spanning the globe, I came across one with an attachment called happy99.exe in it. Being the trusting and absurdly dumb guy that I am, especially when it comes to adult sites, I ran it. Well, it turns out it's a virus/worm/Trojan Horse. I managed to dodge the effects of it though, because I was still connected when I ran it, and it couldn't infect its target, wsock32.dll. It was waiting for me to reboot and wonder of wonders, I was up for three days straight without a lockup. If you're not running a Windows machine, you may not realize just how miraculous that is.

Anyway, Diana asked me to write up the episode as a warning and also as a means to find out what to do if you find yourself infected. So, here's a run down of how you get it. Please keep in mind that you're only at risk of infection if your operating system is Windows 95 or 98. That's because the thing doesn't meddle directly with your email software.

1. You get an email which indicates with a little thingy (Outlook Express uses a paperclip) that there's something attached to it.

2. You look at what's attached and it's named "happy99.exe"

3..You double click on it and see a window pop up with a fireworks display. You've just been infected

Here's what the thing will do to you if you don't get rid of it: EVERY EMAIL OR NEWSGROUP POSTING YOU MAKE WILL GENERATE A SECOND EMAIL OR POSTING CONTAINING THE "HAPPY99.EXE" FILE WHICH WILL PIGGY BACK TO YOUR RECIPIENT.

At least, that's what the gurus say it will do. As I said above, the thing couldn't complete its nefarious intentions because I had its target file, wsock32.dll (that's the hidden Windows contraption that handles internet connections and email sends), tied up due to the fact I was connected to the net when I ran the thing. Therefore, none of the mail I sent was carrying the virus.

In theory, as soon as I did a shut down/start up or a reboot, I would have been infected and started sending out infected email. It achieves this by making an entry in your Windows registry that will run a file called ska.exe the next time you start Windows. If you don't understand any of this, don't worry. If you follow the instructions and delete the file named "ska.exe", you don't really have to deal with the registry entry, because there won't be anything to run. But if you're interested, you will find a registry key entry that the virus makes below. Oddly enough, in my case, the thing did NOT mess with the registry. Don't ask.

OK, enough about how you get it and what it does--here's a short list of things to do to get rid of it

1. Track down and kill ska.exe and ska.dll as a first step.

2. Get out of Windows by shutting down and restarting in DOS mode. Then replace wsock32.dll with wsock32.ska. The ska is the original, uninfected version of wsock32.dll

If you don't know how to do that stuff, there are detailed instructions below.

I lifted the following from various sites:

To check and see if you HAVE the happy99 worm program on your computer, do the following simple test.

 

The following was found at: http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM

I followed the instructions to get rid of the thing:

 

Information

This virus is attached to newsgroup and e-mail messages as an attachment called Happy99.exe. You cannot get infected with this virus just by reading a newsgroup or e-mail message. You have to execute the attachment. Almost always, the person who sent it does not know that they are sending it out. It does not show up in their Outbox. If you didn't execute the attachment, you can just delete it and move on. You should never open an EXE, COM, SHS, BAT, VBS file or MS Office document unless you know the source and its purpose and even then, check it with an up-to-date antivirus program. If you execute an infected attachment, it will display a firework display which looks like this:

It will create two files in the Windows System folder, SKA.EXE and SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will copy the original WSOCK32.DLL to WSOCK32.SKA. Then it will modify WSOCK32.DLL without changing its size so it will try to run SKA.DLL while posting to Usenet and sending E-Mail. The SKA.DLL file will silently attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages with a barely noticable delay. This second copy will have the same subject and recipient, but it will have an empty body. The outgoing message will contain the header 

X-Spanska: Yes

but this is normally not visible.

It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a regular part of Windows that provides a connnection to the Internet. If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be modified next time the computer starts. It will still create WSOCK32.SKA even if it is unable to modify WSOCK32.DLL. This virus will keep a list of message recipients in the file LISTE.SKA in the Windows System folder. It will try not to send the Happy99.exe file twice to the same person. The size of SKA.EXE (and HAPPY99.EXE) is 10,000 bytes. The size of SKA.DLL is 8,192 bytes.

This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. However, it could overload an e-mail server if a lot of copies get passed around. Also, since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the modified WSOCK32.DLL cannot perform any viral action. However using a modified WSOCK32.DLL could cause problems while on the Internet. The most common problem that has been reported is invalid page faults, but these can have other causes. Restoring the original WSOCK32.DLL will correct these problems.

This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV. However, someone using one of those could pass it along manually, for example by forwarding the message. Under Windows NT it will create SKA.EXE, SKA.DLL, and WSOCK32.SKA but will fail to add itself to the registry or modify WSOCK32.DLL. If you have NT, you don't have to follow the removal steps; you can simply delete SKA.DLL, WSOCK32.SKA and SKA.EXE from inside Windows NT if you would like. This virus is not able to infect WSOCK32.DLL if it has the read-only attribute. Setting the read-only attribute after being infected is useless. I caution you not to run HAPPY99.EXE even if WSOCK32.DLL is read-only. Since it has passed through so many computers, a different virus could attach to HAPPY99.EXE along the way.

Some people have asked whether it is always called HAPPY99.EXE. This virus doesn't contain any code to change the name. However, it would be simple for a person to change it to anything they like.

It contains the encrypted text: 

"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."

Spanska is the alias of a virus writer who has written several other viruses.

 

Removal

Steps marked optional are not absolutely necessary and are completely safe to skip. If you're not comfortable with DOS, get someone knowledgable to help you with this. These steps should be safe, even under unexpected circumstances, but I can't make guarantees. Perform these at your own risk. If you have Windows NT, you don't have to follow the removal steps.

If your not sure whether you are infected or not, then perform step 10 to check if you're clean.

  1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes. It's important to exit Windows in order to be able to replace the file WSOCK32.DLL which Windows normally has in use.
  2. At the DOS prompt type these commands exactly and press enter at the end of each line: 
    3. CD \WINDOWS\SYSTEM

    If that doesn't work, try 

    CD SYSTEM
  3. Delete SKA.EXE and SKA.DLL by typing 
    4. DEL SKA.EXE
DEL SKA.DLL

    If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 3 exactly. You can continue following the instructions even if you get "File not found". It can't hurt to keep on following the instructions.

  4. Copy WSOCK32.SKA to WSOCK32.DLL by typing 
    5. ATTRIB -R WSOCK32.DLL
COPY WSOCK32.SKA WSOCK32.DLL

    The ATTRIB command is just in case WSOCK32.DLL has been made read-only since the infection. Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL. Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL. You are replacing the modified DLL with the original. If you get a "Sharing violation" make sure you followed step 1.

  5. Optional Delete WSOCK32.SKA by typing 
    6. DEL WSOCK32.SKA

    You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL Do not delete WSOCK32.SKA if you are unable to replace WSOCK32.DLL with WSOCK32.SKA.

  6. Return to Windows by typing 
    7. EXIT
  7. Optional Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there. Press delete and then click Yes. Close Regedit. Don't change anything else without making a backup of the registry first. If you don't find SKA.EXE in the registry, it doesn't mean you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it. Also, you'll only find it in the registry if you haven't rebooted since you ran HAPPY99.EXE.
  8. Optional Choose Start, Programs, Accessories, Notepad, choose File, then Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the people on the list, then delete LISTE.SKA. Make it clear to the people you warn that they won't be infected unless they ran happy99.exe, to avoid alarming them unnecessarily. If you haven't sent out any infected e-mails, there won't be a LISTE.SKA.
  9. Optional Delete the HAPPY99.EXE file. The location of HAPPY99.EXE will vary depending on where you saved it. You can delete it simply by dragging it to the Recycle Bin from within Windows or whatever method you prefer. You may still have some messages with HAPPY99.EXE attached in your mailbox. These cannot do anything unless you run them. You can delete them if you want to or just ignore them.
  10. Optional If you aren't sure whether you are infected, choose Start, then Find, then "Files or Folders". Then type WSOCK32.DLL in the "Named" box. In the "Look in" box choose drive C: or whatever drive you have Windows on. In the "Containing Text" box type "ska.dll" without the quotes. Then click "Find Now". If you don't find any files, that means that WSOCK32.DLL isn't the modified version. If you don't have the modified WSOCK32.DLL, the virus has no way to attach to e-mails, even if you have SKA.EXE, SKA.DLL, or WSOCK32.SKA in the Windows System folder. If you have SKA.EXE in the RunOnce registry section, and you haven't deleted SKA.EXE, then the virus will try to modify WSOCK32.DLL the next time you restart the computer. If you would like to check if SKA.EXE is in the registry, then do step 7. If you don't have the modified WSOCK32.DLL, and SKA.EXE isn't in the registry, the virus is completely inactive and is effectively removed.

Other web pages:

http://www.c-a-c-s.com/happy99.htm

http://www.symantec.com/avcenter/download.html

http://www.bedford.net/happy99.htm

http://www.us.sophos.com/virusinfo/analyses/w32skahappy99.html

http://www.quickheal.com/happy99.htm note: includes a special utility called PROTECT designed to remove the happy99 worm/virus. Download protect.zip. Quick Heal is supposedly India’s leading anti-virus software.

http://www.pspl.com/trojan_info/win32/happy99.htm

http://www.hackz.com/alerts/02159.html

http://www.msnbc.com/news/240551.asp

http://members.tripod.com/docsmiley/happy99.htm