Virus Update 2

Other Useful Free Links:

Free online virus scanning service:


Virus Datafile Update: PcCillin, Norton Antivirus, McAfee VirusScan, Dr. Solomon's

VirusScan Hourly update: (for V3 engine), (for V4 engine)

Update to Scan Engines: PcCillin (ver 2.082), McAfee VirusScan (ver 3.2.2)

Microsoft security patch for Word 97

An article from ZDNet on How to Protect Yourself from Viruses.


HAPPY99

Here is an extract of a useful article I found on the internet but it is not 100% complete (see my additional info below):

+++++++++start of article++++++++
Happy99 Worm by Raul K. Elnitiarta, March 2, 1999:

Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: World Wide
Characteristics: Trojan Horse, Worm

Description
This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the Worm Manually:

  1. delete WINDOWS\SYSTEM\SKA.EXE
  2. delete WINDOWS\SYSTEM\SKA.DLL
  3. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
  4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
  5. delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you from doing steps #3 and #4 above if the machine is still connected to the Internet. The file "windows\system\wsock32.dll" is used whenever the machine is connected to the Internet (i.e. through dial-up or LAN connection). If you are using a dial-up connection (i.e. America Online), you need to do the following:

  1. terminate internet connection
  2. delete WINDOWS\SYSTEM\SKA.EXE
  3. delete WINDOWS\SYSTEM\SKA.DLL
  4. in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
  5. in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
  6. delete the downloaded file, usually named HAPPY99.EXE

If you are connected to the Internet through a LAN (i.e. in the office or cable modem), you need to do the following:

  1. From the Start menu, select shutdown-restart in MS DOS mode
  2. type CD \WINDOWS\SYSTEM when DOS prompt (C:\) appears
  3. type RENAME WSOCK32.DLL WSOCK32.BAK
  4. type RENAME WSOCK32.SKA WSOCK32.DLL
  5. type DEL SKA.EXE
  6. type DEL SKA.DLL

Safe Computing
This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article from an untrusted source.
++++++++++end of article++++++++


Additional Info not covered in the above article:

A) If you are not sure whether you are infected do this manual check:

  1. Choose "Start", then "Find", then "Files or Folders". Type WSOCK32.DLL in the "Named" box.
  2. Click "Advanced" tab, then type "ska.dll" (without the quotes) in "Containing Text" Box. Leave the "Look in" box as C: (or whatever drive you have Windows installed on).
  3. Click "Find Now". If you don't find any files, that means you are not infected.

B) The virus does not affect other operating systems like Macs, DOS, Windows 3.x, OS/2, Linux or Windows NT, although the Happy99.exe file could be passed to them. Under NT it will only create the SKA.EXE, SKA.DLL and WSOCK32.SKA files, and does nothing else after that.

C) The virus will not infect WSOCK32.DLL if it has the read-only attribute, but note that setting the read-only attribute after being infected is useless. Therefore, to protect your computer from re-infection you just need to set the Read-Only attribute for the WSOCK32.DLL file. Warning: don't try to run HAPPY99.EXE even if WSOCK32.DLL is read-only, as other types of virus may be attached to the Happy99.exe file.

D) If you see an error on rebooting that says 'Windows cannot find SKA.EXE', then your Registry needs to be cleaned. Print out the following procedures for reference:

Warning: follow these instructions exactly or you risk crashing your Windows setup.

  1. Click Start > Run, type regedit in the text box, then click OK.
  2. Click the + to the left of HKEY_LOCAL_MACHINE.
  3. Click the + to the left of Software.
  4. Click the + to the left of Microsoft.
  5. Click the + to the left of Windows.
  6. Click the + to the left of CurrentVersion.
  7. Open the RunOnce folder. If you see any reference to SKA.EXE, select it and then press the Delete key (make absolutely certain you select it first before deleting the item).
  8. Close Regedit.

Notes: Don't change anything else in the registry. If SKA.EXE is not there it doesn't mean you are not infected. It is only added to the registry if Happy99 is unable to modify the WSOCK32.DLL file.

E) Another file created by Happy99: C:\Windows\System\Liste.ska
This is a text file listing the addresses of those you sent Happy99 to. Warn those on the list and ask them to visit this site freetoo.cjb.net for instructions on how to cure the 'virus'. If there is no such file then your PC has not sent out any Happy99.

F) Your antivirus software will most likely clean (i.e. delete) only the Happy99.exe and SKA.exe files but leave the other infected files on your PC. So you need to check using the procedure given in item A above, and delete the files manually.
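
The checks in items A, E and F can be scripted against a copy of the WINDOWS\SYSTEM directory. The following is an added example, not part of the original page or the quoted article: the function names, the case-insensitive match and the sample directory it builds are assumptions made for illustration.

```python
import os
import tempfile

# File names the page attributes to Happy99 inside WINDOWS\SYSTEM.
ARTIFACTS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")
MARKER = b"ska.dll"  # the text item A searches WSOCK32.DLL for


def contains_marker(path, marker=MARKER, chunk=65536):
    """Case-insensitive streaming search that also catches a match split across reads."""
    marker, tail = marker.lower(), b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            data = tail + block.lower()
            if marker in data:
                return True
            tail = data[-(len(marker) - 1):]


def triage(system_dir):
    """Report Happy99 traces in one SYSTEM directory (live, or copied from an image)."""
    # Index by upper-cased name: FAT file names are case-insensitive.
    files = {n.upper(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}
    wsock = files.get("WSOCK32.DLL")
    patched = bool(wsock) and contains_marker(wsock)
    return {
        "wsock32_patched": patched,                         # item A
        "artifacts": sorted(n for n in ARTIFACTS if n in files),
        "can_restore": patched and "WSOCK32.SKA" in files,  # backup to rename back
        "recipients_logged": "LISTE.SKA" in files,          # item E
    }


def build_sample(patched, leftovers=()):
    """Constructed test directory; file contents are placeholders, not real DLLs."""
    d = tempfile.mkdtemp()
    body = b"MZ" + b"\x00" * 70000 + (b"Ska.DLL\x00" if patched else b"")
    with open(os.path.join(d, "Wsock32.dll"), "wb") as fh:
        fh.write(body)
    for name in leftovers:
        open(os.path.join(d, name), "wb").close()
    return d


if __name__ == "__main__":
    # Item F case: the scanner removed SKA.EXE but the patched DLL remains.
    print(triage(build_sample(True, ("Ska.dll", "wsock32.ska", "liste.ska"))))
    print(triage(build_sample(False)))
```

The RunOnce registry entry from item D is not covered; it still has to be checked with Regedit as described above.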


Some useful links to obtain free virus datafile update and free online scanning service are listed on the left column of this page.

Information on Melissa Virus, Info on ILOVEYOU
Information on Bubbleboy

   
    Lastly, if you find the above useful, please let your friends know about this site: freetoo.cjb.net and sign my guestbook.
   
   

If you have any questions, please feel free to email me at webmasterfreetoo.cjb.net

Last update: 12th Nov 99