
Happy99 Virus

by Peter Grimes

28 March 1999 05:59 UTC




---------- Forwarded message ----------
Date: Sat, 27 Mar 1999 14:07:52 -0800
From: Dag MacLeod <dagmac@jhu.edu>
To: p34d3611@jhunix.hcf.jhu.edu

Could you pass the following instructions for removal of the
Happy99 virus to the entire list?

Thanks,

Dag

Dag MacLeod
431 Lee St. #15
Oakland, CA 94610
dagmac@jhu.edu

Basically the original file HAPPY99.EXE was coded by a virus author known
as "Spanska", formerly known for Spanska.4250 virus infecting PE type files.
The file was distributed onto newsgroup servers and other places. Users
would run the file and unbeknownst to them, they would send out copies of
the worm to anyone they sent email to. It only works if the user is using

The way it works is this- HAPPY99.EXE is broken down into 2 files - SKA.EXE
and SKA.DLL. When you run HAPPY99.EXE, it displays fireworks - more or less
a distraction as it drops SKA.EXE and SKA.DLL onto the hard drive. It then
makes a backup copy of the WSOCK32.DLL as WSOCK32.SKA. After this, it
also newsgroup posting by NNTP protocol. By hooking these calls, SKA.EXE
can send itself again as HAPPY99.EXE as an attachment to emails and
posting to newsgroups.

Also HAPPY99 (W32/Ska) keeps a log of emails sent to users in a file called
"liste.ska".

Removal is more or less a manual process:

	boot to ms-dos

	rename WSOCK32.DLL to WSOCK32.BAD

	rename WSOCK32.SKA to WSOCK32.DLL

	delete SKA.EXE, SKA.DLL, LISTE.SKA

	restart Windows

A command line program is available to perform these actions for you. It is
called RMSKA.EXE and is located at this URL-

<http://www.avertlabs.com/public/stand_alone>

Copy the executable to the root of C: and then click START»RUN and type
RMSKA.EXE

This will run the remover, after which you will need to reboot your
computer. This utility is designed for Windows 95/98 computers. 

With Regards,
AVERT - A Division Of NAI Labs
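
The manual steps above as a read-only pre-check, added here as an example; it is not part of the forwarded message and is not AVERT's RMSKA.EXE. The directory to inspect is supplied by the caller, the function names are hypothetical, and the two STOP conditions are this example's own assumptions rather than anything the advisory states.

```python
import tempfile
from pathlib import Path

DELETE = ("SKA.EXE", "SKA.DLL", "LISTE.SKA")   # files the advisory says to delete
BACKUP, LIVE, PARKED = "WSOCK32.SKA", "WSOCK32.DLL", "WSOCK32.BAD"

def present(directory, names):
    """Names from `names` that exist in `directory`, matched case-insensitively."""
    have = {p.name.upper() for p in Path(directory).iterdir()}
    return [n for n in names if n in have]

def plan_removal(directory):
    """Return the ordered steps for `directory`. Read-only: nothing is renamed or deleted."""
    found = present(directory, DELETE + (BACKUP, LIVE, PARKED))
    traces = [n for n in found if n in DELETE or n == BACKUP]
    if not traces:
        return []                                   # none of the listed files are here
    if BACKUP not in found:
        # Assumption of this example: without the backup copy there is nothing to
        # restore WSOCK32.DLL from, so stop instead of renaming it away.
        return ["STOP: WSOCK32.SKA missing; leave WSOCK32.DLL in place"]
    if PARKED in found:
        # Assumption of this example: never overwrite an existing WSOCK32.BAD.
        return ["STOP: WSOCK32.BAD already exists; rename would collide"]
    steps = []
    if LIVE in found:
        steps.append("rename WSOCK32.DLL to WSOCK32.BAD")
    steps.append("rename WSOCK32.SKA to WSOCK32.DLL")
    steps += [f"delete {n}" for n in DELETE if n in found]
    return steps

def demo(names):
    """Build a constructed directory of empty files and plan against it."""
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            (Path(d) / n).touch()
        return plan_removal(d)

if __name__ == "__main__":
    # Constructed sample: mixed-case names as they might appear on a FAT volume.
    for step in demo(["wsock32.dll", "Wsock32.ska", "Ska.exe", "SKA.DLL", "liste.ska"]):
        print(step)
```
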


