
Happy99 Virus

by Peter Grimes

08 April 1999 05:48 UTC



Could you pass the following instructions for removal of the
Happy99 virus to the entire list.


Basically the original file HAPPY99.EXE was coded by a virus author known
as "Spanska", formerly known for Spanska.4250 virus infecting PE type
files.  The file was distributed onto newsgroup servers and other places.
Users would run the file and unbeknownst to them, they would send out
copies of the worm to anyone they sent email to. It only works if the user

The way it works is this- HAPPY99.EXE is broken down into 2 files - SKA.EXE
and SKA.DLL. When you run HAPPY99.EXE, it displays fireworks - more or less
a distraction as it drops SKA.EXE and SKA.DLL onto the hard drive. It then
makes a backup copy of the WSOCK32.DLL as WSOCK32.SKA. After this, it
also newsgroup posting by NNTP protocol. By hooking these calls, SKA.EXE
can send itself again as HAPPY99.EXE as an attachment to emails and
posting to newsgroups.

Also HAPPY99 (W32/Ska) keeps a log of emails sent to users in a file called
"liste.ska".

Removal is more or less a manual process:

	boot to ms-dos

	rename WSOCK32.DLL to WSOCK32.BAD

	rename WSOCK32.SKA to WSOCK32.DLL

	delete SKA.EXE, SKA.DLL, LISTE.SKA

	restart Windows

A command line program is available to perform these actions for you. It is
called RMSKA.EXE and is located at this URL-

<http://www.avertlabs.com/public/stand_alone>

Copy the executable to the root of C: and then click START»RUN and type
RMSKA.EXE

This will run the remover, after which you will need to reboot your
computer. This utility is designed for Windows 95/98 computers. 

With Regards,
AVERT - A Division Of NAI Labs
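
The manual removal steps listed in the message above, written out as an added Python example (not part of the original message and not AVERT's RMSKA.EXE). The `directory` argument, the `dry_run` flag and the function names are assumptions made for illustration: the message does not say where the files live, and the script is meant to be pointed at a directory that is not in use by a running Windows, in line with the "boot to ms-dos" step. File names are matched case-insensitively, and WSOCK32.DLL is left alone when no WSOCK32.SKA backup exists to replace it.

```python
import os
import tempfile

# Files the message says to delete after restoring WSOCK32.DLL.
DROPPED = ("SKA.EXE", "SKA.DLL", "LISTE.SKA")

def find(directory, name):
    """Return the path of `name` in `directory`, matched case-insensitively."""
    for entry in os.listdir(directory):
        if entry.upper() == name.upper():
            return os.path.join(directory, entry)
    return None

def remove_happy99(directory, dry_run=True):
    """Plan (and, unless dry_run, apply) the message's removal steps.

    Returns the ordered list of (operation, source, destination) actions.
    """
    actions = []
    backup = find(directory, "WSOCK32.SKA")   # copy made before the DLL was changed
    current = find(directory, "WSOCK32.DLL")  # DLL currently in place
    if backup:
        # Only move the current DLL aside when a backup exists to replace it.
        if current:
            actions.append(("rename", current, os.path.join(directory, "WSOCK32.BAD")))
        actions.append(("rename", backup, os.path.join(directory, "WSOCK32.DLL")))
    for name in DROPPED:
        path = find(directory, name)
        if path:
            actions.append(("delete", path, None))
    if not dry_run:
        for op, src, dst in actions:
            if op == "rename":
                os.replace(src, dst)
            else:
                os.remove(src)
    return actions

if __name__ == "__main__":
    # Constructed sample directory standing in for an affected system folder.
    demo = tempfile.mkdtemp()
    for fname in ("WSOCK32.DLL", "WSOCK32.SKA", "SKA.EXE", "SKA.DLL", "LISTE.SKA"):
        with open(os.path.join(demo, fname), "wb") as fh:
            fh.write(fname.encode())
    for op, src, dst in remove_happy99(demo, dry_run=True):
        print(op, os.path.basename(src), "->", os.path.basename(dst) if dst else "")
```

Run with `dry_run=True` first to review the planned renames and deletions before applying them.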


