Internet Worm (sorry, not a joke)

sokol at jhu.edu sokol at jhu.edu
Fri Feb 12 13:12:13 PST 1999



>This is not one of those "Virus Alert" hoaxes, but an actual internet worm
>advisory. This is an FYI only.
>
>The text of the article that appeared today at ZDNET.COM:
>
>
>
>
>Happy99.exe worm is in the wild
>
>Worm is spreading quickly into North America, particularly in Silicon
>Valley.
>
>By Bob Sullivan, MSNBC
>
>
> The Happy99.exe worm has spread very quickly around North America,
>particularly Silicon Valley, according to Dan Tanaka of Data Fellows Inc. "I
>now receive 20 or 30 copies of it every day," he told MSNBC.
>The worm was apparently released on Usenet, and since last month there have
>been nearly 4,500 posts about it, many from users trying to find out how to
>disinfect their machines.
>
>
> Happy99.exe started making its way around the Internet about Jan. 20,
>sending hundreds of copies of itself via e-mail attachments and newsgroup
>postings. According to Helsinki, Finland, data security firm Data Fellows
>Inc., the worm does not attempt to destroy files on infected machines, but
>it sends e-mails and newsgroup postings without the victim's knowledge and
>could cause network slowdowns or even crash corporate e-mail servers.
>
>The worm, so designated because it can replicate on its own, arrives as an
>e-mail or newsgroup attachment and infects only users who run the
>attachment.
>
>
> Once they do, all victims see is a window with a fireworks display. But
>behind the scenes, the worm alters the host computer's winsock32.dll file,
>the computer's doorway to the Internet. Then, each time a user initiates
>e-mail or newsgroup activity, by either receiving or sending e-mail or
>posting to a newsgroup, Happy99 spams the newsgroup or e-mail recipient with
>copies of itself. Any type of activity on port 25 or 119 will trigger spam
>activity, according to Takata, senior software support engineer of Data
>Fellows.
>
>It also keeps a list of the spammed e-mail addresses and newsgroups in a
>separate file called LISTE.SKA.
>
>Patch available
>Because the original version of wsock32.dll is preserved in backup form as
>WSOCK32.SKA, newsgroup posters say they've been able to restore their
>machines without much difficulty. Data Fellows has a patch that recognizes
>the worm.
>
>Infected users can click here for full instructions on how to remove the
>worm from their systems.
>
>It poses no risk to data, but can be more than a nuisance to network
>administrators.
>
>"If you have 100 PCs and everyone is checking e-mail at 9 a.m. and this
>thing starts flying around, absolutely it can slow down a network," Takata
>said. "It can crash your e-mail server. I wouldn't be surprised if it did."
>
>Because the e-mail header contains "MOUT-MOUT Hybrid (c) Spanska 1999."
>Takata speculated that the Happy99 author also wrote a series of viruses
>known as the spanska viruses. Those were first reported in September 1997
>and randomly displayed political messages, such as, "Remember those who died
>for Madrid."
>
>
>
>Scott Brainard
>Program Evaluator
>SCANS/2000 Center
>Johns Hopkins University
>Institute for Policy Studies
>Wyman Park Bldg., 5th Floor
>3400 N. Charles St.
>Baltimore, MD 21218
>
>(410) 516-8740 ph
>(410) 516-4775 fax
>
>scottab at jhuvms.hcf.jhu.edu
>http://infinia.wpmc.jhu.edu
>
>
>
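A triage check built on the file artifacts the quoted article names (WSOCK32.SKA, LISTE.SKA and wsock32.dll), as an added example that is not part of the original post or of any Data Fellows tool. The directory to inspect is supplied by the caller, the verdict labels are hypothetical, and the sample directories are constructed.

```python
import hashlib
import os
import tempfile

# File names come from the article; matching is case-insensitive because
# Windows 9x file systems do not give a reliable case.
BACKUP, LOG, LIVE = "wsock32.ska", "liste.ska", "wsock32.dll"

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def triage(system_dir):
    """Report which Happy99 artifacts exist in system_dir (caller-supplied)."""
    found = {n.lower(): os.path.join(system_dir, n)
             for n in os.listdir(system_dir)
             if os.path.isfile(os.path.join(system_dir, n))}
    report = {"backup_present": BACKUP in found,
              "address_log_present": LOG in found,
              "dll_differs_from_backup": None}  # None: nothing to compare
    if BACKUP in found and LIVE in found:
        # The article says the .SKA file preserves the original DLL, so a
        # hash mismatch means the live DLL is no longer the original.
        report["dll_differs_from_backup"] = (
            _sha256(found[LIVE]) != _sha256(found[BACKUP]))
    if report["dll_differs_from_backup"]:
        report["verdict"] = "infected"   # altered DLL next to its backup
    elif report["backup_present"] or report["address_log_present"]:
        report["verdict"] = "residue"    # leftovers, DLL matches or is absent
    else:
        report["verdict"] = "clean"
    return report

def demo():
    """Triage three constructed directories (file contents are dummies)."""
    layouts = {
        "clean": {"WSOCK32.DLL": b"original"},
        "infected": {"WSOCK32.DLL": b"patched", "WSOCK32.SKA": b"original",
                     "LISTE.SKA": b"constructed"},
        "restored": {"wsock32.dll": b"original", "Wsock32.ska": b"original"},
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, files in layouts.items():
            d = os.path.join(root, name)
            os.mkdir(d)
            for fname, data in files.items():
                with open(os.path.join(d, fname), "wb") as fh:
                    fh.write(data)
            results[name] = triage(d)
    return results
```
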