Happy99 worm

Doug Henwood dhenwood at panix.com
Sat Feb 20 14:44:31 PST 1999

from the Symantec website, thanks to Lou Proyect:

>Description: This is a worm program, NOT a virus. This program has
>reportedly been received through email spamming and USENET newsgroup
>posting. The file is usually named HAPPY99.EXE in the email or article
>When being executed, the program also opens a window entitled "Happy New
>Year 1999 !!" showing a firework display to disguise its other actions. The
>program copies itself as SKA.EXE and extracts a DLL that it carries as
>SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in
>WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.
>WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The
>modification to WSOCK32.DLL allows the worm routine to be triggered when a
>connect or send activity is detected. When such online activity occurs, the
>modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or
>a new article with UUENCODED HAPPY99.EXE inserted into the email or
>article. It then sends this email or posts this article.
>If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
>online), the worm adds a registry entry:
>The registry entry loads the worm the next time Windows start.
>Removing the worm manually:
>4.delete the downloaded file, usually named HAPPY99.EXE
>Safe Computing:
>This worm and other trojan-horse type programs demonstrate the need to
>practice safe computing. One should not execute any executable-file
>attachment (i.e. EXE, SHS, MS Word or MS Excel file) that comes from an
>email or a newsgroup article from an unknown or a untrusted source.
>Norton AntiVirus users can protect themselves from this worm by downloading
>the virus definitions updates released on Jan 28, 1999 or later either
>through LiveUpdate or from the following webpage:
>Write-up by: Raul K. Elnitiarta January 28, 1999

More information about the lbo-talk mailing list