This virus, or worm as it is better described, arrives attached to
newsgroup and e-mail messages as a file called Happy99.exe. You cannot
get infected with this virus just by reading a newsgroup or e-mail
message. You have to execute the attachment by opening it. Generally,
the person who sent it does not know that they are sending it out. If
you didn't execute the attachment, you can just delete it and move on.
If you execute an infected attachment, it will show a fireworks
display. Once it has been activated, every e-mail you send will have
the file attached. When someone else opens it, the virus spreads and
the destruction continues.
Here's how Happy99.exe infects your system:
It will create two files in the Windows System folder, SKA.EXE and
SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will copy the
original WSOCK32.DLL to WSOCK32.SKA. Then it will modify WSOCK32.DLL
without changing its size so it will try to run SKA.DLL while posting
to Usenet and sending e-mail. The SKA.DLL file will silently attach
HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages
with a barely noticeable delay.
It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a
regular part of Windows that provides a connection to the Internet. If
it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the
RunOnce section of the registry and WSOCK32.DLL will be modified next
time the computer starts. It will still create WSOCK32.SKA even if it
is unable to modify WSOCK32.DLL. This virus will keep a list of message
recipients in the file LISTE.SKA in the Windows System folder. It will
try not to send the Happy99.exe file twice to the same person.
Since it gets passed along a lot, a different virus could attach to
HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the
modified WSOCK32.DLL cannot perform any viral action. However using a
modified WSOCK32.DLL could cause problems while on the Internet. The
most common problem that has been reported is invalid page faults, but
these can have other causes. Restoring the original WSOCK32.DLL will
correct these problems.
This virus does not
affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV. However, someone
using one of those could pass it along manually, for example by
forwarding the message. Under Windows NT it will create SKA.EXE,
SKA.DLL, and WSOCK32.SKA but will fail to add itself to the registry or
modify WSOCK32.DLL. If you have NT, you don't have to follow the
removal steps; you can simply delete SKA.DLL and SKA.EXE from inside
Windows NT if you would like.
Some people have
asked whether it is always called HAPPY99.EXE. This virus doesn't
contain any code to change the name. However, it would be simple for a
person to change it to anything they like.
It contains the encrypted text:
"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
Automatic Removal of Happy99.exe
Download the following file, unzip it and run it in Windows 95 or
Windows 98 by double-clicking on it. This small program will perform
the steps seen in the manual removal method with no user intervention.
Once the program is run, your system will want to reboot. This must
happen to completely remove the happy99.exe worm.
Craig Schmugar's Happy99Cleaner program
Another Happy99.exe Remover
Manual Removal of Happy99.exe
Steps marked optional are not absolutely necessary and are completely
safe to skip. If you're not comfortable with DOS, get someone
knowledgeable to help you with this. I cannot make guarantees of perfect
safety since it's a manual removal. Perform these at your own risk. If
you have Windows NT, you don't have to follow the removal steps.
1. Click Start, then Shut Down, then "Restart
Computer in MS-DOS mode", then click Yes. It's important to exit
Windows in order to be able to replace the file WSOCK32.DLL which
Windows normally has in use.
2. At the DOS prompt type this exactly and press enter at the end of
each line:
CD \WINDOWS\SYSTEM
3. Delete SKA.EXE and SKA.DLL by typing
DEL SKA.EXE
DEL SKA.DLL
If you get "File not found" you're either not infected or in the wrong
directory. Make sure you're in your Windows System directory; check to
see if you followed step 2 exactly.
4. Copy WSOCK32.SKA to WSOCK32.DLL by typing
ATTRIB -R WSOCK32.DLL
COPY WSOCK32.SKA WSOCK32.DLL
Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
WSOCK32.SKA
is a backup of the original WSOCK32.DLL. You are replacing the modified
DLL with the original. If you get a "Sharing violation" make sure you
followed step 1.
5. Optional: Delete WSOCK32.SKA by typing
DEL WSOCK32.SKA
You can leave WSOCK32.SKA on your system. It is a copy of your original
WSOCK32.DLL. Do not delete WSOCK32.SKA if you are unable to replace
WSOCK32.DLL with WSOCK32.SKA.
6. Return to Windows by typing
EXIT
7. Optional: Delete Windows Registry Key.
Click Start, then Run, then type regedit in the text box, then click
OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then
Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and
select it if it is there. Press delete and then click Yes. Close
Regedit. Don't change anything else without making a backup of the
registry first. If you don't find SKA.EXE in the registry, it doesn't
mean you're not infected. SKA.EXE is only added to the registry if
HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it. Also,
you'll only find it in the registry if you haven't rebooted since you
ran HAPPY99.EXE.
8. Optional: Choose Start, Programs, Accessories, Notepad, choose File, then Open
then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the
people on the list, then delete LISTE.SKA. Make it clear to the people
you warn that they won't be infected unless they ran happy99.exe, to
avoid alarming them unnecessarily. If you haven't sent out any infected
e-mails, there won't be a LISTE.SKA.
9. Optional: Delete the HAPPY99.EXE file. The location of
HAPPY99.EXE will vary depending on where you saved it. You can delete
it simply by dragging it to the Recycle Bin from within Windows or
whatever method you prefer. You may still have some messages with
HAPPY99.EXE attached in your mailbox. These cannot do anything unless
you run them. You can delete them if you want to or just ignore them.
10. Optional: If you aren't sure whether WSOCK32.DLL is infected, choose
Start, then Find, then "Files or Folders". Then type WSOCK32.DLL in the
"Named" box. In the "Look in" box choose drive C: or whatever drive you
have Windows on. In the "Containing Text" box type "ska.dll" without
the quotes. Then click "Find Now". If you don't find any files, that
means that wsock32.dll isn't the modified version. If you don't have
the modified WSOCK32.DLL, the virus has no way to attach to e-mails,
even if you have SKA.EXE, SKA.DLL, and WSOCK32.SKA in the Windows
System folder. If you have SKA.EXE in the RunOnce registry section, and
you haven't deleted SKA.EXE, then the virus will try to modify
WSOCK32.DLL the next time you restart the computer.
Make
sure you type the instructions exactly including spaces and
punctuation. You might want to print out the removal instructions so
you have something to refer to. If you're having trouble with the DOS
commands, get a local person to help you with them. It's hard to know
exactly how you're typing the DOS commands and what your exact
situation is without seeing it in person.
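
The "Containing Text" check from step 10, combined with the file names listed in the infection description, can also be run against a copy of the Windows System folder, for example one taken from a disk image. The Python script below is an added example, not part of the original page or of either removal tool; the function names, state labels and stand-in files it builds are assumptions made for illustration.

```python
import os
import tempfile

ARTIFACTS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA")

def find_file(system_dir, name):
    """Case-insensitive lookup, since a copied FAT volume may not preserve case."""
    for entry in os.listdir(system_dir):
        if entry.upper() == name.upper():
            return os.path.join(system_dir, entry)
    return None

def triage_happy99(system_dir):
    """Classify a Windows System folder using only the indicators the page lists."""
    present = {n: find_file(system_dir, n) is not None for n in ARTIFACTS}
    wsock = find_file(system_dir, "WSOCK32.DLL")
    hooked = False
    if wsock:
        with open(wsock, "rb") as fh:
            # Step 10's text search; the file size is unchanged, so inspect content.
            hooked = b"ska.dll" in fh.read().lower()
    payload = present["SKA.EXE"] and present["SKA.DLL"]
    if hooked and payload:
        state = "active"              # modified WSOCK32.DLL can run SKA.DLL
    elif hooked:
        state = "hooked-inert"        # no viral action, but restore the DLL anyway
    elif any(present.values()):
        state = "dropped-not-hooked"  # e.g. Windows NT, or RunOnce still pending
    else:
        state = "clean"
    return {"state": state, "wsock32_modified": hooked,
            "backup_available": present["WSOCK32.SKA"], "artifacts": present}

def build_sample(system_dir, hooked, files):
    """Write constructed stand-in files (not real samples) for the demo."""
    body = b"MZ" + b"\x00" * 64 + (b"SKA.DLL\x00" if hooked else b"\x00" * 8)
    with open(os.path.join(system_dir, "wsock32.dll"), "wb") as fh:
        fh.write(body)
    for name in files:
        with open(os.path.join(system_dir, name), "wb") as fh:
            fh.write(b"constructed placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, hooked=True, files=["Ska.exe", "Ska.dll", "Wsock32.ska"])
        print(triage_happy99(d))
```

A result of "dropped-not-hooked" matches the Windows NT case described above, and also a Windows 95 or 98 system where SKA.EXE is still waiting in RunOnce; "backup_available" says whether step 4 can be carried out.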