Received: from lists.village.virginia.edu (lists.village.Virginia.EDU [184.108.40.206])
by pop.cybernex.net (Mail-clerk/Homer) with ESMTP id JAA32123
user; Fri, 19 Feb 1999 09:03:47 -0500
Received-Date: Fri, 19 Feb 1999 09:03:47 -0500
Received: (from domo@localhost) by lists.village.virginia.edu (8.8.5/8.6.6) id IAA17284 for puptcrit-outgoing; Fri, 19 Feb 1999 08:55:08 -0500
X-Authentication-Warning: lists.village.virginia.edu: domo set sender to owner-puptcrit@localhost using -f
Received: (from spoons@localhost) by lists.village.virginia.edu (8.8.5/8.6.6) id IAA61054 for puptcrit@localhost; Fri, 19 Feb 1999 08:55:04 -0500
Received: from falcon.inetnebr.com (root [220.127.116.11]) by lists.village.virginia.edu (8.8.5/8.6.6) with ESMTP id VAA76363 for <puptcrit.edu>; Thu, 18 Feb 1999 21:58:43 -0500
Received: from blshayes (lin-pm4-010.inetnebr.com [18.104.22.168])
by falcon.inetnebr.com (8.8.8/8.8.8) with SMTP id UAA24545
for <puptcrit.edu>; Thu, 18 Feb 1999 20:58:39 -0600 (CST)
From: "Hayes Family" <BLSHAYES>
Subject: PUPT: Re: Happy99 Internet Worm
Date: Thu, 18 Feb 1999 20:53:29 -0600
X-Mailer: Microsoft Outlook Express 4.72.3115.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
I read the Happy99 postings with interest. Although I am 1/3 of the Hayes
puppeters, I also work as a local area network administrator for the
I do a fair amount of anti-virus work. The following comes from a note I
my colleagues this morning which may be of interest to you.
An Internet worm called Happy99 (a.k.a W32/SKA or SKA) is now riding
the Internet as an unauthorized e-mail or usenet newsgroup attachment. Over
years, I've taken great pains to tell folks that reading an e-mail message
cause your PC harm. It still won't. However, we've always said that
e-mail attachment is risky business. Users should ALWAYS avoid running any
attachment, no matter how much they may trust their e-mail buddies.
Happy99.exe is considered an Internet worm, because it travels between
machines via e-mail attachments and newsgroup postings. It arrives to a
via a uuencoded e-mail or newsgroup attachment, Happy99 infects a Windows 9x
box after its user extracts the happy99.exe program and then runs it. In
addition to infecting the user's machine, it also causes a great deal of
work for network administrators who may have to clean up infected e-mail
While running, the Happy99 attachment shows a firesworks display. Once
Happy99 attachment is run, the worm modifies the winsock32.dll file so it
monitor outgoing e-mail traffic. As each e-mail or newsgroup posting is
the worm attaches a uuencoded copy of happy99.exe to the outgoing message.
Here's a detailed breakdown of what Happy99 does to the infected box.
the infected attachment is run, the program copies itself as SKA.EXE. It
extracts a a dynamic link library (DLL) called SKA.DLL which it copies into
WINDOWS\SYSTEM directory. Happy99 then modifies WSOCK32.DLL in
WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL to a file
called WSOCK32.SKA. If a user is online when Happy99 tries to the
WSOCK32.DLL file, it adds the following "runonce" entry to the registry:
Runonce registry entries are commonly used by setup programs, allowing
setup program to contine once a machine has been rebooted. This approach
the worm to modify the WSOCK.32 file the next time Windows starts.
Additionally, the worm keeps a list of the addresses which received
infected messages in a file called liste.ska.
Here is the recommended way to manually remove the worm:
Delete WINDOWS\SYSTEM\SKA.EXE, then delete the WINDOWS\SYSTEM\SKA.DLL file.
Next, rename the the WINDOWS\SYSTEM\WSOCK32.DLL to WSOCK32.WRM and then
rename the WINDOWS\SYSTEM\WSOCK32.SKA file to WSOCK.DLL. You may then delete
the WSOCK32.WRM file. Finally, find and delete the downloaded file, usually
Bill, Laura, & Sarah Hayes