Happy99


Remember: Never double-click (or open) ANY file, especially an email attachment, regardless of who sent it, until you first scan that file with your anti virus program.

The happy99.exe virus is of a type known as a "worm", which generally comes to you as an innocuous-seeming attachment in an email.

A worm hitches a ride with something legitimate, a file or a program.  In this case the worm rides along in a file called happy99.exe.  If you run this program, it opens a window entitled "Happy New Year 1999 !!" and shows a fireworks display.  This is merely to disguise the worm's true actions.

When you open, or run, the file happy99.exe, the program (behind the scenes of the lame fireworks display) copies itself as ska.exe and extracts a DLL that it carries as ska.dll into the windows\system directory.  It also modifies wsock32.dll in the windows\system directory and copies the original wsock32.dll into wsock32.ska.  Wsock32.dll is a very important file, as it handles internet connectivity in Windows 95/98.

The modification to wsock32.dll allows the worm routine to be triggered when a connect (or send) activity is detected.  When such online activity occurs, the modified code loads the worm's ska.dll.  This ska.dll creates a new email (or a new newsgroup article) with Happy99.exe (uuencoded) inserted into the email (or article), as an attachment.  It then sends this email (or posts the article).

If wsock32.dll is in use when the worm tries to modify it (that is, the user is "online"), the worm adds a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The registry entry loads the worm the next time Windows starts.

So, what the worm is doing is replicating itself automatically from machine to machine.  It does not damage any data or corrupt your files.  But it does spread itself around.





If Infected

A good AV program will find copies of happy99.exe and flag them for you for removal.  However, Symantec says that you can clean things up manually if you don't have an anti virus program.

First of all use your file search to search your hard drive for any instance of: happy99.exe, ska.exe, ska.dll, or wsock32.ska.  If you find any of these files (or already know that you opened up a lame fireworks display file that was sent to you), you need to follow these steps exactly:
  1.)  delete windows\system\ska.exe
  2.)  delete windows\system\ska.dll
  3.)  replace windows\system\wsock32.dll with windows\system\wsock32.ska (by simply renaming it back to its original name, wsock32.dll)
  4.)  delete the downloaded file, usually named happy99.exe.
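
The file search and the four steps above can also be written as a read-only check. The following Python script is an added example, not part of the original page or of Symantec's instructions; it only lists the actions that apply and changes nothing, and its function names and the constructed test directory are assumptions.

```python
import os
import tempfile

# File names the page lists as signs of Happy99; matched case-insensitively.
INDICATORS = ("happy99.exe", "ska.exe", "ska.dll", "wsock32.ska")


def find_indicators(root):
    """Walk root and return {indicator_name: [full paths]} for every match."""
    hits = {name: [] for name in INDICATORS}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()
            if key in hits:
                hits[key].append(os.path.join(dirpath, fname))
    return hits


def removal_plan(hits):
    """Turn the hits into the page's four steps, in the page's order."""
    plan = []
    for name in ("ska.exe", "ska.dll"):                    # steps 1 and 2
        plan += [("delete", p) for p in hits[name]]
    for backup in hits["wsock32.ska"]:                     # step 3
        target = os.path.join(os.path.dirname(backup), "wsock32.dll")
        plan.append(("rename", backup + " -> " + target))
    if (hits["ska.exe"] or hits["ska.dll"]) and not hits["wsock32.ska"]:
        # Worm files present but no saved original: step 3 cannot be applied.
        plan.append(("manual", "no wsock32.ska found; cannot restore by renaming"))
    plan += [("delete", p) for p in hits["happy99.exe"]]   # step 4
    return plan


def demo():
    """Build a constructed directory tree (empty files) and plan its cleanup."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "windows", "system")
        inbox = os.path.join(root, "download")
        os.makedirs(system)
        os.makedirs(inbox)
        for d, f in [(system, "SKA.EXE"), (system, "Ska.dll"),
                     (system, "WSOCK32.SKA"), (system, "wsock32.dll"),
                     (inbox, "Happy99.exe")]:
            open(os.path.join(d, f), "w").close()
        return [action for action, _ in removal_plan(find_indicators(root))]


if __name__ == "__main__":
    print(demo())
```
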
If you receive a message fitting this description, simply don't open the happy99.exe attachment.  If there is any text, you can read your message, then delete the offending email with its attachment.  You should then advise the sender that they have been infected.  Don't be hostile: anyone is subject to malicious virus infection, and is often quite unaware that they are infecting others.

But do inform any "carrier" so appropriate action can be taken.  And even though it might be embarrassing, if you are the propagator of a virus, and discover it, notify everyone you may have infected as soon as possible.  You may direct them to these pages, or copy and paste the info into your email.

Remember, it's up to us all to practice safe computing.



©  1998-2006 Rancho Mondo Productions  (www.ranchomondo.com)   All rights reserved.