Remember: Never double-click (or open) ANY file, especially an email attachment, regardless of who sent it, until you first scan that file with your anti virus program.
The happy99.exe virus is of a type known as a "worm", that comes to you generally as an innocuous-seeming attachment in an email.
A worm hitches a ride with something legitimate, a file or a program. In this case the worm rides along in a file called happy99.exe. If you run this program, it opens a window entitled "Happy New Year 1999 !!" and shows a fireworks display. This is merely to disguise the worm's true actions.
When you open, or run, the file happy99.exe, the program (behind the scenes of the lame fireworks display) copies itself as ska.exe and extracts a DLL that it carries as ska.dll into the windows\system directory. It also modifies wsock32.dll in the windows\system directory and copies the original wsock32.dll into wsock32.ska. Wsock32.dll is a very important file, as it handles internet connectivity in Windows 95/98.
The modification to wsock32.dll allows the worm routine to be triggered when a connect (or send) activity is detected. When such online activity occurs, the modified code loads the worm's ska.dll. This ska.dll creates a new email (or a new newsgroup article) with Happy99.exe (uuencoded) inserted into the email (or article), as an attachment. It then sends this email (or posts the article).
If wsock32.dll is in use when the worm tries to modify it (that is, the user is "online"), the worm adds a registry entry:
The registry entry loads the worm the next time Windows starts.
So, what the worm is doing is replicating itself automatically from machine to machine. It does not damage any data or corrupt your files. But it does spread itself around.
A good AV program will find copies of happy99.exe and flag them for you for removal. However, Symantec says that you can clean things up manually if you don't have an anti virus program.
First of all use your file search to search your hard drive for any instance of: happy99.exe, ska.exe, ska.dll, or wsock32.ska. If you find any of these files (or already know that you opened up a lame fireworks display file that was sent to you), you need to follow these steps exactly:
But do inform any "carrier" so appropriate action can be taken. And even though it might be embarrassing, if you are the propagator of a virus, and discover it, notify everyone you may have infected as soon as possible. You may direct them to these pages, or copy and paste the info into your email.
Remember, it's up to us all to practice safe computing.
|§ home § about § news § misc. § art gallery § cabinets § web design § computer basics § compost § gourds § back pages § contact § links §|
|© 1998-2012 Rancho Mondo Productions (www.ranchomondo.com) All rights reserved.|