Re: Happy 99 removal please help i'm desperate

From: Bernd D. Ratsch (bernd@texas.net)
Date: Wed Mar 17 1999 - 17:00:24 EST


HAPPY99 travels on its own course and does not propagate as a virus on the host
machine, other than to send itself to others.
The original file HAPPY99.EXE was coded by a virus author known as "Spanska",
known for a number of viruses that infect PE type files. HAPPY99.EXE was
distributed onto newsgroup servers and other places. Users would run the file
and unknown to them, it would send out copies of the worm to anyone they sent
email to. It only works if the user is using an SMTP agent with their email.
When you run HAPPY99.EXE, it displays fireworks - a distraction - as it drops
SKA.EXE and SKA.DLL onto the hard drive. It then makes a backup copy of the
WSOCK32.DLL as WSOCK32.SKA. SKA.EXE hooks calls to SMTP mail and also newsgroup
posting by NNTP protocol. By hooking these calls, SKA.EXE can send itself again
as HAPPY99.EXE as an attachment to emails and posting to newsgroups.
Also HAPPY99 (W32/Ska) keeps a log of emails sent to users in a file called
"liste.ska".
Removal is more or less a manual process:
Boot to MS-DOS (WSOCK32.DLL cannot be changed under Windows)
REName WSOCK32.DLL to WSOCK32.BAD (or delete it)
REName WSOCK32.SKA to WSOCK32.DLL
DELete SKA.EXE, SKA.DLL, LISTE.SKA
The above is sufficient to stop the worm from working.
Restart Windows
The worm also creates the registry entry
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"
Using REGEDIT, you can delete this entry. If you don't, Windows will ignore it.

The RMSKA.EXE available on the AVERT Team Stand-alone page will perform the
above for you.

At 04:13 PM 3/17/99 -0500, you wrote:
>how do i get rid of this worm

Bernd D. Ratsch
Pflugerville, TX
bernd@texas.net
http://lonestar.texas.net/~bernd
1997 Dakota SLT-CC (3.9L)
License Plate Frame: "Don't Follow Me...I'm Trolling for Toyota's"
Song for the Day: "Gonna buy me a Dodge Truck and blow those Fords off the
road....."
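The file-level part of the cleanup Bernd describes (swap the worm's WSOCK32.SKA backup back into place, set the hooked WSOCK32.DLL aside, delete SKA.EXE, SKA.DLL and liste.ska) expressed as a small checker, added here as an illustration and not part of the original message or of the AVERT RMSKA.EXE tool. It is meant to be run against a test directory or an offline copy of a Windows system directory, since, as the message says, the live WSOCK32.DLL can only be replaced from MS-DOS. The sample directory layout and file contents are constructed for the demonstration; the RunOnce registry entry is left to REGEDIT as in the message.

```python
"""Assess and clean the W32/Ska (Happy99) file indicators listed in the message."""
import tempfile
from pathlib import Path

# Files the worm drops, per the message above.
DROPPED_FILES = ("SKA.EXE", "SKA.DLL", "LISTE.SKA")
WINSOCK = "WSOCK32.DLL"          # the library the worm hooks
WINSOCK_BACKUP = "WSOCK32.SKA"   # the worm's backup of the original library
WINSOCK_SET_ASIDE = "WSOCK32.BAD"  # name given to the hooked copy during cleanup


def find_case_insensitive(directory: Path, name: str):
    """Return the entry in `directory` whose name matches `name` ignoring case, or None."""
    for p in directory.iterdir():
        if p.name.upper() == name.upper():
            return p
    return None


def assess(system_dir) -> dict:
    """Report which Happy99 indicators are present; 'infected' is True if any are."""
    d = Path(system_dir)
    names = DROPPED_FILES + (WINSOCK_BACKUP, WINSOCK, WINSOCK_SET_ASIDE)
    found = {n: find_case_insensitive(d, n) is not None for n in names}
    found["infected"] = found[WINSOCK_BACKUP] or any(found[n] for n in DROPPED_FILES)
    return found


def clean(system_dir, apply=False) -> list:
    """Return the actions the cleanup would take as (verb, source, target) tuples.

    Nothing is changed unless apply=True (dry run by default).
    """
    d = Path(system_dir)
    actions = []
    backup = find_case_insensitive(d, WINSOCK_BACKUP)
    current = find_case_insensitive(d, WINSOCK)
    # Only swap the Winsock library when the worm's backup exists; renaming
    # WSOCK32.DLL without a backup would leave the machine with no Winsock at all.
    if backup is not None:
        if current is not None:
            actions.append(("rename", current.name, WINSOCK_SET_ASIDE))
            if apply:
                current.rename(d / WINSOCK_SET_ASIDE)
        actions.append(("rename", backup.name, WINSOCK))
        if apply:
            backup.rename(d / WINSOCK)
    for name in DROPPED_FILES:
        p = find_case_insensitive(d, name)
        if p is not None:
            actions.append(("delete", p.name, None))
            if apply:
                p.unlink()
    return actions


def build_sample() -> Path:
    """Create a constructed directory that mimics an infected system folder (test data only)."""
    d = Path(tempfile.mkdtemp(prefix="ska_sample_"))
    (d / "WSOCK32.DLL").write_bytes(b"hooked winsock (constructed)")
    (d / "WSOCK32.SKA").write_bytes(b"original winsock (constructed)")
    (d / "SKA.EXE").write_bytes(b"dropped (constructed)")
    (d / "SKA.DLL").write_bytes(b"dropped (constructed)")
    (d / "liste.ska").write_text("log of addresses (constructed)\n")
    return d


if __name__ == "__main__":
    sample = build_sample()
    print("before:", assess(sample))
    for action in clean(sample):            # dry run first
        print("would", *action)
    clean(sample, apply=True)
    print("after:", assess(sample))
```

The dry run is the useful part in practice: it shows exactly which files would be touched, and it refuses to move WSOCK32.DLL aside unless the worm's backup is there to take its place.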



This archive was generated by hypermail 2b29 : Fri Jun 20 2003 - 12:13:13 EDT