The worm that turned


Q Can you please help me to get rid of the happy99.exe virus? Why doesn't McAfee VirusScan 4.01 (4.0.4034) detect it when I know it is there? Help!

- Karl Bader

A Strictly speaking, happy99.exe is actually a worm, not a virus. A worm is a special type of virus that can replicate itself and occupy memory, but can't attach itself to other programs. Happy99.exe replicates by sending copies of itself to the Internet as attachments to e-mail messages and USENET news postings, and is one of the first modern Internet worms. It was discovered in Europe in January 1999, and is also known as W32/Ska, W32/Ska-Happy99, Happy99.Worm, Trojan.Happy99, I-Worm.Happy, Happy, or Happy99, although it usually appears as an attachment called happy99.exe. Your computer can only become infected with the Happy99 worm if you're running Windows 95 or 98, and you execute the happy99.exe file. If you have Windows NT, your PC is safe because happy99.exe can't spread via NT.

When the happy99.exe file is executed, it displays the message, "Happy New Year 1999!!" and then creates a fireworks display, similar to a screensaver. Behind the scenes however, it is busy copying itself into the windows\system directory as a file called ska.exe. Then it extracts, from within itself, a .dll file called ska.dll, and copies that into the windows\system directory too. Next, it makes a copy of wsock32.dll, which is responsible for Internet-connectivity in Windows 95 and 98, modifies it slightly, and renames it as wsock32.ska. Next time you go online, wsock32.dll is activated and triggers the worm by loading its ska.dll file, which monitors your e-mail (smtp) and news (nntp) ports. When it detects a connection, the worm creates and sends a new e-mail message or news article containing the happy99.exe file, without your knowledge. If you were online when you ran the happy99.exe file in the first place, the worm can't modify wsock32.dll, so it needs to remind itself to load next time you start Windows. It does this by editing your Registry so that it contains the entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

Most of the popular antivirus packages will delete happy99.exe, but you may have to upgrade your copy so that it is aware of the latest virus definitions. The current version of McAfee VirusScan for Windows 9x is 4.03a, and you can download the updated data files from www.mcafee.com/centers/download. It's also possible to manually remove the happy99 worm from your PC. To do this, disconnect your PC from the Internet, and follow these steps:

1. Delete windows\system\ska.exe.

2. Delete windows\system\ska.dll.

3. In the windows\system\ directory, rename wsock32.dll to wsock32.bak.

4. In the windows\system\ directory, rename wsock32.ska to wsock32.dll.

5. Delete the downloaded attachment, usually called happy99.exe.

It's always a good idea to practise safe computing. Don't execute programs from people you don't know, and never run any executable file attachment that comes via an e-mail message from an unknown source. If you receive the attachment called happy99.exe via e-mail, simply delete the mail and the attachment to keep your PC clean.

- Belinda Taylor
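
The manual removal steps above can be rehearsed as a dry run before touching anything. The following is an added example, not part of the original column: it inspects a windows\system directory (for instance on a mounted disk image) and returns the steps that apply, skipping the wsock32.dll swap when wsock32.ska is missing. The function names triage and demo, and the sample file lists, are constructed for illustration.

```python
import os
import tempfile

# File names come from the article. Matching is case-insensitive because
# Windows 95/98 file names are, and a mounted disk image may show any case.
DROPPED = ("ska.exe", "ska.dll")   # steps 1 and 2: delete
SAVED_WINSOCK = "wsock32.ska"      # step 4: renamed back to wsock32.dll

def triage(system_dir):
    """Return (findings, plan) for a windows\\system directory; changes nothing."""
    present = {name.lower(): name for name in os.listdir(system_dir)}
    findings = sorted(present[n] for n in DROPPED + (SAVED_WINSOCK,) if n in present)
    plan = [("delete", present[n]) for n in DROPPED if n in present]
    # If wsock32.ska is absent, leave wsock32.dll alone: renaming it to .bak
    # with nothing to put in its place would remove the Winsock library.
    # Assumption: this state is possible when the worm was run while online
    # and has so far only written its RunOnce entry.
    if SAVED_WINSOCK in present:
        if "wsock32.dll" in present:
            plan.append(("rename", present["wsock32.dll"], "wsock32.bak"))
        plan.append(("rename", present[SAVED_WINSOCK], "wsock32.dll"))
    return findings, plan

def demo(names):
    """Build a constructed sample directory of empty files and triage it."""
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            open(os.path.join(d, name), "w").close()
        return triage(d)

if __name__ == "__main__":
    # Constructed samples: a fully installed infection, then one where the
    # Winsock swap has not happened yet.
    for sample in (["SKA.EXE", "Ska.dll", "WSOCK32.DLL", "WSOCK32.SKA", "USER.EXE"],
                   ["SKA.EXE", "WSOCK32.DLL"]):
        found, plan = demo(sample)
        print(found)
        for step in plan:
            print("  ", step)
```

An empty plan with empty findings means none of the three files named in the article are present in that directory; the RunOnce registry entry is not checked by this example.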


Category:win9x, antivirus
Issue: November 1999

These Web pages are produced by Australian PC World © 1999 IDG Communications