Staten Island Web logo



Just want to let everyone know about the 99worm. It's not a virus, but an insidious worm that doesn't do a lot of damage. The problem is that once you have it, it get sent out to everyone you e-mail (without you knowing it.

Below is the profile from Norton's anti-virus encyclopedia. It also tells how to eradicate it, or as it's called at our house, how to kill the worm!

mimi


Happy99.Worm
VirusName:
Happy99.Worm
Aliases:

Trojan.Happy99, I-Worm.Happy
Likelihood:
Common
Region Reported:
World Wide
Characteristics:
Trojan Horse, Worm



Description:

This is a worm program, NOT a virus. This program has reportedly been received through email
spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or
article attachment.

When being executed, the program also opens a window entitled "Happy New Year 1999 !!"
showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and
extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies
WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into
WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to
WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is
detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This
SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into
the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a
registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows start.


Removing the worm manually:

1.delete WINDOWS\SYSTEM\SKA.EXE
2.delete WINDOWS\SYSTEM\SKA.DLL
3.in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
4.in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
5.delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you to do step #3 and #4 above if the machine is still connected to the Internet.
The file "windows\system\wsock32.dll" is used whenever the machine is connected to Internet (i.e.
through dial-up or LAN connection).


If you are using dial-up connection (i.e. America Online), you need to do the following:

1.terminate internet connection
2.delete WINDOWS\SYSTEM\SKA.EXE
3.delete WINDOWS\SYSTEM\SKA.DLL
4.in WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
5.in WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
6.delete the downloaded file, usually named HAPPY99.EXE


If you are connected to Internet through LAN (i.e. in the office or cable modem), you need
to do the following:

1.From the Start menu, select shutdown-restart in MS DOS mode
2.type CD \windows\system when DOS C:\)appears
3.type RENAME WSOCK32.DLL WSOCK32.BAK
4.type RENAME WSOCK32.SKA WSOCK32.DLL
5.type DEL SKA.EXE
6.type DEL SKA.DLL


Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice safe
computing. One should not execute any executable-file attachment (EXE, SHS, MS Word or
MS Excel file) that comes from an email or a newsgroup article from an untrusted source.

Norton AntiVirus users can protect themselves from this virus by downloading the current virus
definitions either through LiveUpdate or from the following webpage:

http://www.symantec.com/avcenter/download.html

Write-up by: Raul K. Elnitiarta
March 2, 1999



Staten Island WebŪ Forums Index.