[alberg30] Directions to cure for happy 99 virus
Marianne King-Wilson
addvalue at zeuter.com
Wed Nov 1 21:35:45 PST 2000
Owen, you can go to
http://www.symantec.com/avcenter/venc/data/happy99.worm.html
or
The cure they recommend is shown below.
Best of luck!
Marianne King-Wilson
Windward 369
When executed, the infected program opens a window
entitled "Happy New Year 1999 !!" and shows a
firework display to disguise its installation. This worm
sends itself to other users when the infected computer
is online.
Also known as: Trojan.Happy99, I-Worm.Happy,
W32.Ska, Happy00
Category: Worm
Infection length: 10,000 bytes
Virus definitions: January 28, 1999
Threat assessment:
Damage: LOW
Distribution: HIGH
Wild: HIGH
Wild
Number of infections: More than 1000
Number of sites: More than 10
Geographic distribution: High
Threat containment: High
Removal: Medium
Damage
Payload: The worm sends itself to other users
when the infected system sends email or posts to
a newsgroup.
Payload Trigger: Online connection allows the
worm to propagate.
Large scale emailing: The happy99.exe file
is attached as a separate email sent in
conjunction with an outgoing email.
Modifies files: WSOCK32.DLL
Distribution
Name of attachment: Happy99.exe, Happy00.exe
Size of attachment: 10,000 bytes
Technical description
HAPPY99.EXE is a worm program, not a virus. This
program has reportedly been received through email
spamming and USENET newsgroup posting. The file is
usually named HAPPY99.EXE and appears as an
attachment to an email or article.
When executed, the program opens a window entitled
"Happy New Year 1999 !!" and shows a fireworks
display to disguise its other actions. The program
copies itself as SKA.EXE and extracts a DLL that it
carries as SKA.DLL into the WINDOWS\SYSTEM
directory. It also modifies WSOCK32.DLL in the
WINDOWS\SYSTEM directory and copies the original
WSOCK32.DLL into WSOCK32.SKA.
WSOCK32.DLL handles internet connectivity in
Windows 95 and 98. The modification to
WSOCK32.DLL allows the worm routine to be
triggered when a connect or send activity is detected.
When such online activity occurs, the modified code
loads the worm's SKA.DLL. This SKA.DLL creates a
new email or a new article with UUENCODED
HAPPY99.EXE inserted into the email or article. It then
sends this email or posts this article.
If WSOCK32.DLL is in use when the worm tries to
modify it (i.e., a user is online), the worm adds a
registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The registry entry loads the worm the next time
Windows starts.
Removal:
Click here to download the Happy99.Worm removal
tool
Manual removal:
All file renaming and deletions can be performed via
Windows Explorer.
1. Delete WINDOWS\SYSTEM\SKA.EXE.
2. Delete WINDOWS\SYSTEM\SKA.DLL.
3. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK.
4. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL.
5. Delete the downloaded file, usually named HAPPY99.EXE.
Windows prevents you from doing steps 3 and 4 above
if the machine is still connected to the Internet. The
file "windows\system\wsock32.dll" is used whenever the
machine is connected to the Internet (through dial-up or
LAN connection).
If you are using a dial-up connection (i.e. America
Online), you need to do the following:
1. Terminate internet connection.
2. Delete WINDOWS\SYSTEM\SKA.EXE.
3. Delete WINDOWS\SYSTEM\SKA.DLL.
4. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK.
5. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL.
6. Delete the downloaded file, usually named HAPPY99.EXE.
If you are connected to the Internet through a
LAN (i.e. in the office or cable modem), you need to do the
following:
1. On the Windows taskbar, click START > Shut Down > Restart in DOS mode.
2. At the DOS prompt type CD\windows\system.
3. Type RENAME WSOCK32.DLL WSOCK32.BAK.
4. Type RENAME WSOCK32.SKA WSOCK32.DLL.
5. Type DEL SKA.EXE.
6. Type DEL SKA.DLL.
owen m tm truitt wrote:
Looks as if my laptop's caught that virus also -
PERDIDA, #456
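
The manual-removal steps above, expressed as a read-only check (an added example, not part of the original message or of the Symantec write-up): it scans a copy of WINDOWS\SYSTEM, for instance from a mounted disk image, for the files the advisory names and returns the steps that apply. The function names, the "review" action for a missing WSOCK32.SKA, and the sample directory are assumptions constructed here.

```python
import os
import tempfile

# File names taken from the advisory text; matching is case-insensitive
# because Windows 9x file names are.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP = "WSOCK32.SKA"      # original WSOCK32.DLL saved by the worm
PATCHED = "WSOCK32.DLL"     # copy the worm modifies


def scan_system_dir(system_dir):
    """Return the advisory's artifacts found in system_dir, keyed by upper-case name."""
    present = {name.upper(): name for name in os.listdir(system_dir)}
    wanted = WORM_FILES + (BACKUP, PATCHED)
    return {n: os.path.join(system_dir, present[n]) for n in wanted if n in present}


def removal_plan(found):
    """Map scan results to the advisory's manual steps, as (action, source, target)."""
    plan = [("delete", found[n], None) for n in WORM_FILES if n in found]
    if BACKUP in found:
        d = os.path.dirname(found[BACKUP])
        if PATCHED in found:
            plan.append(("rename", found[PATCHED], os.path.join(d, "WSOCK32.BAK")))
        plan.append(("rename", found[BACKUP], os.path.join(d, "WSOCK32.DLL")))
    elif any(n in found for n in WORM_FILES):
        # Assumption (not from the advisory): with no WSOCK32.SKA there is no
        # original to restore, so the DLL is left in place and flagged instead.
        plan.append(("review", found.get(PATCHED), None))
    return plan


def demo():
    """Build a constructed, empty-file SYSTEM directory and plan against it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Ska.exe", "SKA.DLL", "wsock32.dll", "WSOCK32.SKA", "KERNEL32.DLL"):
            open(os.path.join(d, name), "wb").close()
        return [(a, os.path.basename(s), t and os.path.basename(t))
                for a, s, t in removal_plan(scan_system_dir(d))]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The plan only lists actions; it does not touch the RunOnce registry entry or the downloaded HAPPY99.EXE, which the advisory handles separately.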