[alberg30] Directions to cure for happy 99 virus

Marianne King-Wilson addvalue at zeuter.com
Wed Nov 1 21:35:45 PST 2000


Owen, you can go to
http://www.symantec.com/avcenter/venc/data/happy99.worm.html
or
The cure they recommend is shown below.

Best of luck!
Marianne King-Wilson
Windward 369

                  When executed, the infected program opens a window
                  entitled "Happy New Year 1999 !!" and shows a
                  firework display to disguise its installation. This worm
                  sends itself to other users when the infected computer
                  is online.

                  Also known as: Trojan.Happy99, I-Worm.Happy,
                  W32.Ska, Happy00

                  Category: Worm

                  Infection length: 10,000 bytes

                  Virus definitions: January 28, 1999

                  Threat assessment:

                       Damage: LOW
                       Distribution: HIGH
                       Wild: HIGH

                  Wild

                       Number of infections: More than 1000
                       Number of sites: More than 10
                       Geographic distribution: High
                       Threat containment: High
                       Removal: Medium

                  Damage

                       Payload: The worm sends itself to other users
                       when the infected system sends email or posts to
                       a newsgroup.
                       Payload Trigger: Online connection allows the
                       worm to propagate.

                           Large scale emailing: The happy99.exe file
                           is attached as a separate email sent in
                           conjunction with an outgoing email.
                           Modifies files: WSOCK32.DLL

                  Distribution

                       Name of attachment: Happy99.exe, Happy00.exe
                       Size of attachment: 10,000 bytes

                  Technical description

                  HAPPY99.EXE is a worm program, not a virus. This
                  program has reportedly been received through email
                  spamming and USENET newsgroup posting. The file is
                  usually named HAPPY99.EXE and appears as an
                  attachment to an email or article.

                  When executed, the program opens a window entitled
                  "Happy New Year 1999 !!" and shows a fireworks
                  display to disguise its other actions. The program
                  copies itself as SKA.EXE and extracts a DLL that it
                  carries as SKA.DLL into the WINDOWS\SYSTEM
                  directory. It also modifies WSOCK32.DLL in
                  WINDOWS\SYSTEM directory and copies the original
                  WSOCK32.DLL into WSOCK32.SKA.

                  WSOCK32.DLL handles internet connectivity in
                  Windows 95 and 98. The modification to
                  WSOCK32.DLL allows the worm routine to be
                  triggered when a connect or send activity is detected.
                  When such online activity occurs, the modified code
                  loads the worm's SKA.DLL. This SKA.DLL creates a
                  new email or a new article with UUENCODED
                  HAPPY99.EXE inserted into the email or article. It then
                  sends this email or posts this article.

                  If WSOCK32.DLL is in use when the worm tries to
                  modify it (i.e., a user is online), the worm adds a
                  registry entry:

                  HKEY_LOCAL_MACHINE\Software\Microsoft\
                  Windows\CurrentVersion\RunOnce=SKA.EXE

                  The registry entry loads the worm the next time
                  Windows starts.

                  Removal:

                  Click here to download the Happy99.Worm removal
                  tool

                  Manual removal:

                  All file renaming and deletions can be performed via
                  Windows Explorer.

                    1. Delete WINDOWS\SYSTEM\SKA.EXE.
                    2. Delete WINDOWS\SYSTEM\SKA.DLL.
                    3. In the WINDOWS\SYSTEM\ directory, rename
                       WSOCK32.DLL to WSOCK32.BAK.
                    4. In the WINDOWS\SYSTEM\ directory, rename
                       WSOCK32.SKA to WSOCK32.DLL.
                    5. Delete the downloaded file, usually named
                       HAPPY99.EXE.

                  Windows prevents you from doing steps 3 and 4 above
                  if the machine is still connected to the Internet. The
                  file "windows\system\wsock32.dll" is used whenever the
                  machine is connected to the Internet (through dial-up or
                  LAN connection).

                  If you are using dial-up connection (i.e. America
                  Online), you need to do the following:

                    1. Terminate internet connection.
                    2. Delete WINDOWS\SYSTEM\SKA.EXE.
                    3. Delete WINDOWS\SYSTEM\SKA.DLL.
                    4. In the WINDOWS\SYSTEM\ directory, rename
                       WSOCK32.DLL to WSOCK32.BAK.
                    5. In the WINDOWS\SYSTEM\ directory, rename
                       WSOCK32.SKA to WSOCK32.DLL.
                    6. Delete the downloaded file, usually named
                       HAPPY99.EXE.

                  If you are connected to Internet through LAN (i.e. in
                  the office or cable modem), you need to do the
                  following:

                    1. On the Windows taskbar, click START > Shut
                       Down > Restart in DOS mode.
                    2. At the DOS prompt type CD\windows\system.
                    3. Type RENAME WSOCK32.DLL
                       WSOCK32.BAK.
                    4. Type RENAME WSOCK32.SKA
                       WSOCK32.DLL.
                    5. Type DEL SKA.EXE.
                    6. Type DEL SKA.DLL.





owen m tm truitt wrote:
Looks as if my laptop's caught that virus also -
 PERDIDA, #456
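
The file artifacts and manual-removal steps in the advisory quoted above, turned into a triage check for a mounted copy of the affected drive. This is an added example, not part of the original message or of Symantec's advisory; the function names, the directory layout under `root`, and the "MANUAL REVIEW" guard for a missing WSOCK32.SKA are assumptions.

```python
import os
import tempfile

# Artifact names come from the advisory quoted above; everything else is assumed.
SYSTEM_DIR = ("WINDOWS", "SYSTEM")
DROPPED = ("SKA.EXE", "SKA.DLL")             # worm copy and the DLL it extracts
BACKUP, LIVE = "WSOCK32.SKA", "WSOCK32.DLL"  # original saved by worm / patched file


def find_ci(parent, name):
    """Resolve name inside parent ignoring case (FAT file names vary in case)."""
    if not os.path.isdir(parent):
        return None
    for entry in os.listdir(parent):
        if entry.upper() == name.upper():
            return os.path.join(parent, entry)
    return None


def triage(root):
    """Return (findings, plan) for a mounted copy of the Windows drive at root."""
    sysdir = root
    for part in SYSTEM_DIR:
        sysdir = find_ci(sysdir, part) if sysdir else None
    if sysdir is None:
        return [], []
    findings = [n for n in DROPPED + (BACKUP,) if find_ci(sysdir, n)]
    plan = ["DEL " + n for n in DROPPED if n in findings]
    if BACKUP in findings:
        # Swap the DLL only when the worm's backup of the original exists.
        if find_ci(sysdir, LIVE):
            plan.append("RENAME WSOCK32.DLL WSOCK32.BAK")
        plan.append("RENAME WSOCK32.SKA WSOCK32.DLL")
    elif findings:
        plan.append("MANUAL REVIEW: WSOCK32.SKA missing, do not rename WSOCK32.DLL")
    return findings, plan


def demo():
    """Triage a constructed directory tree of empty files (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "Windows", "System")
        os.makedirs(sysdir)
        for name in ("Ska.exe", "ska.dll", "wsock32.dll", "Wsock32.ska"):
            open(os.path.join(sysdir, name), "w").close()
        return triage(root)


if __name__ == "__main__":
    for step in demo()[1]:
        print(step)
```

The plan only names the steps; per the advisory, the renames have to be carried out while the machine is offline or from DOS mode.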



