Happy99 is a Win32-based Trojan program. When this program is executed it displays some fireworks. Apart from the fireworks display, it carries out other activity in the background without the user's permission. It creates two files, SKA.EXE and SKA.DLL. It alters WSOCK32.DLL to put its code into that file and keeps the original file as WSOCK32.SKA. It cannot modify the WSOCK32.DLL file if it is in use. In such a case the program adds an entry to the Windows Registry to run SKA.EXE the next time the computer is booted so that it can make these modifications. The size of this trojan file is 10000 bytes.
This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. However, it could overload an e-mail server if a lot of copies get passed around. Also, since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. This virus does not affect Macs, DOS, or Windows 3.x.
You will not get infected by Happy99 merely by downloading the trojan file. You will have to execute it to get infected.
The modified WSOCK32.DLL has routines to detect the email and newsgroup postings made by the user. It will send a copy of the SKA.EXE file renamed as happy99.exe to every user or newsgroup to whom the user has sent an email. Each recipient will get the email only once and the trojan will not send repeat email to the same user. It will send a separate email retaining the subject of the first email with the file as an attachment. The trojan also maintains the file LISTE.SKA which contains the list of all email addresses and newsgroups to which this file has been sent. The unique function of this trojan is that it can spread on its own.
Happy99 first appeared in January 1999 and it is reported to have affected a lot of users.
Other names of happy99:
This trojan is also known as win32.ska.a, ska, wsock32.ska and ska.exe.
What is happy99? Trojan, Virus or Worm?
This program can only be classified as a Trojan. It is not a virus as it does not replicate itself. It does not attach itself to any other file or program. It is also not a worm: even though it can spread on its own, it needs to be executed to get control. A worm is capable of spreading and infecting the target computer on its own. Happy99/Ska is a trojan with the capability to distribute itself.
Removing happy99 from your computer:
You can remove this trojan manually from your computer. To do that, first check the WINDOWS\SYSTEM folder for the presence of these files.
1. SKA.EXE
2. SKA.DLL
3. WSOCK32.SKA
If you find these files then you have been attacked by the Happy99 Trojan. To remove this trojan do the following:
1. Delete SKA.EXE, SKA.DLL and WSOCK32.DLL
2. Rename WSOCK32.SKA as WSOCK32.DLL
Make sure that you have the WSOCK32.SKA file before deleting WSOCK32.DLL and ensure that you have renamed this file properly. You may have to close your Browser, Email software, etc. to delete and rename the DLL files.
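The check and removal steps above, written as a small Python script (an added example, not part of the original article). The function names and status strings are assumptions made for illustration, and the folder to inspect is passed in by the caller.

```python
import os
import tempfile

# File names the page lists as signs of Happy99 in WINDOWS\SYSTEM.
INDICATORS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")


def find_files(system_dir):
    """Map upper-cased name -> real path, since Windows names ignore case."""
    return {n.upper(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}


def check(system_dir):
    """Return which of the Happy99 files are present in system_dir."""
    present = find_files(system_dir)
    return [n for n in INDICATORS if n in present]


def remove(system_dir):
    """Apply the removal steps above; return 'cleaned', 'no-backup' or 'in-use'."""
    present = find_files(system_dir)
    backup = present.get("WSOCK32.SKA")
    if backup is None:
        # Never delete WSOCK32.DLL unless the original copy exists to restore.
        return "no-backup"
    try:
        for name in ("SKA.EXE", "SKA.DLL", "WSOCK32.DLL"):
            if name in present:
                os.remove(present[name])
        os.rename(backup, os.path.join(system_dir, "WSOCK32.DLL"))
    except PermissionError:
        # A DLL is in use: close the browser and e-mail software, then rerun.
        return "in-use"
    return "cleaned"


if __name__ == "__main__":
    # Constructed sample folder standing in for WINDOWS\SYSTEM.
    demo = tempfile.mkdtemp()
    for name in ("ska.exe", "SKA.DLL", "WSOCK32.DLL", "WSOCK32.SKA"):
        with open(os.path.join(demo, name), "wb") as fh:
            fh.write(name.encode())
    print(check(demo), remove(demo), sorted(os.listdir(demo)))
```

A result of "in-use" can leave the folder partly cleaned; rerunning after closing the programs that hold the DLL finishes the remaining steps.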