The Happy99 Internet Worm
What is it
- Happy99.exe was first identified around mid-January 1999 and is now
traveling across the Internet via e-mail attachments and newsgroup postings.
The worm modifies e-mails and newsgroup postings by adding unauthorized
attachments without the computer user's knowledge. As a side-effect, it can also
create network slowdowns and, in a worst-case scenario, even crash corporate
While the computer worm does not destroy or alter files or otherwise cripple
computers and networks, it creates a time- and energy-consuming nuisance to
- Happy99.exe is classified as a computer worm for its ability for self-replication.
It arrives to a computer via an e-mail or newsgroup attachment, infecting machines
that run the attachment. If the computer user runs the unauthorized attachment,
Happy99.exe puts up an attractive fireworks display, which the computer user might
mistake for a good-looking accessory to the message.
However, while the fireworks burst on-screen, the computer worm modifies the
winsock32.dll file in order to monitor what e-mails and postings are made from the
machine. All Internet access goes through the wsock32.dll file.
Afterwards, Happy99.exe spams the newsgroup or e-mail recipient with copies of
itself any time the computer user tries to send a message across cyberspace.
Who is affected
- The computer worm works on Windows 95 and 98 platforms.
How to remove the Happy99.exe Virus
- Steps marked optional are not absolutely necessary and are completely safe to
skip if you want to.
- Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then
- At the DOS prompt type this exactly and press enter at the
end of each line:
Thereafter your DOS prompt should say: C:\WINDOWS\SYSTEM
If your Windows folder is not called WINDOWS then substitute the
name of your Windows folder instead, for example: CD \WIN95\SYSTEM
- Delete SKA.EXE and SKA.DLL by typing DEL SKA.EXE DEL SKA.DLL
If you get "File not found" you're either not infected or in the
wrong directory. Make sure you're in your Windows System directory; check to
see if you followed step 2 exactly.
- Copy WSOCK32.SKA to WSOCK32.DLL by typing COPY WSOCK32.SKA WSOCK32.DLL
Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL made by the
virus. You are replacing the modified DLL with the original.
- Optional. Delete WSOCK32.SKA by typing DEL WSOCK32.SKA You can leave
WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL
- Return to Windows by typing EXIT
- Optional. Click Start Button, then Run, then type regedit in the text box,
then click OK. Now click the following in order: HKEY_LOCAL_MACHINE,
then Software, then Microsoft, then Windows, then CurrentVersion.
Under RunOnce check for SKA.EXE and select it if it is there.
Press delete and then click Yes. Close Regedit. Don't change anything else
without making a backup of the registry first.
If you don't find SKA.EXE in the registry, it doesn't mean
you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is
unable to modify WSOCK32.DLL when you run it.
- Optional. Choose Start, Programs, Accessories, Notepad, choose File, then
Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the
people on the list, then delete LISTE.SKA.