The Happy99 Internet Worm

What is it

  • Happy99.exe was first identified around mid-January 1999 and is now traveling across the Internet via e-mail attachments and newsgroup postings.
    The worm modifies e-mails and newsgroup postings by adding unauthorized attachments without the computer user's knowledge. As a side-effect, it can also create network slowdowns and, in a worst-case scenario, even crash corporate e-mail servers.
    While the computer worm does not destroy or alter files or otherwise cripple computers and networks, it creates a time- and energy-consuming nuisance to network administrators.

More Details

  • Happy99.exe is classified as a computer worm for its ability for self-replication. It arrives to a computer via an e-mail or newsgroup attachment, infecting machines that run the attachment. If the computer user runs the unauthorized attachment, Happy99.exe puts up an attractive fireworks display, which the computer user might mistake for a good-looking accessory to the message.
    However, while the fireworks burst on-screen, the computer worm modifies the winsock32.dll file in order to monitor what e-mails and postings are made from the machine. All Internet access goes through the wsock32.dll file.
    Afterwards, Happy99.exe spams the newsgroup or e-mail recipient with copies of itself any time the computer user tries to send a message across cyberspace.

Who is affected

  • The computer worm works on Windows 95 and 98 platforms.

How to remove the Happy99.exe Virus

  • Steps marked optional are not absolutely necessary and are completely safe to skip if you want to.
    • Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes.
    • At the DOS prompt type this exactly and press enter at the end of each line:
      CD \WINDOWS\SYSTEM
      Thereafter your DOS prompt should say: C:\WINDOWS\SYSTEM
      If your Windows folder is not called WINDOWS then substitute the name of your Windows folder instead, for example: CD \WIN95\SYSTEM
    • Delete SKA.EXE and SKA.DLL by typing DEL SKA.EXE DEL SKA.DLL
      If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly.
    • Copy WSOCK32.SKA to WSOCK32.DLL by typing COPY WSOCK32.SKA WSOCK32.DLL
      Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
      Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL made by the virus. You are replacing the modified DLL with the original.
    • Optional. Delete WSOCK32.SKA by typing DEL WSOCK32.SKA You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL
    • Return to Windows by typing EXIT
    • Optional. Click Start Button, then Run, then type regedit in the text box, then click OK. Now click the following in order: HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion.
      Under RunOnce check for SKA.EXE and select it if it is there. Press delete and then click Yes. Close Regedit. Don't change anything else without making a backup of the registry first.
      If you don't find SKA.EXE in the registry, it doesn't mean you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it.
    • Optional. Choose Start, Programs, Accessories, Notepad, choose File, then Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the people on the list, then delete LISTE.SKA.