Getting rid of that Worm: Happy.exe
Happy.exe
Folks, you need to be VERY careful about attachments you receive
from unknown emailers. The most recent problem is called
HAPPY.EXE or Happy99.exe.... or some such. When you see ".exe" at
the end of the name of a file you received as an attachment, DON'T
execute it!!!! If a friend is sending you a program, make sure what
you have is what they sent! Even so, run your virus scanner before
opening it. Programs like this are called "worms".
Happy????? itself, and how to kill it!
This is a worm program, NOT a virus. This program has reportedly been
received through email spamming and USENET newsgroup postings. The file
is usually named HAPPY99.EXE in the email or article attachment.
When executed, the program opens a window entitled "Happy New Year
1999 !!" showing a fireworks display to disguise its other actions.
The program copies itself as SKA.EXE and extracts a DLL that it
carries, SKA.DLL, into the WINDOWS\SYSTEM directory. It also modifies
WSOCK32.DLL in the WINDOWS\SYSTEM directory and copies the original
WSOCK32.DLL to WSOCK32.SKA.
WSOCK32.DLL handles Internet connectivity in Windows 95 and 98. The
modification to WSOCK32.DLL allows the worm routine to be triggered
when a connect or send activity is detected. When such online activity
occurs, the modified code loads the worm's SKA.DLL. SKA.DLL creates a
new email message or a new news article with a UUENCODED copy of
HAPPY99.EXE inserted into it, and then sends the email or posts the
article.
If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user
is online), the worm adds a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
The registry entry loads the worm the next time Windows starts.
Removing the worm manually:
1. Delete WINDOWS\SYSTEM\SKA.EXE
2. Delete WINDOWS\SYSTEM\SKA.DLL
3. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
4. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
5. Delete the downloaded file, usually named HAPPY99.EXE
Windows will not let you do steps #3 and #4 above while the machine is
still connected to the Internet, because the file
"windows\system\wsock32.dll" is in use whenever the machine is
connected to the Internet (through a dial-up or LAN connection).
If you are using a dial-up connection (e.g. America Online), you need
to do the following:
1. Terminate the Internet connection
2. Delete WINDOWS\SYSTEM\SKA.EXE
3. Delete WINDOWS\SYSTEM\SKA.DLL
4. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
5. In the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
6. Delete the downloaded file, usually named HAPPY99.EXE
If you are connected to the Internet through a LAN (e.g. in the office
or via a cable modem), you need to do the following:
1. From the Start menu, select Shut Down, then "Restart in MS-DOS mode"
2. When the DOS prompt (C:\) appears, type CD \WINDOWS\SYSTEM
3. Type RENAME WSOCK32.DLL WSOCK32.BAK
4. Type RENAME WSOCK32.SKA WSOCK32.DLL
5. Type DEL SKA.EXE
6. Type DEL SKA.DLL
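The LAN procedure above as a batch file, added here as an example and not part of the original page: run it after restarting in MS-DOS mode, and it performs the rename and delete steps with checks so that a clean machine, or one where the worm's saved copy WSOCK32.SKA is missing, does not lose its working WSOCK32.DLL. It assumes Windows is installed in C:\WINDOWS; it does not edit the registry, since the RunOnce entry described above only points at the SKA.EXE that the script deletes.

```batch
@echo off
rem Constructed example: Happy99 cleanup for a machine that has just been
rem restarted in MS-DOS mode, so WSOCK32.DLL is no longer in use.
rem Assumes Windows is installed in C:\WINDOWS (adjust the path if not).
C:
cd \WINDOWS\SYSTEM
rem Only swap the libraries back if the worm's copy of the original exists.
rem Otherwise there is nothing to restore and WSOCK32.DLL must stay as it is.
if not exist WSOCK32.SKA goto noska
if not exist WSOCK32.DLL goto nodll
if exist WSOCK32.BAK goto bakexists
rem Keep the modified library as WSOCK32.BAK, then put the original back.
ren WSOCK32.DLL WSOCK32.BAK
ren WSOCK32.SKA WSOCK32.DLL
echo WSOCK32.DLL restored from WSOCK32.SKA. Modified copy kept as WSOCK32.BAK.
goto clean
:noska
echo WSOCK32.SKA not found, so WSOCK32.DLL was left untouched.
goto clean
:nodll
echo WSOCK32.DLL is missing. Rename WSOCK32.SKA to WSOCK32.DLL by hand.
goto clean
:bakexists
echo WSOCK32.BAK already exists. Move it aside, then run this again.
goto clean
:clean
rem Remove the worm's own files if present. DEL on a missing file would only
rem print an error, but the checks keep the output readable.
if exist SKA.EXE del SKA.EXE
if exist SKA.DLL del SKA.DLL
echo SKA.EXE and SKA.DLL have been removed if they were present.
echo Remember to delete the downloaded HAPPY99.EXE from wherever it was saved.
```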
© 1999-2002 Fianna Web Team
Last modified Monday, 10-Sep-2018 17:03:13 MDT
This page hosted by Rootsweb