University of Minnesota Duluth - Information
Technology Systems and Services

Happy99 worm hits e-mail, newsgroup users
by Sally Bradt

Happy99 is a computer worm that has reportedly been received through e-mail and USENET newsgroup postings in Europe and North America. It is sent unknowingly by a user as an attachment. Users who receive this attachment (usually called HAPPY99.EXE) via e-mail should delete the mail and the attachment.

Happy99 arrives to a computer via an e-mail or newsgroup attachment but does not infect the machine unless the user runs the attachment. When run, the program opens a window titled "Happy New Year 1999!!" and shows a firework display to disguise its other actions.

While the fireworks burst on-screen, the computer worm modifies the winsock32.dll file in order to monitor what e-mails and postings are made from the machine. Since all Internet access goes through the wsock32.dll file, Happy99.exe can then spam the newsgroup or e-mail recipient with copies of itself any time the computer user tries to send an Internet message. Because it can basically self-replicate, it has been termed a "worm" and not a "virus".

To remove the worm:

  1. Delete WINDOWS\SYSTEM\SKA.EXE.
  2. Delete WINDOWS\SYSTEM\SKA.DLL.
  3. Replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA.
  4. Delete the downloaded file, usually named HAPPY99.EXE.

If you have questions about this worm or find you need assistance removing it, please contact the ITSS Help Desk at x8847.



  



The University of Minnesota is an equal opportunity employer and educator
©1998 University of Minnesota Duluth
email: helpdesk@d.umn.edu
Page URL http://www.d.umn.edu/itss/news/info/spring99/happy99.html
Last Modified on Friday, 31-Mar-2000 10:50:44 CST
Publication Date: 4/99