Happy99.exe: What It Does and How to Remove It
Dateline 02/22/99
Happy99.exe fireworked on uncounted desktops -- and sent itself on to new victims via email. Find out how it does that and how to stop it.
"Up! up! my friend, and quit your books,
Or surely you 'll grow double!
Up! up! my friend, and clear your looks!
Why all this toil and trouble?"
William Wordsworth
The Tables Turned
Happy99.exe
In the past weeks, a virus has not only been in the news but also in many mailboxes and on many people's desktops: Happy99.exe. Fortunately, this Web site has helped demystify Win32/Ska.
Thus I can today tell you what Happy99.exe does and how to remove it once you are "infected".
How not to get Infected
First of all, let's see how you can avoid infection altogether. This is appallingly easy.
If you only read Usenet news or your daily dose of email you cannot get infected with Win32/Ska. This is because the virus is a program and has to be run to do its dirty work (like any other program on your computer).
As long as you do not execute Happy99.exe (the virus itself is not known to change its name; still somebody may have altered the name of the executable) there is no danger.
Email Fireworks
Once you do run the virus, it will reward you with a nice New Year's firework. Behind the scenes, it is preparing its firework of email messages.
Happy99.exe copies itself into the Windows system directory as SKA.EXE and puts another file, SKA.DLL, in the same directory. It then backs up WSOCK32.DLL (the system library that provides Internet connectivity to Windows) as WSOCK32.SKA and modifies the original WSOCK32.DLL to use SKA.DLL when sending email or posting news.
Whenever an email message is sent via SMTP (the protocol normally used to deliver Internet email) or news gets posted to Usenet, the modified WSOCK32.DLL creates a duplicate of the message. This copy of the original message has the same recipient and subject but its body is empty -- except for Happy99.exe being attached. Such copies can be identified by a header line of X-Spanska: Yes.
The Win32/Ska virus keeps track of its victims and does not send a message to one address more than one time. Recipients of a copy of Happy99.exe are listed in a file called LISTE.SKA in the Windows system folder.
Happy99.exe can modify WSOCK32.DLL only on Windows 95 and Windows 98. On Windows NT, it will copy SKA.EXE and SKA.DLL to the system folder but fail to alter WSOCK32.DLL. All other systems like Macintosh, Unix, OS/2, BeOS, Windows 3.x, DOS, Amiga are safe from Win32/Ska.
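The X-Spanska header and the Happy99.exe attachment described above are enough to flag the duplicates in a sent-mail spool or at a mail gateway. The following Python code is an added example, not part of the original article; the function names and the sample messages are made up for illustration, and the uuencoded attachment form is an assumption (the article only says the file is attached), so MIME filenames are checked too.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# "begin 644 Happy99.exe" style line; uuencoding is an assumption, the page
# only says the file is attached, so MIME filenames are checked as well.
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)\s*$", re.MULTILINE)

def attachment_names(msg):
    """Collect attachment names from MIME parts and uuencoded text bodies."""
    names = []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename())
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            names += UU_BEGIN.findall(body.decode("latin-1"))
    return names

def check_message(raw_bytes):
    """Return the reasons a raw message looks like a Win32/Ska copy."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if (msg.get("X-Spanska") or "").strip().lower() == "yes":
        reasons.append("X-Spanska: Yes header")
    # The file name may have been altered, so the name is a weaker signal.
    for name in attachment_names(msg):
        if name.lower() == "happy99.exe":
            reasons.append("attachment named " + name)
    return reasons

def recipients_to_warn(raw_messages):
    """Addresses that were sent a flagged copy, e.g. from a sent-mail spool."""
    hit = set()
    for raw in raw_messages:
        if check_message(raw):
            msg = email.message_from_bytes(raw, policy=policy.default)
            hit.update(addr for _, addr in getaddresses(msg.get_all("To", [])))
    return sorted(hit)

# Constructed sample messages (not captured traffic).
ORIGINAL = (b"From: alice@example.org\r\nTo: bob@example.org\r\n"
            b"Subject: lunch?\r\n\r\nNoon at the usual place.\r\n")
COPY = (b"From: alice@example.org\r\nTo: bob@example.org\r\n"
        b"Subject: lunch?\r\nX-Spanska: Yes\r\n\r\n"
        b"begin 644 Happy99.exe\r\n`\r\nend\r\n")

if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("copy", COPY)):
        print(label, check_message(raw) or "clean")
    print("warn:", recipients_to_warn([ORIGINAL, COPY]))
```

Usenet postings carry a Newsgroups header rather than To, so recipients_to_warn only covers the email case.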
How to Remove Win32/Ska
To get rid of the Win32/Ska virus we have to undo the steps described above. To be able to mess around with system DLLs you should first shut down and reboot your computer in MS-DOS mode.
DOS greets us with an almost-forgotten prompt. We change to the Windows system directory: cd \windows\system.
Here, we first restore our WSOCK32.DLL by copying the back-up copy (fortunately Happy99.exe is more careful than I am) over the modified version: copy wsock32.ska wsock32.dll. Yes, we want to overwrite WSOCK32.DLL. Now we can remove WSOCK32.SKA, but you may want to play it super-safe and not perform this step until you have rebooted and verified that everything works right: del wsock32.ska.
Then we remove SKA.EXE and SKA.DLL: del ska.exe ska.dll.
Now it's time to leave DOS alone and return to Windows: exit.
After the system has rebooted, you can have a look at who got Happy99.exe from you. Open \windows\system\liste.ska in your favorite editor. Delete the file. If there is no LISTE.SKA, this means that Happy99.exe had no chance to attach itself to any message (because you sent none since your WSOCK32.DLL was modified).
There is one more optional step you can perform if you want your system to be real clean. If Happy99.exe cannot change WSOCK32.DLL at the very moment it is run (because WSOCK32.DLL is in use), it will add SKA.EXE to the "RunOnce" section of the system registry. Thus, SKA.EXE is executed the next time the computer starts and will perform the modifications on WSOCK32.DLL.
You can remove that registry entry with the Registry Editor. Run regedit from a DOS prompt or via the Run Start menu command. Click your way down from "HKEY_LOCAL_MACHINE" over "Software", "Microsoft", and "Windows" to "CurrentVersion". If you find "Ska.exe" under "RunOnce", remove it by pressing Del and confirming your choice. Close the Registry Editor and leave it alone.

