W32/SKA Worm Information

Description and History of HAPPY99

HAPPY99.EXE is an internet worm known as W32/Ska. Detection is available using the current .DAT files for VirusScan. W32/Ska travels via SMTP email messages, sent as a secondary message following an initial sendmail operation. W32/Ska also travels via postings to newsgroups using the NNTP protocol in a similar fashion.

The original file HAPPY99.EXE was coded by a virus author known as "Spanska", known for a number of viruses that infect PE type files. HAPPY99.EXE was distributed onto newsgroup servers and other places. Users would run the file and, unknown to them, it would send out copies of the worm to anyone they sent email to. It only works if the user is using an SMTP agent with their email.

If you run HAPPY99.EXE, it displays fireworks - a distraction - as it drops SKA.EXE and SKA.DLL onto the hard drive. It then makes a backup copy of WSOCK32.DLL as WSOCK32.SKA. The file WSOCK32.DLL is then patched with 2 routines containing instructions to send HAPPY99.EXE as an attachment to emails sent via SMTP and also to newsgroup postings made via NNTP. Email messages and newsgroup postings containing the HAPPY99.EXE file are separate from your initial email message and post. A log of email addresses is kept in the file "liste.ska", which is in text format.

Removal Instructions

A command line tool designed for Win95/Win98 systems is available to remove the worm from your system(s):

http://www.avertlabs.com/public/stand_alone/RMSKA.ZIP

It performs the necessary renaming and removal of files that are listed in the manual steps below:

1. SHUTDOWN | Restart to MS-DOS mode
2. Change directories to the WINDOWS\SYSTEM directory
3. Copy WSOCK32.SKA to WSOCK32.DLL
4. Delete the files SKA.EXE and SKA.DLL
5. Move the file LISTE.SKA to the desktop for editing
6. Restart Windows

The MS-DOS instructions to do this are as follows (press the [ENTER] key after each line):

    CD C:\WINDOWS\SYSTEM
    COPY WSOCK32.SKA WSOCK32.DLL /y
    DEL SKA.???
    MOVE LISTE.SKA C:\WINDOWS\DESKTOP\SKALIST.TXT
    EXIT

As a final cleanup, note that the worm also creates a registry entry, which can either be ignored or corrected. The registry entry is in this location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Ska.exe="Ska.exe"

The tool RMSKA.EXE will remove this registry entry for you.
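
The manual steps above can be checked against a copy of the WINDOWS\SYSTEM directory, for example one taken from a disk image. The following Python triage sketch is an added example, not part of the original advisory or of the RMSKA tool; the function names are hypothetical, and treating a WSOCK32.DLL that differs from WSOCK32.SKA as still patched is an assumption.

```python
import tempfile
from pathlib import Path

# File names taken from the advisory; matched case-insensitively because a
# Win95/Win98 volume mounted for analysis may present names in any case.
DROPPED = ("SKA.EXE", "SKA.DLL")
BACKUP, LIVE, LOG = "WSOCK32.SKA", "WSOCK32.DLL", "LISTE.SKA"


def find_file(system_dir, name):
    """Return the path of `name` in system_dir, ignoring case, or None."""
    for entry in Path(system_dir).iterdir():
        if entry.is_file() and entry.name.upper() == name:
            return entry
    return None


def triage(system_dir):
    """Report which artifacts exist and which manual steps are still outstanding."""
    found = {n: find_file(system_dir, n) for n in DROPPED + (BACKUP, LIVE, LOG)}
    todo = []
    backup, live = found[BACKUP], found[LIVE]
    # Assumption: a live DLL that differs from the worm's backup is the patched copy.
    if backup and (live is None or backup.read_bytes() != live.read_bytes()):
        todo.append("COPY WSOCK32.SKA WSOCK32.DLL")
    todo += [f"DEL {n}" for n in DROPPED if found[n]]
    if found[LOG]:
        todo.append("MOVE LISTE.SKA")
    artifacts = sorted(n for n, p in found.items() if p and n != LIVE)
    return {"artifacts": artifacts, "todo": todo}


def demo():
    """Constructed sample: a fake SYSTEM directory filled with placeholder bytes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wsock32.dll").write_bytes(b"patched placeholder")
        (root / "WSOCK32.SKA").write_bytes(b"original placeholder")
        (root / "Ska.exe").write_bytes(b"x")
        (root / "liste.ska").write_text("constructed@example.invalid\n")
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

The RunOnce registry entry is not covered here, since it lives in the registry rather than in the SYSTEM directory.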