[Home] [About Us] [FAQs] [Announcements] [Tech Support] [Time On-Line] [Account Change Form]

Happy99.exe Virus
Tools: Mailman - Time Online - Chat Room - News Ticker - eTools - Network News - Order CD
Services: Online Classes - Free Classes - Message Board - Classifieds - Online Help - Bridge Camera
About Us: About Us - New User Info - FAQs - Account Change Form - Tech Info - Fast Wireless Internet
Local: Email Directory - Webpages - Shops - Movies - Golf - Pics - Gov't - Gov't Minutes - Discuss
Starting Places: Excite - Yahoo - Hotbot - Go - Lycos - About.com - Looksmart - Altavista - Search - Google
Cool Stuff: Auctions - Agriculture - Genealogy - Health - Sports - News/Money - Software - eTools - Ask.com

If you think you have gotten the Happy99.exe e-mail attachment PLEASE TAKE IMMEDIATE ACTION as outlined on this webpage.

We have reports of 2 RR1.NET users who have gotten the Happy99.exe virus as of 2/18/99 so if you think you may have gotten the attachment, PLEASE TAKE ACTION. 

If you don't know what to do after reading this, do one of the following:

FOR CUMBERLAND INTERNET USERS:

E-Mail us

Suggestions@rr1.net

 

Call for assistance

217-923-5115

M-F 9 am - 5 pm

Call tech support pager

1-800-412-2692

5 pm - Midnight Mon-St

Bring us your computer

Old Radio Shack in Greenup, IL

M-F 9 am - 5 pm 

(fix should take about 1 day)

{Print out this page for reference)

What is the Happy99.exe virus/worm? Happy99.exe started making its way around the Internet about Jan. 20, sending hundreds of copies of itself via e-mail attachments and newsgroup postings. According to Helsinki, Finland, data security firm Data Fellows Inc., the worm does not attempt to destroy files on infected machines, but it sends e-mails and newsgroup postings without the victim's knowledge and could cause network slowdowns or even crash corporate e-mail servers.

The worm, so designated because it can replicate on its own, arrives as an e-mail or newsgroup attachment and infects only users who run the attachment.

Once they do, all victims see is a window with a fireworks display. But behind the scenes, the worm alters the host computer's winsock32.dll file, the computer's doorway to the Internet. Then, each time a user intiates e-mail or newsgroup activity, by either receiving or sending e-mail or posting to a newsgroup, Happy99 spams the newsgroup or e-mail recipient with copies of itself. Any type of activity on port 25 or 119 will trigger spam activity, according to Takata, senior software support engineer of Data Fellows.

It also keeps a list of the spammed e-mail addresses and newsgroups in a separate file called LISTE.SKA

Read more about the Happy99 virus from these links if you want more info:  Data Fellows Department of Energy/Computer Incident Advisory Capability. McAfee Happy99 Virus Alert

Picture

This is what the fireworks look like on your computer after you have run the program. 

IF YOU HAVE SEEN THIS FIREWORKS PROGRAM RUN ON YOUR COMPUTER, YOU ARE INFECTED AND NEED TO TAKE ACTION TO UN-INFECT YOUR COMPUTER.

This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. Since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. . However using a modified WSOCK32.DLL could cause problems while on the Internet. Restoring the original WSOCK32.DLL will correct these problems.

This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV. However, someone using one of those could pass it along manually, for example by forwarding the message. Under Windows NT it will create SKA.EXE, SKA.DLL, and WSOCK32.SKA but will fail to add itself to the registry or modify WSOCK32.DLL. If you have NT, you don't have to follow the removal steps

Removal steps:

    1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes. It's important to do this so you can make the necessary changes.

    2. At the DOS prompt type this exactly and press enter at the end of each line:

    CD \WINDOWS\SYSTEM

    If that doesn't work, try

    CD SYSTEM

    3. Delete SKA.EXE and SKA.DLL by typing

    DEL SKA.EXE

    DEL SKA.DLL

    If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly.

    4. Copy WSOCK32.SKA to WSOCK32.DLL by typing

    COPY WSOCK32.SKA WSOCK32.DLL

    Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL. Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL made by the virus. You are replacing the modified DLL with the original.

    Return to Windows by typing

    EXIT

    Once your computer is uninfected, please take the time to e-mail a message to everyone you e-mailed since you got the Happy99.exe virus.  Please tell them to come to this page and follow the steps to uninfect their computer.

    Finally, please take some action if you think you are infected.  You will be spreading the virus to all your friends with every e-mail you send. We'll help you uninfect your computer!

Cumberland Internet, Inc
P.O. Box 190 Greenup, IL 62428
Phone: 217-923-5115  Fax 217-923-3726 
24 hour information line 217-923-3515
copyright © 1996 Cumberland Internet, Inc.

RR1.Net Acceptable Use Policy
Web Pages:
cmkaye@rr1.net
E-Mail:
suggestions@rr1.net

For Technical Support Call:
217-923-5115 (Mon-Fri 9 a.m.-5 p.m.)
1-800-412-2692 (Pager Mon-Sat 5 p.m.- 9 p.m.)