
Happy99.Worm - Removal

Risk Level 2: Low

Discovered: January 27, 1999
Updated: February 13, 2007 11:35:50 AM
Also Known As: Trojan.Happy99, I-Worm.Happy, W32.Ska, Happy00
Type: Worm
Systems Affected: Windows 3.x, Windows 95, Windows 98, Windows Me
CVE References: CVE-1999-0668

The Happy99.Worm places several hidden files on the hard disk and makes changes to the Windows registry. There is more than one way to remove the Happy99.Worm from an infected computer. We recommend that you try the automatic removal procedure first.

Automatic removal using Fixhappy.exe
SARC has developed a tool named Fixhappy.exe to help you remove this worm. In most cases, using the tool is the easiest way to remove it. The tool and instructions for using it are available as a free download from:

http://www.sarc.com/avcenter/venc/data/fix.happy99.worm.html

If the Fixhappy.exe tool does not successfully remove Happy99.Worm, or if you do not have Internet access, then proceed to the next section to remove the worm manually.

Manual removal of the Happy99.Worm
If you cannot remove the worm by using the removal tool, then you must manually remove the worm. How you do this depends on whether you still have a copy of the original Wsock32.dll file (the file that is used by the worm) on the computer. Follow the instructions in the order given.

NOTE: This procedure is somewhat complex, and assumes that you are familiar with basic DOS and Windows procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

Most of the steps to manually remove this worm are performed in Safe mode. Follow the instructions in the order given in each section.

Enable show all files
Follow these steps to ensure that Windows is set to show all files:
  1. Start Windows Explorer.
  2. Click View, and then click Options or Folder options.
  3. Click the View tab, and then uncheck "Hide file extensions for known file types."
  4. Click Show all files, and then click OK.

Restart the computer in Safe mode
To remove the Happy99.Worm, the computer must be in Safe mode. Follow these steps to do this:
  • If you are using Windows 95:
    1. Exit all programs, and then shut down the computer.
    2. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
    3. Turn on the computer. When you see the "Starting Windows 95" message, press F8.
    4. Type the number that corresponds with Safe mode, and then press Enter.
  • If you are using Windows 98:
    1. Click Start, and click Run.
    2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    3. Click Advanced on the General tab.
    4. Check Enable Startup Menu, click OK, and then click OK again.
    5. Exit all programs, and then shut down the computer.
    6. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
    7. Turn on the computer, and wait for the menu.
    8. Type the number that corresponds with Safe mode, and then press Enter.

NOTES:
  • Before continuing with these instructions, ensure that "Safe mode" appears in all four corners of the Windows desktop. Otherwise, you are not in Safe mode, and you cannot completely remove the worm.
  • If you are running Windows 98, when you are finished with the entire removal procedure, start the System Configuration Utility again and uncheck "Enable Startup Menu."

Find Wsock32.ska
Follow these steps to locate the Wsock32.ska file, if it still exists. (This is the backup, made by the worm, of the Wsock32.dll Windows file.)
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
  3. Type wsock32.ska in the Named box, and then click Find Now.
  4. What you do next depends on whether a copy of Wsock32.ska was found.
    • If no copy of Wsock32.ska was found, and you are sure that you typed the file name exactly as shown, then you do not have a copy of the original Wsock32.dll file on the computer. This can happen if the worm was run more than once. In this case, do not continue with the instructions in this section, but instead skip to the Alternate manual removal of the Happy99.Worm when no Wsock32.ska exists section.
    • If Wsock32.ska was found, then you must leave it alone for now. (You will rename it later, in one of the sections that follows.)
  5. Click New Search to clear the current search, and then go on to the next section.

Find and delete the infected Wsock32.dll
Follow these steps to locate and delete the Wsock32.dll file that was placed on the hard drive by the worm:
  1. Type wsock32.dll in the Named box, and then click Find Now.
  2. Right-click the Wsock32.dll file in the results pane, click Delete, and then click Yes to confirm.

    NOTE: If, after clicking Yes, you see a message saying that "Windows could not delete this file," then skip to the Alternate manual removal of the Happy99.Worm when no Wsock32.ska exists section.
  3. Click New Search to clear the current search, and then proceed to the next section.

Find and delete files
Follow these steps to locate and delete other files that were placed on the hard drive by the worm:
  1. Type (or copy and paste) the following file names in the Named box, and then click Find Now:

    ska.exe  ska.dll  happy99.exe  liste.ska

    CAUTION: The next step is to delete these files from your system. Make sure that you delete only the files listed and, if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.
  2. Right-click each file in the results pane, click Delete, and then click Yes to confirm.
  3. Click New Search to clear the current search, and then proceed to the next section.

Find and rename the Wsock32.ska file
Follow these steps to restore the original Wsock32.dll file:
  1. Type wsock32.ska in the Named box, and then click Find Now.
  2. Right-click the Wsock32.ska file in the results pane, and click Rename.
  3. Type wsock32.dll and then press Enter.

    NOTE: If you see a message saying that "Windows could not rename this file," then skip to the Alternate manual removal of the Happy99.Worm when no Wsock32.ska exists section.
  4. Close the Find Files window.

Empty the Recycle Bin
To make sure that the files are removed from the computer, right-click the Recycle Bin icon on the Windows desktop, and click Empty Recycle Bin.

Remove the registry entries left by Happy99.Worm
This will not be necessary in all cases. If you have not seen messages that refer to a "missing ska.exe" file, then you can skip this section for now. If you see such a message after you restart the computer, then return to this section and follow the instructions. In that case, it is not necessary to restart in Safe mode.

If you have seen the "missing ska.exe" message, then follow these steps:

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run.
  2. Type regedit and then press Enter.
  3. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  4. In the right pane, select the following value, press Delete, and then click Yes to confirm:

    SKA.EXE
  5. Exit the Registry Editor.

Restart the computer
This concludes the removal procedure. Restart the computer, and then verify that you can use your Web browser.
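
The file searches in the manual procedure above can also be run as a read-only check against a mounted copy of the drive, which shows in advance whether the Wsock32.ska backup exists and therefore which removal path applies. The following is an added example, not part of the original writeup or of Fixhappy.exe; the function names, verdict strings and sample tree are assumptions made for illustration, and a file-name match alone does not confirm infection.

```python
import os
import tempfile

# File names the page lists as dropped by the worm. Windows 9x file names are
# case-insensitive, so everything is compared in lower case.
WORM_FILES = {"ska.exe", "ska.dll", "happy99.exe", "liste.ska"}
BACKUP = "wsock32.ska"  # the worm's backup of the original Wsock32.dll
TARGET = "wsock32.dll"  # present on clean systems too, so not an indicator alone


def scan(root):
    """Return {lower-cased name: [paths]} for every file of interest under root."""
    wanted = WORM_FILES | {BACKUP, TARGET}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in wanted:
                hits.setdefault(name.lower(), []).append(os.path.join(dirpath, name))
    return hits


def triage(root):
    """Pick the removal path from the page. Read-only: nothing is deleted or renamed."""
    hits = scan(root)
    dropped = sorted(n for n in hits if n in WORM_FILES)
    if not dropped and BACKUP not in hits:
        verdict = "no-artifacts"
    elif BACKUP in hits:
        verdict = "manual-removal"     # delete infected DLL, rename the .ska backup
    else:
        verdict = "alternate-removal"  # no backup: extract Wsock32.dll from the CD
    return {"verdict": verdict, "dropped": dropped,
            "backup": hits.get(BACKUP, []), "wsock32_dll": hits.get(TARGET, [])}


def make_sample_tree(rel_paths):
    """Build a constructed sample tree of empty placeholder files for a dry run."""
    root = tempfile.mkdtemp()
    for rel in rel_paths:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    demo = make_sample_tree(["WINDOWS/SYSTEM/SKA.EXE", "WINDOWS/SYSTEM/Ska.dll",
                             "WINDOWS/SYSTEM/WSOCK32.DLL"])
    print(triage(demo))
```

A "manual-removal" verdict corresponds to the procedure above; "alternate-removal" corresponds to the case where no Wsock32.ska exists.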

Alternate manual removal of the Happy99.Worm when no Wsock32.ska file exists
This alternate procedure should be followed only if you have been directed to use it by the instructions in the previous section or by a Symantec technician. It assumes that you have already followed the instructions in the first two sections of Manual removal of the Happy99.Worm. (Show All Files is enabled, and you are working in Safe mode.)

Find and delete files
Follow these steps to locate and delete files that were placed on the hard drive by the worm:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that "Look in:" is set to (C:) and that "Include subfolders" is checked.
  3. Type (or copy and paste) the following file names in the Named box, and then click Find Now:

    ska.exe  ska.dll  happy99.exe  liste.ska  wsock32.ska  wsock32.dll

    CAUTION: In the next step you will delete these files from your computer. Make sure that you delete only the files listed and, if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.
  4. Right-click each file in the results pane, click Delete, and then click Yes to confirm.
  5. Close the Find Files window.
  6. Restart the computer, and allow Windows to start. You may see one or more error messages. Just click Yes or OK to each.

Extract a new copy of the Wsock32.dll file
This is necessary because the original Wsock32.dll file has been overwritten or damaged. You need to use the Extract command at a DOS prompt. Follow the steps below, using the command for your version of Windows.
    NOTES:
    • You need the Windows installation CD.
    • When you type the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98 and the CD-ROM drive is the D drive, then you would type:

      extract /a d:\win98\precopy1.cab wsock32.dll /L c:\windows\system
    • If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows\System folder.
    • For detailed instructions on use of the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605.
    • As a somewhat easier alternative to the following procedure, if you are using Windows 98 you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.
    1. Click Start, point to Programs, and click MS-DOS Prompt. A DOS window appears.
    2. Type the command for your version of Windows:
      • If you are running Windows 98, type the following, and then press Enter:

        extract /a x:\win98\precopy1.cab wsock32.dll /L c:\windows\system
      • If you are running Windows 95, type the following, and then press Enter:

        extract /a x:\win95\win95_02.cab wsock32.dll /L c:\windows\system
    3. If you see an error message of any kind, then repeat step 2, making sure that you typed it exactly as shown, and that you typed the correct command for your version of Windows. Otherwise, type exit and then press Enter.

Empty the Recycle Bin
To make sure that the files are removed from the computer, right-click the Recycle Bin icon on the Windows desktop and click Empty Recycle Bin.

Remove the registry entries left by Happy99.Worm
This will not be necessary in all cases. If you have not seen messages referring to a "missing ska.exe" file, then you can skip this section for now. If you see such a message after you restart the computer, then return to this section and follow the instructions. In that case, it is not necessary to restart in Safe mode.

If you have seen the "missing ska.exe" message, then follow these steps:

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run.
  2. Type regedit and then press Enter.
  3. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  4. Select the following value in the right pane, press Delete, and then click Yes to confirm:

    SKA.EXE
  5. Exit the Registry Editor.

Restart the computer
This concludes the removal procedure. Restart the computer and verify that you can use your Web browser.


Writeup By: Raul Elnitiarta