1. /
  2. Security Response/
  3. Happy99.Worm Removal Tool

Happy99.Worm Removal Tool

Updated:
July 25, 2006 12:00:00 AM
Type:
Removal Information
Introduction
The Happy99.Worm Removal Tool is designed to safely remove Happy99.Worm (a.k.a. W32.Ska) files and restore the WSOCK32.DLL in Windows systems.

Happy99.Worm Removal Tool accomplishes the following:
Deletes the SKA.EXE and SKA.DLL files from the Windows System directory (usually C:\WINDOWS\SYSTEM).
Happy99.Worm inserts these two files when it installs itself to the system.

Restores WSOCK32.DLL.
Happy99.Worm modifies WSOCK32.DLL to hook the mail-sending and newsgroup article-posting routines.

It removes the following Windows Registry modification:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\"RunOnce" = "SKA.EXE"

Happy99.Worm adds this Windows Registry entry if WSOCK32.DLL is in use when the worm attempts to modify it (i.e. a user is online or connected to a network).

You will still need to delete the Happy99.Worm file, usually named HAPPY99.EXE (i.e. the file that NAV detects as "Happy99.Worm").

Download
FIXHAPPY.EXE
File name: FIXHAPPY.EXE
File size: 213K

Usage
To use the FIXHAPPY tool, use any *one* of the following methods:
Double click on the file from your desktop or Explorer.
Use the "Run" command from the Windows Start menu.

In order to complete the repair, your system must be REBOOTED.

It will display one of two possible messages upon completion:

Message #1

Your computer is not infected with Happy99!

This message is displayed if Happy99.Worm has NOT been launched on your system. This means the worm has not modified the Windows system.

Message #2

Happy99 was found and has been successfully removed.
Press OK to reboot the computer.

This message is displayed if the tools successfully removed SKA.EXE, SKA.DLL files and restore WSOCK32.DLL file.
Although the FIXHAPPY.EXE program requires no command line arguments, you can run it from a command line. To use this program with command line arguments, type:

FixHappy.EXE /HELP /AUTO /NOREBOOT

The arguments will perform the following tasks:
/HELP - Displays the help dialog.
/AUTO - Performs all actions automatically without any user interface.
/NOREBOOT - Do not reboot the system after a successful Happy99 repair.

Technical information
FixHappy returns the following DOS error codes:

Error Code
0 Happy99 was not found on the system.
1 Happy99 was found on the system but could not be removed due to an error condition.
2 Happy99 was found on the system and removed successfully (pending reboot)
3 Happy99 was found on the system but a reboot did not take place.
4 The user canceled the FixHappy program and it was unable to run to completion.
5 A general error occurred while FixHappy was running.

Troubleshooting
If you have any problems with this tool, please contact Symantec Technical Support for more details.

Summary

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver