Discovered: January 27, 1999
Updated: February 13, 2007 11:35:50 AM
Also Known As: Trojan.Happy99, I-Worm.Happy, W32.Ska, Happy00
Type: Worm
Systems Affected: Windows
CVE References: CVE-1999-0668


When executed, the infected program opens a window entitled "Happy New Year 1999 !!" and shows a fireworks display to disguise its installation. This worm sends itself to other users when the infected computer is online.



The following error messages can be symptoms of Happy99.Worm:

"MSIMN caused an invalid page fault in module Kernel32.dll"
"MSIMN caused an invalid page fault in module unknown"
"Explorer caused an invalid page fault in module Mailnews.dll at 014f:62060a0f"
"Outlook caused an Invalid Page Fault in module Unknown"
"MSIMN caused an invalid page fault in module Inetcomm.dll"

For additional information on these errors, see the Microsoft Knowledge Base article OLEXP: Error Message: "Invalid Page Fault in Kernel32.dll" with Happy99.exe Virus, Article ID: Q221486.


Antivirus Protection Dates

  • Initial Rapid Release version January 28, 1999
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version January 28, 1999
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date January 28, 1999


Writeup By: Raul Elnitiarta

Technical Details

The Happy99.Worm can be received as an email attachment or from newsgroup postings. The attachment is usually named Happy99.exe.

When executed, the worm opens a window titled "Happy New Year 1999 !!" and shows a fireworks display to disguise its installation. The worm sends itself to other users when the infected computer is online.

In addition, the worm does the following:

  • Copies itself as Ska.exe
  • Extracts Ska.dll to C:\Windows\System
  • Modifies the Wsock32.dll file in C:\Windows\System by copying the existing Wsock32.dll to Wsock32.ska

NOTES:
  • Wsock32.dll is the Winsock library that provides Internet connectivity in Windows 95/98. The worm's modified copy intercepts the connect and send calls that programs make through it, so the worm's code runs whenever the computer goes online. When such activity occurs, the modified Wsock32.dll code does the following:
    1. Wsock32.dll loads Ska.dll into memory.
    2. Ska.dll creates a new email or article and inserts an encoded copy of Happy99.exe as an attachment.
    3. It then sends or posts the message.
  • If the Wsock32.dll file is in use when the worm tries to modify it, such as when a user is online, then the worm adds string value SKA.EXE to the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    This causes the worm to load the next time Windows starts.
  • The worm keeps a list of addresses that have been sent infected emails in the Liste.ska file.


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
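One way to implement the attachment-blocking recommendation above at the mail gateway. This is an added example, not Symantec's code: it rejects messages whose attachments carry one of the listed extensions (.vbs, .bat, .exe, .pif, .scr) and also catches an executable that has been renamed, since every Windows executable starts with the two bytes "MZ" regardless of its file name. The sample message, the addresses in it, and the attachment bytes are constructed here; Happy99.exe is the attachment name the writeup reports.

```python
"""Mail-gateway attachment policy (added example, not part of the Symantec writeup)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# extensions named in the recommendation above
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def attachment_findings(raw_message: bytes):
    """Return (filename, reason) for every attachment that violates the policy."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename and part.get_content_disposition() != "attachment":
            continue  # ordinary body text, not an attachment
        name = (filename or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, f"blocked extension {ext}"))
        elif payload[:2] == b"MZ":
            # the name was changed (e.g. happy99.txt) but the bytes are still an executable
            findings.append((filename, "executable payload (MZ header) with non-executable name"))
    return findings


def should_reject(raw_message: bytes) -> bool:
    return bool(attachment_findings(raw_message))


def build_sample(attachment_name: str, body: bytes) -> bytes:
    """Constructed message with a single attachment, for demonstration only."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Happy New Year"
    msg.set_content("Happy New Year 1999 !!")
    msg.add_attachment(body, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, body in (("Happy99.exe", b"MZ\x90\x00"), ("happy99.txt", b"MZ\x90\x00"),
                       ("notes.txt", b"plain text")):
        print(name, "->", attachment_findings(build_sample(name, body)) or "accepted")
```

The extension list alone is what the recommendation asks for; the MZ check is the cheap extra that stops the usual evasion of renaming the file and telling the recipient to rename it back.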

Removal

The Happy99.Worm places several hidden files on the hard disk and makes changes to the Windows registry. There is more than one way to remove the Happy99.Worm from an infected computer. We recommend that you try the automatic removal procedure first.

Automatic removal using Fixhappy.exe
SARC has developed a tool named Fixhappy.exe to help you remove this worm. In most cases, this is the easiest way to do this. The tool and instructions for using it are available as a free download from:

http://www.sarc.com/avcenter/venc/data/fix.happy99.worm.html

If the Fixhappy.exe tool does not successfully remove Happy99.Worm, or if you do not have Internet access, then proceed to the next section to remove the worm manually.

Manual removal of the Happy99.Worm
If you cannot remove the worm by using the removal tool, then you must manually remove the worm. How you do this depends on whether you still have a copy of the original Wsock32.dll file (the file that is used by the worm) on the computer. Follow the instructions in the order given.

NOTE: This procedure is somewhat complex, and assumes that you are familiar with basic DOS and Windows procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

Most of the steps to manually remove this worm are performed in Safe mode. Follow the instructions in the order given in each section.

Enable show all files
Follow these steps to ensure that Windows is set to show all files:

  1. Start Windows Explorer.
  2. Click View, and then click Options or Folder options.
  3. Click the View tab, and then uncheck "Hide file extensions for known file types."
  4. Click Show all files, and then click OK.

Restart the computer in Safe mode
To remove the Happy99.Worm, the computer must be in Safe mode. Follow these steps to do this:
  • If you are using Windows 95:
    1. Exit all programs, and then shut down the computer.
    2. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the worm from memory. Do not use the reset button.
    3. Turn on the computer. When you see the "Starting Windows 95" message, press F8.
    4. Type the number that corresponds with Safe mode, and then press Enter.
  • If you are using Windows 98:
    1. Click Start, and click Run.
    2. Type msconfig and then Click OK. The System Configuration Utility dialog box appears.
    3. Click Advanced on the General tab.
    4. Check Enable Startup Menu, click OK, and then click OK again.
    5. Exit all programs, and then shut down the computer.
    6. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the worm from memory. Do not use the reset button.
    7. Turn on the computer, and wait for the menu.
    8. Type the number that corresponds with Safe mode, and then press Enter.

NOTES:
  • Before continuing with these instructions, ensure that "Safe mode" appears in all four corners of the Windows desktop. Otherwise, you are not in Safe mode, and you cannot completely remove the worm.
  • If you are running Windows 98, when you are finished with the entire removal procedure, start the System Configuration Utility again and uncheck "Enable Startup Menu."

Find Wsock32.ska
Follow these steps to locate (if it still exists) the Wsock32.ska file (this is the backup, made by the worm, of the original Wsock32.dll Windows file):
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
  3. Type wsock32.ska in the Named box, and then click Find Now.
  4. What you do next depends on whether a copy of Wsock32.ska was found.
    • If no copy of Wsock32.ska was found, and you are sure that you typed the file name exactly as shown, then you do not have a copy of the original Wsock32.dll file on the computer. This can happen if the worm was run more than once. In this case, do not continue with the instructions in this section, but instead skip to the Alternate manual removal of the Happy99.Worm when no Wsock32.ska exists section.
    • If Wsock32.ska was found, then you must leave it alone for now. (You will rename it later, in one of the sections that follows.)
  5. Click New Search to clear the current search, and then go on to the next section.
Find and delete the infected Wsock32.dll
Follow these steps to locate and delete the Wsock32.dll file that was placed on the hard drive by the worm:
  1. Type wsock32.dll in the Named box, and then click Find Now.
  2. Right-click the Wsock32.dll file in the results pane, click Delete, and then click Yes to confirm.

    NOTE: If, after clicking Yes, you see a message saying that "Windows could not delete this file," then skip to the Alternate manual removal of the Happy99.Worm when no Wsock32.ska exists section.
  3. Click New Search to clear the current search, and then proceed to the next section.

Find and delete files
Follow these steps to locate and delete other files that were placed on the hard drive by the worm:
  1. Type (or copy and paste) the following file names in the Named box, and then click Find Now:

    ska.exe  ska.dll  happy99.exe  liste.ska

    CAUTION: The next step is to delete these files from your system. Make sure that you delete only the files listed and, if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.
  2. Right-click each file in the results pane, click Delete, and then click Yes to confirm.
  3. Click New Search to clear the current search, and then proceed to the next section.

Find and rename the Wsock32.ska file
Follow these steps to restore the original Wsock32.dll file:
  1. Type wsock32.ska in the Named box, and then click Find Now.
  2. Right-click the Wsock32.ska file in the results pane, and click Rename.
  3. Type wsock32.dll and then press Enter.

    NOTE: If you see a message saying that "Windows could not rename this file," then skip to the Alternate manual removal of the Happy99.Worm when no Wsock32.ska exists section.
  4. Close the Find Files window.

Empty the Recycle Bin
To make sure that the files are removed from the computer, right-click the Recycle Bin icon on the Windows desktop, and click Empty Recycle Bin.

Remove the registry entries left by Happy99.Worm
This will not be necessary in all cases. If you have not seen messages that refer to a "missing ska.exe" file, then you can skip this section for now. If you see such a message after you restart the computer, then return to this section and follow the instructions. In that case, it is not necessary to restart in Safe mode.

If you have seen the "missing ska.exe" message, then follow these steps:

CAUTION : We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run.
  2. Type regedit and then press Enter.
  3. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\RunOnce
  4. In the right pane, select the following value, press Delete, and then click Yes to confirm:

    SKA.EXE
  5. Exit the Registry Editor.

Restart the computer
This concludes the removal procedure. Restart the computer, and then verify that you can use your Web browser.

Alternate manual removal of the Happy99.Worm when no Wsock32.ska file exists
This alternate procedure should be followed only if you have been directed to use it by the instructions in the previous section or by a Symantec technician. It assumes that you have already followed the instructions in the first two sections of Manual removal of the Happy99.Worm. (Show All Files is enabled, and you are working in Safe mode.)

Find and delete files
Follow these steps to locate and delete files that were placed on the hard drive by the worm:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that "Look in:" is set to (C:) and that "Include subfolders" is checked.
  3. Type (or copy and paste) the following file names in the Named box, and then click Find Now:

    ska.exe  ska.dll  happy99.exe  liste.ska  wsock32.ska  wsock32.dll

    CAUTION: In the next step you will delete these files from your computer. Make sure that you delete only the files listed and, if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.
  4. Right-click each file in the results pane, click Delete, and then click Yes to confirm.
  5. Close the Find Files window.
  6. Restart the computer, and allow Windows to start. You may see one or more error messages. Just click Yes or OK to each.

Extract a new copy of the Wsock32.dll file
This is necessary because the original Wsock32.dll file has been overwritten or damaged. You need to use the Extract command at a DOS prompt. Follow the steps below for your version of Windows.

NOTES:
  • You need the Windows installation CD.
  • When you type the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98 and the CD-ROM drive is the D drive, then you would type:

    extract /a d:\win98\precopy1.cab wsock32.dll /L c:\windows\system
  • If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows\System folder.
  • For detailed instructions on use of the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605.
  • As a somewhat easier alternative to the following procedure, if you are using Windows 98 you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.
  1. Click Start, point to Programs, and click MS-DOS Prompt. A DOS window appears.
  2. Type the command for your version of Windows:
    • If you are running Windows 98, type the following, and then press Enter:

      extract /a x:\win98\precopy1.cab wsock32.dll /L c:\windows\system
    • If you are running Windows 95, type the following, and then press Enter:

      extract /a x:\win95\win95_02.cab wsock32.dll /L c:\windows\system
  3. If you see an error message of any kind, then repeat step 2, making sure that you typed it exactly as shown, and that you typed the correct command for your version of Windows. Otherwise, type exit and then press Enter.

Empty the Recycle Bin
To make sure that the files are removed from the computer, right-click the Recycle Bin icon on the Windows desktop and click Empty Recycle Bin.

Remove the registry entries left by Happy99.Worm
This will not be necessary in all cases. If you have not seen messages referring to a "missing ska.exe" file, then you can skip this section for now. If you see such a message after you restart the computer, then return to this section and follow the instructions. In that case, it is not necessary to restart in Safe mode.

If you have seen the "missing ska.exe" message, then follow these steps:

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run.
  2. Type regedit and then press Enter.
  3. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\RunOnce
  4. Select the following value in the right pane, press Delete, and then click Yes to confirm:

    SKA.EXE
  5. Exit the Registry Editor.

Restart the computer
This concludes the removal procedure. Restart the computer and verify that you can use your Web browser.
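A scripted counterpart to the indicator list in the Technical Details notes (Ska.exe, Ska.dll, Liste.ska, the Wsock32.ska backup and the RunOnce value SKA.EXE) and to the branch the manual removal procedure takes depending on whether Wsock32.ska still exists. This is an added example and is not Symantec's Fixhappy.exe: it walks a directory tree for the files the writeup names, reads a REGEDIT4 text export (the format produced by regedit's export function) for the RunOnce value, compares the live Wsock32.dll with the worm's backup, and prints the removal steps. It only plans; it deletes and renames nothing. The sample directory tree and registry export are constructed here for demonstration.

```python
"""Host triage for Happy99.Worm artifacts (added example, not Symantec's removal tool)."""
import hashlib
import os
import re
import tempfile

DROPPED_FILES = {"ska.exe", "ska.dll", "liste.ska", "happy99.exe"}
BACKUP = "wsock32.ska"   # worm's copy of the clean Winsock DLL
WINSOCK = "wsock32.dll"  # live DLL, patched by the worm
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def scan_tree(root):
    """Map each indicator file name (lower-cased) to the paths where it was found."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low in DROPPED_FILES or low in (BACKUP, WINSOCK):
                hits.setdefault(low, []).append(os.path.join(dirpath, name))
    return hits


def runonce_has_ska(reg_export_text):
    """True if a REGEDIT4 export carries a value under RunOnce that names ska.exe."""
    current = None
    for line in reg_export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and current.lower() == RUNONCE_KEY.lower():
            # value lines look like "Name"="data" or @="data"
            if re.match(r'^(?:"[^"]*"|@)=', line) and "ska.exe" in line.lower():
                return True
    return False


def sha1(path):
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()


def winsock_modified(hits):
    """Compare the live DLL with the worm's backup; None when either is missing."""
    backups, dlls = hits.get(BACKUP, []), hits.get(WINSOCK, [])
    if not backups or not dlls:
        return None
    return sha1(dlls[0]) != sha1(backups[0])


def removal_plan(hits, ska_in_runonce):
    """Return the manual-procedure steps, as strings, for what was found."""
    steps = [f"delete {p}" for n in sorted(DROPPED_FILES) for p in hits.get(n, [])]
    steps += [f"delete {p}" for p in hits.get(WINSOCK, [])]
    backups = hits.get(BACKUP, [])
    if backups:
        steps.append(f"rename {backups[0]} -> {WINSOCK}")
    else:
        # no backup: the worm ran more than once, so the DLL must come from the CD
        steps.append("extract wsock32.dll from the Windows installation CD")
    if ska_in_runonce:
        steps.append(f"delete value SKA.EXE under {RUNONCE_KEY}")
    return steps


def triage(root, reg_export_text):
    hits = scan_tree(root)
    return hits, removal_plan(hits, runonce_has_ska(reg_export_text))


def build_sample_tree():
    """Constructed infected layout (not a real capture); returns (root, reg_export)."""
    root = tempfile.mkdtemp()
    system = os.path.join(root, "WINDOWS", "SYSTEM")
    os.makedirs(system)
    for name, body in [("WSOCK32.SKA", b"clean winsock"), ("WSOCK32.DLL", b"clean winsock + hook"),
                       ("SKA.EXE", b"worm"), ("SKA.DLL", b"worm"), ("LISTE.SKA", b"a@example.com\r\n")]:
        with open(os.path.join(system, name), "wb") as f:
            f.write(body)
    reg = ("REGEDIT4\r\n\r\n[" + RUNONCE_KEY + "]\r\n"
           "\"SKA.EXE\"=\"C:\\\\WINDOWS\\\\SYSTEM\\\\SKA.EXE\"\r\n")
    return root, reg


if __name__ == "__main__":
    sample_root, sample_reg = build_sample_tree()
    found, plan = triage(sample_root, sample_reg)
    print("winsock modified:", winsock_modified(found))
    print("\n".join(plan))
```

The hash comparison is the check worth keeping even outside this worm: when a backup of a system DLL is present next to the live copy and the two differ, the live copy is the one to distrust, and the plan must restore from the backup before deleting anything else that the system depends on.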

