The Happy99.Worm can be received as an email attachment or from newsgroup postings. The attachment is usually named Happy99.exe.
When executed, the worm opens a window titled "Happy New Year 1999 !!" and shows a fireworks display to disguise its installation. The worm sends itself to other users when the infected computer is online.
In addition, the worm does the following:
- Copies itself as Ska.exe
- Extracts Ska.dll to C:\Windows\System
- Modifies the Wsock32.dll file in C:\Windows\System by copying the existing Wsock32.dll to Wsock32.ska
  The Wsock32.dll file enables Internet connectivity in Windows 95/98. The modification lets the worm run whenever it detects connect or send activity in Wsock32.dll. When such online activity occurs, the modified Wsock32.dll code does the following:
  - Wsock32.dll loads Ska.dll into memory.
  - Ska.dll creates a new email or article and inserts an encoded copy of Happy99.exe as an attachment.
  - It then sends or posts the message.
- If the Wsock32.dll file is in use when the worm tries to modify it, such as when a user is online, then the worm adds string value SKA.EXE to the following registry key:
This causes the worm to load the next time Windows starts.
- The worm keeps a list of addresses that have been sent infected emails in the Liste.ska file.
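A triage check built from the file names above, as an added example that is not part of the original write-up: it walks a directory tree (for instance a mounted disk image), reports Ska.exe, Ska.dll, Wsock32.ska and Liste.ska wherever they appear, and flags a Wsock32.dll that differs from the Wsock32.ska copy beside it. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

# File names from the write-up above, matched case-insensitively.
ARTIFACTS = {"ska.exe", "ska.dll", "wsock32.ska", "liste.ska"}

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage(root):
    """Walk root; return artifact paths and any Wsock32.dll differing from its .ska copy."""
    found, modified = [], []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): os.path.join(dirpath, name) for name in files}
        found += [by_lower[n] for n in sorted(ARTIFACTS.intersection(by_lower))]
        # Wsock32.ska is the worm's copy of the original DLL, so a differing
        # Wsock32.dll beside it means the modified file is still in place.
        dll, backup = by_lower.get("wsock32.dll"), by_lower.get("wsock32.ska")
        if dll and backup and sha256(dll) != sha256(backup):
            modified.append(dll)
    return {"artifacts": found, "wsock32_modified": modified}

def build_sample(root, infected):
    """Constructed sample tree standing in for a Windows 95/98 system directory."""
    sysdir = os.path.join(root, "Windows", "System")
    os.makedirs(sysdir)
    files = {"Wsock32.dll": b"constructed original bytes"}
    if infected:
        files = {
            "Wsock32.dll": b"constructed modified bytes",
            "Wsock32.ska": b"constructed original bytes",
            "SKA.DLL": b"constructed",
            "Ska.exe": b"constructed",
            "Liste.ska": b"constructed address list",
        }
    for name, data in files.items():
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(data)
    return sysdir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, infected=True)
        report = triage(tmp)
        for path in report["artifacts"]:
            print("artifact:", path)
        for path in report["wsock32_modified"]:
            print("modified Wsock32.dll (differs from Wsock32.ska):", path)
```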
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":