Home | What's New | FAQ | Site Contents | Contact Us | SEARCH |
About Us | Alerts | Events | Improving Security | Other Resources | Reports | Survivability Research | Training and Education |
CERT® Incident Note IN-99-02The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.Happy99.exe Trojan HorseMonday, March 29, 1999
OverviewAround January 20, 1999, we began receiving reports of a Trojan horse program named Happy99.exe. Anti-virus vendors have given this program the following names: SKA, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA, Trojan.Happy99, Win32/SKA, and Happy99.Worm. DescriptionThe first time Happy99.exe is executed, a fireworks display saying "Happy 99" appears on the computer screen and, at the same time, modifies system files. The executable affects Microsoft Windows 95/98 and NT machines by
Once Happy99 is installed, every email and Usenet posting sent by an affected user triggers Happy99 to send a followup message containing Happy99.exe as a uuencoded attachment. Happy99 keeps track of who received the Trojan horse message in a file called LISTE.SKA in the system folder. Note that messages containing the Trojan horse will generally appear to come from someone you know. SolutionsYou can prevent the spread of the Happy99 by setting the WSOCK32.DLL file attributes to "read only". Most virus scanning tools will detect and clean Happy99 from a system. Happy99 can be manually removed from affected systems. You can find the steps for this procedure at the following site:
To detect and remove current viruses, you must update your scanning tools with the latest virus signatures or definitions. We also recommend you contact all of the people listed in the LISTE.SKA file. This file lists of other people that may have received the Happy99 Trojan horse from you. It is important to take great caution with any email or Usenet attachments that contain executable content. If attachments are in a message, we recommend that you save the file to the local drive and scan the file with a virus scanning product before you open or run the file. Be aware that this is not a guarantee that the contents of the file are safe, but it will check for viruses and Trojan horses that your scanning software can detect. Not the Same as MelissaHappy99 is not a macro virus and should not be confused with the Melissa Word macro virus. Further information about the Melissa Word macro virus can be found at the following site:
This document is available from: http://www.cert.org/incident_notes/IN-99-02.html CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address:
Using encryptionWe strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from If you prefer to use DES, please call the CERT hotline for more information.
Getting security informationCERT publications and other security information are available from our web siteTo subscribe to the CERT mailing list for advisories and bulletins, send email to [email protected]. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. Conditions for use, disclaimers, and sponsorship information
Copyright 1999 Carnegie Mellon University. |