The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University
CERT® Coordination Center


CERT® Incident Note IN-99-02

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Happy99.exe Trojan Horse

Monday, March 29, 1999

Overview

Around January 20, 1999, we began receiving reports of a Trojan horse program named Happy99.exe. Anti-virus vendors have given this program the following names: SKA, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA, Trojan.Happy99, Win32/SKA, and Happy99.Worm.

Description

The first time Happy99.exe is executed, a fireworks display saying "Happy 99" appears on the computer screen while, at the same time, the program modifies system files. The executable affects Microsoft Windows 95/98 and NT machines by

  • copying the WSOCK32.DLL file to WSOCK32.SKA
  • modifying the WSOCK32.DLL file, which is used for Internet connectivity
  • creating files called SKA.EXE and SKA.DLL in the system directory
  • creating an entry in the registry to start SKA.EXE

Once Happy99 is installed, every email and Usenet posting sent by an affected user triggers Happy99 to send a followup message containing Happy99.exe as a uuencoded attachment. Happy99 keeps track of who received the Trojan horse message in a file called LISTE.SKA in the system folder. Note that messages containing the Trojan horse will generally appear to come from someone you know.

Solutions

You can prevent the spread of Happy99 by setting the WSOCK32.DLL file attributes to "read only".
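
As an added example (not CERT code), the following Python script checks a system directory, live or copied from a disk image, for the file artifacts named in the Description and reports whether WSOCK32.DLL carries the read-only attribute. The function name triage, the report keys and the command-line usage are assumptions of this example; the registry entry is not checked because this note does not name the key.

```python
"""Triage a Windows system directory for the Happy99 file artifacts
named in this incident note. Added example, not CERT code."""
import hashlib
import os
import stat
import sys

# File names come from the note. Matching is case-insensitive because
# FAT/NTFS names can appear in any case on a mounted image.
ARTIFACTS = ("WSOCK32.SKA", "SKA.EXE", "SKA.DLL", "LISTE.SKA")


def _index(system_dir):
    """Map upper-cased file name -> full path for regular files."""
    return {e.name.upper(): e.path for e in os.scandir(system_dir) if e.is_file()}


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def triage(system_dir):
    """Return a dict of findings for one system directory (hypothetical keys)."""
    files = _index(system_dir)
    found = [name for name in ARTIFACTS if name in files]
    report = {"artifacts": found, "suspect": bool(found),
              "wsock32_read_only": None, "wsock32_differs_from_backup": None}
    dll = files.get("WSOCK32.DLL")
    if dll:
        # The Windows read-only attribute shows up as "no write bits" in st_mode.
        write_bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
        report["wsock32_read_only"] = not (os.stat(dll).st_mode & write_bits)
        backup = files.get("WSOCK32.SKA")
        if backup:
            # Per the note, the original DLL is copied to WSOCK32.SKA and the
            # DLL is then modified, so differing hashes fit that pattern.
            report["wsock32_differs_from_backup"] = _sha256(dll) != _sha256(backup)
    return report


if __name__ == "__main__":
    for key, value in triage(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Any entry in the artifacts list marks the directory as suspect; a clean system should report an empty list and, if the mitigation above was applied, a read-only WSOCK32.DLL.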

Most virus scanning tools will detect and clean Happy99 from a system. Happy99 can be manually removed from affected systems. You can find the steps for this procedure at the following site:

http://www.symantec.com/avcenter/venc/data/happy99.worm.html

To detect and remove current viruses, you must update your scanning tools with the latest virus signatures or definitions. We also recommend you contact all of the people listed in the LISTE.SKA file. This file lists other people who may have received the Happy99 Trojan horse from you.

It is important to take great caution with any email or Usenet attachments that contain executable content. If attachments are in a message, we recommend that you save the file to the local drive and scan the file with a virus scanning product before you open or run the file. Be aware that this is not a guarantee that the contents of the file are safe, but it will check for viruses and Trojan horses that your scanning software can detect.

Not the Same as Melissa

Happy99 is not a macro virus and should not be confused with the Melissa Word macro virus. Further information about the Melissa Word macro virus can be found at the following site:

http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

Happy99 vs. Melissa Word Macro Virus

How does it propagate?
  • Happy99: email or Usenet attachment
  • Melissa: email or Usenet attachment

Where does it reside?
  • Happy99: Modified WSOCK32.DLL
  • Melissa: Macro in Microsoft Word documents

Who is it sent to?
  • Happy99: The recipients of the last message you sent out that are not in the LISTE.SKA file
  • Melissa: First 50 entries in each address book


This document is available from: http://www.cert.org/incident_notes/IN-99-02.html

CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

To subscribe to the CERT mailing list for advisories and bulletins, send email to [email protected]. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 1999 Carnegie Mellon University.