The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Happy99.exe Trojan Horse</h2>

Monday, March 29, 1999<p>
<h3>Overview</h3>
<p>Around January 20, 1999, we began receiving reports of a Trojan
horse program named Happy99.exe.  Anti-virus vendors have given this
program the following names: SKA, WSOCK32.SKA, SKA.EXE, I-Worm.Happy,
PE_SKA, Trojan.Happy99, Win32/SKA, and Happy99.Worm.

<h3>Description</h3>
<p>The first time Happy99.exe is executed, a fireworks display saying
"Happy 99" appears on the computer screen while, at the same time, the
program modifies system files.  The executable affects Microsoft Windows 95/98
and NT machines by

<ul>
<li>copying the WSOCK32.DLL file to WSOCK32.SKA</li>
<li>modifying the WSOCK32.DLL file, which is used for Internet connectivity</li>
<li>creating files called SKA.EXE and SKA.DLL in the system directory</li>
<li>creating an entry in the registry to start SKA.EXE</li>
</ul>
<p>Once Happy99 is installed, every email and Usenet posting sent by
an affected user triggers Happy99 to send a followup message
containing Happy99.exe as a uuencoded attachment.  Happy99 keeps track
of who received the Trojan horse message in a file called LISTE.SKA in
the system folder.  Note that messages containing the Trojan horse
will generally appear to come from someone you know.

<h3>Solutions</h3>
<p>You can prevent the spread of Happy99 by setting the
WSOCK32.DLL file attributes to "read only".

<p>Most virus scanning tools will detect and clean Happy99 from a
system. Happy99 can be manually removed from affected systems.  You
can find the steps for this procedure at the following site:

<p>
<dt><dd><a href="http://www.symantec.com/avcenter/venc/data/happy99.worm.html">
http://www.symantec.com/avcenter/venc/data/happy99.worm.html</a></dd></dt>
<p>
To detect and remove current viruses, you must update your scanning
tools with the latest virus signatures or definitions.  We also
recommend you contact all of the people listed in the LISTE.SKA file.
This file lists other people who may have received the Happy99
Trojan horse from you.
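
<p>A triage check built from the file names listed in this note, added here as an example and not part of the original incident note: it reports which Happy99 files are present in a given system directory, whether WSOCK32.DLL is read-only, and whether it differs from the WSOCK32.SKA copy. The function names, the report keys and the sample directory contents are assumptions made for illustration.</p>

```python
import hashlib
import os
import stat
import tempfile

# File names come from the incident note above.
ARTIFACTS = ("WSOCK32.SKA", "SKA.EXE", "SKA.DLL", "LISTE.SKA")


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def triage_system_dir(system_dir):
    """Report Happy99 file artifacts and the state of WSOCK32.DLL."""
    # Windows file names are case-insensitive, so index by upper-cased name.
    present = {}
    for name in os.listdir(system_dir):
        path = os.path.join(system_dir, name)
        if os.path.isfile(path):
            present[name.upper()] = path
    report = {
        "artifacts": sorted(n for n in ARTIFACTS if n in present),
        "wsock32_read_only": None,  # owner-write bit cleared; None if DLL absent
        "wsock32_differs_from_backup": None,  # None: nothing to compare
    }
    dll = present.get("WSOCK32.DLL")
    if dll:
        report["wsock32_read_only"] = not (os.stat(dll).st_mode & stat.S_IWUSR)
        backup = present.get("WSOCK32.SKA")
        if backup:
            # WSOCK32.SKA is the copy made before the DLL was modified.
            report["wsock32_differs_from_backup"] = _sha256(dll) != _sha256(backup)
    return report


def demo():
    """Run the triage over a constructed directory (placeholder contents)."""
    with tempfile.TemporaryDirectory() as d:
        files = {"wsock32.dll": b"modified", "Wsock32.ska": b"original",
                 "Ska.exe": b"x", "SKA.DLL": b"x", "liste.ska": b"x"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return triage_system_dir(d)


if __name__ == "__main__":
    print(demo())
```

<p>The registry entry that starts SKA.EXE is not checked, because this note does not name the key.</p>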

<p>It is important to take great caution with any email or Usenet
attachments that contain executable content.  If attachments are in a
message, we recommend that you save the file to the local drive and
scan the file with a virus scanning product before you open or run the
file.  Be aware that this is not a guarantee that the contents of the
file are safe, but it will check for viruses and Trojan horses
that your scanning software can detect.
 
<h3>Not the Same as Melissa</h3>
<p>
Happy99 is not a macro virus and should not be confused with the
Melissa Word macro virus.  Further information about the Melissa Word
macro virus can be found at the following site:

<p>
<dt><dd><a href="http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html">
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html</a></dd></dt>
<p>
<table border="" cellpadding="5" cellspacing="0">
<caption align="top"><b>Happy99 vs. Melissa Word Macro Virus</b></caption>
<tr>
<td></td>
<th>Happy 99</th>
<th>Melissa</th>
</tr>
<tr align="center">
<th>How does it propagate?</th>
<td>email or Usenet attachment</td>
<td>email or Usenet attachment</td>
</tr>
<tr align="center">
<th>Where does it reside?</th>
<td>Modified WSOCK32.DLL</td>
<td>Macro in Microsoft Word documents</td>
</tr>
<tr align="center">
<th>Who is it sent to?</th>
<td>The recipients of the last message you sent out that are not in the LISTE.SKA file</td>
<td>First 50 entries in each address book</td>
</tr>
</table>
<p>Copyright 1999 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p></p></p></p></p></p>