RMSKA – HAPPY99 Worm Remover

Description

HAPPY99.EXE is a newly discovered internet worm known as W32/Ska. Detection is available using the latest .DATs for VirusScan V4 Updates and HRLYDATS for VirusScan 3.

HAPPY99 travels on its own course and does not propagate as a virus on the host machine, other than to send itself to others.

The original file HAPPY99.EXE was coded by a virus author known as "Spanska", known for a number of viruses that infect PE type files. HAPPY99.EXE was distributed onto newsgroup servers and other places. Users would run the file and, unknown to them, it would send out copies of the worm to anyone they sent email to. It only works if the user is using an SMTP agent with their email.

When you run HAPPY99.EXE, it displays fireworks (a distraction) as it drops SKA.EXE and SKA.DLL onto the hard drive. It then makes a backup copy of WSOCK32.DLL as WSOCK32.SKA. SKA.EXE hooks calls to SMTP mail and also to newsgroup posting by the NNTP protocol. By hooking these calls, SKA.EXE can send itself again as HAPPY99.EXE, as an attachment to emails and to newsgroup postings.

HAPPY99 (W32/Ska) also keeps a log of emails sent to users in a file called "liste.ska".

Removal is more or less a manual process:

  • Boot to MS-DOS (WSOCK32.DLL cannot be changed under Windows)
  • REName WSOCK32.DLL to WSOCK32.BAD (or delete it)
  • REName WSOCK32.SKA to WSOCK32.DLL
  • DELete SKA.EXE, SKA.DLL, LISTE.SKA

    The above is sufficient to stop the worm from working.

  • Restart Windows

The worm also creates the registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.exe="Ska.exe"
Using REGEDIT, you can delete this entry. If you don't, Windows will ignore it.

The RMSKA.EXE available on the AVERT Team Stand-alone page will perform the above for you.
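
The file steps of the manual procedure above, as an added Python example (not RMSKA.EXE and not code from the original page), meant for an offline copy or mounted image of the directory that holds WSOCK32.DLL. The function name remove_ska and the directory argument are assumptions, since the page does not say where the files are dropped; the example also leaves WSOCK32.DLL in place when no WSOCK32.SKA backup exists to restore from.

```python
import os

# File names come from the advisory; matching is case-insensitive (FAT volumes).
WORM_FILES = ("SKA.EXE", "SKA.DLL", "LISTE.SKA")
BACKUP, LIVE, SET_ASIDE = "WSOCK32.SKA", "WSOCK32.DLL", "WSOCK32.BAD"


def remove_ska(directory, dry_run=True):
    """Apply the advisory's file steps to `directory` (hypothetical helper).

    Returns the list of actions taken, or planned when dry_run is True.
    """
    # Map upper-cased name -> actual on-disk name.
    found = {n.upper(): n for n in os.listdir(directory)
             if os.path.isfile(os.path.join(directory, n))}

    def on_disk(name):
        return os.path.join(directory, found[name])

    actions = []
    if BACKUP in found:
        # Set the current DLL aside only when the backup can take its place;
        # otherwise the system would be left with no WSOCK32.DLL at all.
        if LIVE in found:
            actions.append(("rename", found[LIVE], SET_ASIDE))
            if not dry_run:
                os.replace(on_disk(LIVE), os.path.join(directory, SET_ASIDE))
        actions.append(("rename", found[BACKUP], LIVE))
        if not dry_run:
            os.replace(on_disk(BACKUP), os.path.join(directory, LIVE))
    elif any(name in found for name in WORM_FILES):
        actions.append(("warn", LIVE, "no WSOCK32.SKA backup; DLL left in place"))

    for name in WORM_FILES:
        if name in found:
            actions.append(("delete", found[name], None))
            if not dry_run:
                os.remove(on_disk(name))
    return actions


if __name__ == "__main__":
    import sys
    # Dry run by default: print the plan for the directory given on the command line.
    for action in remove_ska(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(action)
```

Run it with dry_run=True first and review the returned plan before applying it with dry_run=False.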