W32/SKA Worm Information

Description and History of HAPPY99

HAPPY99.EXE is an internet worm known as W32/Ska. Detection is available using the current .DAT files for VirusScan. W32/Ska travels in SMTP email messages, each sent as a secondary message following an initial send-mail operation. W32/Ska also travels in a similar fashion via postings to newsgroups using the NNTP protocol.

The original file HAPPY99.EXE was coded by a virus author known as "Spanska", who is known for a number of viruses that infect PE-type files. HAPPY99.EXE was distributed onto newsgroup servers and other places. Users would run the file and, unknown to them, it would send out copies of the worm to anyone they sent email to. It works only if the user is using an SMTP agent for their email.

If you run HAPPY99.EXE, it displays fireworks as a distraction while it drops SKA.EXE and SKA.DLL onto the hard drive. It then makes a backup copy of WSOCK32.DLL as WSOCK32.SKA. WSOCK32.DLL is then patched with two routines containing instructions to send HAPPY99.EXE as an attachment to emails sent via SMTP and to newsgroup postings made via NNTP. The email messages and newsgroup postings containing HAPPY99.EXE are separate from your initial email message or post. A log of email addresses is kept in the file "liste.ska", which is in text format.

 

Removal Instructions

A command line tool designed for Win95/Win98 systems is available to remove the worm from your system(s):

http://www.avertlabs.com/public/stand_alone/RMSKA.ZIP

It performs the necessary steps of renaming and removing files that are listed in the manual steps below:

CD C:\WINDOWS\SYSTEM

COPY WSOCK32.SKA WSOCK32.DLL /y

DEL SKA.???

MOVE LISTE.SKA C:\WINDOWS\DESKTOP\SKALIST.TXT

EXIT

As a final cleanup step, note that the worm also creates a registry entry, which can either be ignored or corrected. The registry entry is in this location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Ska.exe="Ska.exe"

The tool RMSKA.EXE will remove this registry entry for you.
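
The file artifacts named above can also be checked offline, for example against a copy of the SYSTEM directory taken from a disk image. The Python below is an added example, not part of the original advisory or of RMSKA; the function name triage, the report keys and the directory argument are assumptions, and it does not inspect the registry.

```python
import hashlib
from pathlib import Path

# File names come from the advisory; they are matched case-insensitively
# because FAT file systems do not preserve a reliable case.
DROPPED = ("ska.exe", "ska.dll")
BACKUP, PATCHED, ADDR_LOG = "wsock32.ska", "wsock32.dll", "liste.ska"


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(system_dir):
    """Report W32/Ska file artifacts in a copy of the Windows SYSTEM directory."""
    files = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    if BACKUP not in files:
        state = "no backup found"
    elif PATCHED not in files:
        state = "wsock32.dll missing"
    else:
        # The worm saves the original DLL as WSOCK32.SKA before patching it,
        # so a differing pair means the patched DLL is still in place.
        same = _sha256(files[BACKUP]) == _sha256(files[PATCHED])
        state = "restored" if same else "differs from backup"
    report = {
        "dropped": sorted(n for n in DROPPED if n in files),
        "address_log": ADDR_LOG in files,
        "backup_present": BACKUP in files,
        "wsock32_state": state,
    }
    report["artifacts_found"] = bool(
        report["dropped"] or report["address_log"] or report["backup_present"]
    )
    return report


if __name__ == "__main__":
    import sys
    for key, value in triage(sys.argv[1]).items():
        print(f"{key}: {value}")
```

After the manual steps above, WSOCK32.SKA is still on disk, so the expected result on a cleaned system is wsock32_state "restored" with no dropped files and no address log.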