Forum Archive Index - October 1999
[sharechat] Happy99 Virus....
I have copied this from the net in case it helps anyone... Don't know if it
works because I didn't open the happy99 file. Believe it would because I
trust the source.
http://www.zeuter.com/~tburden/happy99.htm
The Happy99.exe E-Mail Trojan
What It Is and What to Do About It
--------------------------------------------------------------------------------
What is the happy99.exe Trojan?
You may have seen an attachment to some e-mail you have received that is
called happy99.exe. If you were one of the unlucky people that tried to open
this attachment and run it, you may have seen a beautiful fireworks display.
You may have been so impressed that you forwarded the attachment to your
friends. Your e-mail would still be working fine and all your internet
services would seem normal...until the next time you rebooted your computer:
then the trouble would begin. The happy99.exe program contains what is
referred to as a ska trojan, which directs your computer to do certain
sneaky things behind your back. For example, it sends a copy of the
happy99.exe program to all the people you correspond with...entirely without
your knowledge! And that's not all...it can stop your e-mail and internet
services from functioning properly and can even shut down your e-mail
program entirely. Perhaps worst of all, it can be a source of embarrassment
for you at your work or among your friends.
Technically, happy99 is not a virus but a trojan, as it cannot
self-replicate, and requires YOUR HELP to become effective. The program
cannot boot itself and can only run if YOU run it.
Who can catch this 'virus'?
ONLY people running the 32-bit versions of Windows are subject to this
trojan. This is because the program needs to find and overwrite the 32-bit
winsock (wsock32.dll) to do its thing. That means users of Mac, Linux, Unix,
and Windows 3.x are not at risk: only Windows 95/98 users need worry about
it.
Furthermore, only people who actually run the happy99.exe program will
experience any problem. You cannot catch this virus just by receiving
infected e-mail. You HAVE to run the program.
How can I avoid happy99.exe?
As a general precaution, you should NEVER run an .exe attachment to e-mail,
regardless of its source, unless you KNOW EXACTLY what it is and what it
will do. Make sure that the person sending you the e-mail is aware of the
attachment and has told you what it will do. This does not apply to attached
files of other types, such as .jpg or .txt files. You cannot catch a virus
from any other type of file than an .exe file (or a .zip file, if this
contains .exe files :)
Never run the happy99.exe file attachment. Discard the mail as soon as you
receive it, just in case another member of your workgroup or your family
finds the file and tries to run it!
I've seen the fireworks...what do I do now?
Ok, so you've run the program and you've seen the fireworks. Or you've
gotten a nasty e-mail from a colleague or friend informing you that you
infected them with a nasty virus. Don't panic! The fix is actually fairly
simple.
The first thing you need to do is make sure you are infected. This is easy:
just use Windows' handy Find function on the Start menu. Search your hard
drive (usually drive c: make sure c: appears in the Look In box) and search
for ska. If you are infected, the following files will show up:
ska.exe
ska.dll
wsock32.ska
and perhaps
liste.ska
If you have these files, you might be tempted to delete them. DO NOT! The
wsock32.ska file is actually the good version of your wsock32.dll, and the
wsock32.dll on your system is infected with bad instructions.
Basically, we are going to overwrite the bad wsock32.dll with the good
wsock32.ska and then we are going to rename wsock32.ska to wsock32.dll so
that your internet tools can use it again. While we're at it we'll delete
ska.exe and ska.dll. You can try to do this in Windows, but if you are using
Win95 with integrated Explorer, or any version of Win98, you'll find the
computer won't let you mess with the wsock32.dll file. It wouldn't let
happy99 fool with that file either...that's why happy99 had to wait until
you rebooted your computer to do its dirty job. Anyway we are going to have
to do our fixing in MS-DOS mode.
To get into MS-DOS mode, go to Start, Shut Down, then click Restart in
MS-DOS Mode, then hit "yes" or "OK".
Now you should see C:\WINDOWS. You need to type the following commands
EXACTLY as written. Where you see [enter], that means hit the 'enter' or
'return' key.
Type
cd system [enter]
Now you should see C:\WINDOWS\SYSTEM
Type
attrib -h wsock32.dll [enter]
attrib -r wsock32.dll [enter]
copy wsock32.ska wsock32.dll [enter]
Type 'y' for 'yes' when it asks you if you really want to overwrite
wsock32.dll. You really do.
Now type
ren wsock32.ska wsock32.dll [enter]
If the system won't let you do this, type
del wsock32.dll [enter]
ren wsock32.ska wsock32.dll [enter]
Now for the finishing flourish:
del ska.exe [enter]
del ska.dll [enter]
Congratulations...you are trojan-free again.
Now type exit. If the computer does not automatically restart in Windows,
restart it manually.
Try sending yourself an e-mail, to test that everything is working. Check
whether you have sent yourself the happy99.exe attachment, while you're at
it. If you did everything right, you didn't.
One last thing. Use Windows Find again to search for liste.ska . When you
find it, double-click on it to open it. You will see a list of all the
people you accidentally sent the happy99.exe attachment to. You might want
to get in touch with them and warn them not to open that attachment. If they
did already, direct them to this page. If they did not, but they are mad at
you anyway, reassure them that you are now clean and safe and that they have
nothing to fear from your e-mail.
These instructions didn't work...now what?
If you have any trouble with these instructions, feel free to e-mail us at
help@zeuter.com...assuming your e-mail still works. Keep in mind that these
instructions are advice only and Zeuter does not accept any responsibility
for any damage or loss that may occur as you carry out these procedures, and
nor does Zeuter explicitly or implicitly guarantee the results of these
procedures.
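Added example, not part of the original post or the Zeuter page: a Python check that applies the post's "search for ska" step to a copy of the WINDOWS\SYSTEM directory and reports whether the restore described above is still possible. The state names, function names and sample directories are constructed for illustration.

```python
import os
import tempfile

# Indicator file names taken from the post; Windows 9x names are case-insensitive.
DROPPED = ("ska.exe", "ska.dll")
BACKUP = "wsock32.ska"    # per the post, the good copy of wsock32.dll
SENT_LIST = "liste.ska"   # per the post, the list of people the attachment went to


def check_system_dir(path):
    """Classify a directory by which of the post's indicator files it contains."""
    present = {name.lower() for name in os.listdir(path)}
    found = sorted(n for n in DROPPED + (BACKUP, SENT_LIST) if n in present)
    if BACKUP in present:
        # The good winsock copy exists, so the post's copy/rename step can run.
        state = "infected-restorable"
    elif any(n in present for n in DROPPED):
        # Dropped files remain but the backup is gone: the post's copy step
        # has nothing to copy from (state name is this example's own).
        state = "infected-no-backup"
    elif SENT_LIST in present:
        # What the post's procedure leaves behind after a successful cleanup.
        state = "residue-only"
    else:
        state = "no-indicators"
    return {"state": state, "found": found,
            "review_recipients": SENT_LIST in present}


def make_sample_dir(names):
    """Build a constructed sample directory of empty files for demonstration."""
    d = tempfile.mkdtemp()
    for n in names:
        open(os.path.join(d, n), "w").close()
    return d


if __name__ == "__main__":
    sample = make_sample_dir(
        ["WSOCK32.DLL", "SKA.EXE", "SKA.DLL", "WSOCK32.SKA", "LISTE.SKA"])
    print(check_system_dir(sample))
```
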