_________________________________________________________________________

 Happy99.exe Explained ---By Ankit Fadia <ankit@bol.net.in>
_________________________________________________________________________


Have you gotten a mail from someone with a file "happy99.exe" as an
attachment? And did you run it to see a wonderful display of colorful
fireworks? Well, then your system is infected by the Happy99 worm. And
you are unknowingly passing on the infection to everyone you send an
email to.

How do I know that my system is infected?

When Happy99 first hit the Internet, not many virus scanners could
detect this virus and one had to remove the worm manually from the
system. Now the scene has changed: almost a year after the worm first
hit the net, almost all scanners detect its presence and remove it
immediately. But we are hackers, we do not need any antivirus to remove
a worm, we will remove it manually.

Happy99.exe the working:
Now when you get an email with happy99.exe attached, your system will
NOT get infected by just reading the mail; you have to run the exe file
to infect your system. When you run the attachment you will be shown a
colourful display of fireworks on the screen. While you are enjoying the
fireworks display, the worm in the background replaces your wsock32.dll
file with one of its own. As a result, whenever you send someone an
email, the worm is sent to the recipients as an attachment.

Am I infected?

Go to MSDOS and type:

c:\windows>cd system
c:\windows\system>dir ska*

If you see ska.exe and ska.dll listed then you can be sure that you are
infected. You can also type the following:

c:\windows\system>dir wsock*

If you are infected then it will list wsock32.dll and wsock32.ska.

OK, I am infected. How do I clean my system?

To remove the worm, restart in MSDOS mode. Then go to the
windows\system directory by typing:

c:\windows>cd system

Then delete ska.exe and ska.dll by typing:

c:\windows\system>del ska*

then delete wsock32.dll by typing:

c:\windows\system>del wsock32.dll

then rename your original wsock32.dll, which was renamed by the worm to
wsock32.ska, back to wsock32.dll. To do so, type the following at the
DOS prompt:

c:\windows\system>ren wsock32.ska wsock32.dll

****************************
Now let's say your machine was infected 10 days ago and since then you
have sent mails to many of your friends. As your system was infected,
the Happy99.exe worm was also sent to them. To see the list of people to
whom you mailed the worm, view the liste.ska file in the windows\system
directory by typing:

c:\windows\system>type liste.ska

This will show a list of email addresses to whom the virus was mailed.

****************************
OK, back to disinfecting your system. Delete the liste.ska file too by
typing:

c:\windows\system>del liste.ska

Now reboot the system to a clean machine. Next time you get an email
with the attachment Happy99.exe, delete it immediately. Keep in mind
that it is very easy to rename the worm from happy99.exe to, say,
quake.exe. Basically, just remember the following things:

1. Your system will not be infected just by viewing an email.
2. Only files with extensions .exe .com .bat and even .dll can infect
your system. (.doc files may contain macro viruses.)
3. So always scan all attachments before opening them, even if you trust
the person who sent them to you.
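
The file checks from the sections above, as an added example (not part
of the original tutorial or of any tool it mentions), written in Python
for examining a copy of the windows\system directory. The function and
helper names, the sample addresses and the one-entry-per-line reading of
liste.ska are assumptions; it also reports whether wsock32.ska is
present, since deleting wsock32.dll without that backup leaves nothing
to rename back.

```python
import os
import tempfile

# Artifact names taken from the article; everything else here is an assumption.
WORM_FILES = ("ska.exe", "ska.dll")
BACKUP, WINSOCK, SENT_LOG = "wsock32.ska", "wsock32.dll", "liste.ska"


def check_happy99(system_dir):
    """Inspect a copy of windows\\system and report the article's indicators."""
    # FAT names are case-insensitive (SKA.EXE == ska.exe), so index by lowercase.
    present = {name.lower(): name for name in os.listdir(system_dir)}
    found = sorted(n for n in WORM_FILES + (BACKUP, SENT_LOG) if n in present)
    recipients = []
    if SENT_LOG in present:
        path = os.path.join(system_dir, present[SENT_LOG])
        with open(path, "r", errors="replace") as fh:
            # Treat each non-empty line as one logged entry (format assumed).
            recipients = [line.strip() for line in fh if line.strip()]
    return {
        "infected": any(n in present for n in WORM_FILES) or BACKUP in present,
        "found": found,
        # Deleting wsock32.dll is only safe when the backup exists to rename.
        "safe_to_restore": BACKUP in present,
        "recipients": recipients,
    }


def build_sample(root, names, log_lines=()):
    """Create a constructed sample directory for the demonstration."""
    for name in names:
        with open(os.path.join(root, name), "w") as fh:
            if name.lower() == SENT_LOG:
                fh.write("\n".join(log_lines) + "\n")


def demo():
    with tempfile.TemporaryDirectory() as infected, \
         tempfile.TemporaryDirectory() as clean:
        build_sample(infected, ["SKA.EXE", "SKA.DLL", "WSOCK32.DLL",
                                "WSOCK32.SKA", "LISTE.SKA"],
                     ["alice@example.com", "bob@example.com"])
        build_sample(clean, ["WSOCK32.DLL", "USER32.DLL"])
        return check_happy99(infected), check_happy99(clean)


if __name__ == "__main__":
    for report in demo():
        print(report)
```
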

If you have never received such an attachment, I have attached the
Happy99.exe worm, so you can open it and see it at work. I have also
attached software which will remove Happy99.exe and disinfect your
system. First try to remove it manually like I have described above,
then remove it with the software.
***************
Techie Tip: If your machine is infected, then all emails that you send
will have an extra header. Something like this:

X-Spansa:Yes

will show up in the headers. To find out how to view the headers in
your mail client, browse its help.
***************
Well, bye for now. Till then, Happy Virus Hunting!!!!

For any questions contact me at:
Ankit Fadia ankit@bol.net.in






