_________________________________________________________________________

Happy99.exe Explained
---By Ankit Fadia

_________________________________________________________________________

http://blacksun.box.sk

Have you gotten a mail from someone with a file "happy99.exe" as an attachment? And did you run it to see a wonderful display of colorful fireworks? Well then your system is infected by the Happy99 worm, and you are unknowingly passing the infection on to everyone you send an email to.

How do I know that my system is infected?

When Happy99 first hit the Internet not many virus scanners could detect this virus and one had to remove the worm manually from the system. Now the scene has changed: almost a year after the worm first hit the net, almost all scanners detect its presence and remove it immediately. But we are hackers, we do not need any anti virus to remove a worm, we will manually remove it.

Happy99.exe, the working:

Now when you get an email with happy99.exe attached your system will NOT get infected by just reading the mail; you will have to run the exe file to infect your system. When you run the attachment you will be shown a colourful display of fireworks on the screen. While you are enjoying the fireworks display the worm in the background replaces your wsock32.dll file with one of its own. As a result whenever you send someone an email the worm is sent to the recipient as an attachment.

Am I infected?

Go to MSDOS and type:

c:\windows>cd system
c:\windows\system>dir ska*

If you see ska.exe and ska.dll listed then you can be sure that you are infected. You can also type the following:

c:\windows\system>dir wsock*

If you are infected then it will list wsock32.dll and wsock32.ska.

Ok I am infected. How do I clean my system?
To remove the worm, restart in MSDOS mode. Then go to the windows\system directory by typing:

c:\windows>cd system

then delete ska.exe and ska.dll by typing:

c:\windows\system>del ska*

then delete the worm's wsock32.dll by typing:

c:\windows\system>del wsock32.dll

then rename your original wsock32.dll, which was renamed by the worm to wsock32.ska, back to wsock32.dll. To do so type the following at the DOS prompt:

c:\windows\system>ren wsock32.ska wsock32.dll

****************************

Now let's say your machine was infected 10 days ago and since then you have sent mails to many of your friends. As your system was infected, the Happy99.exe worm was also sent to them. To view a list of people to whom you mailed the worm, view the liste.ska file in the windows\system directory by typing:

c:\windows\system>type liste.ska

This will show a list of email addresses to whom the virus was mailed.

****************************

Ok back to de-infecting your system. Delete the liste.ska file too by typing:

c:\windows\system>del liste.ska

Now reboot the system to a clean machine. Next time you get an email with the attachment Happy99.exe delete it immediately. Actually it is very easy to rename the worm from happy99.exe to quake.exe. Basically just remember the following things:

1. Your system will not be infected just by viewing an email.
2. Only files with extensions .exe .com .bat and even .dll can infect your system. (.doc files may contain Macro Viruses.)
3. So always scan all attachments before opening them even if you trust the person who sent it to you.

If you have never received such an attachment I have attached the Happy99.exe worm. So you can open it and see it at work. I have also attached a software which will remove the Happy99.exe and disinfect your system. First try and remove it manually like I have described above then remove it with the software.

***************

Techie Tip: If your machine is infected then all emails that you send will have an extra header.
Something like this:

X-Spanska: Yes

will show up in the headers. To find out how to view the headers of your mail client browse the help of your mail client.

***************

Well Bye For Now, Till then Happy Virus Hunting!!!!

For any questions contact me at:

Ankit Fadia
ankit@bol.net.in

Join My mailing List for more tutorials by sending an email to programmingforhackers-subscribe@egroups.com

Published on Black Sun Research Facility - http://blacksun.box.sk
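As an added example (not part of the original article), the following Python script automates the checks described above: the ska.exe, ska.dll and wsock32.ska files in the windows\system directory, the addresses recorded in liste.ska, and the X-Spanska header the worm adds to outgoing mail. It works on a constructed stand-in directory with empty placeholder files rather than a real worm, and it assumes liste.ska holds one address per line; the system directory path is a parameter so it can be run against a copy of an infected machine's directory.

```python
import os
import tempfile
from email import message_from_string

# Indicators named in the article: files the worm drops in windows\system
# plus the renamed original winsock library and the recipient log.
WORM_FILES = ("ska.exe", "ska.dll", "wsock32.ska", "liste.ska")

def check_system_dir(system_dir):
    """Return the worm artefacts present in system_dir (case-insensitive, like FAT)."""
    present = {name.lower() for name in os.listdir(system_dir)}
    return [f for f in WORM_FILES if f in present]

def is_infected(system_dir):
    """The article's test: ska.exe/ska.dll present, or the original wsock32.ska exists."""
    found = set(check_system_dir(system_dir))
    return bool({"ska.exe", "ska.dll"} & found) or "wsock32.ska" in found

def notified_recipients(system_dir):
    """Addresses from liste.ska (assumed one per line), so the recipients can be warned."""
    path = os.path.join(system_dir, "liste.ska")
    if not os.path.exists(path):
        return []
    with open(path, encoding="latin-1") as fh:
        return [line.strip() for line in fh if line.strip()]

def carries_worm_header(raw_message):
    """Detect the X-Spanska: Yes header the worm adds to every outgoing email."""
    msg = message_from_string(raw_message)
    return msg.get("X-Spanska", "").strip().lower() == "yes"

def build_sample_system_dir(infected=True):
    """Constructed stand-in for the windows\\system directory; files are empty placeholders."""
    d = tempfile.mkdtemp()
    open(os.path.join(d, "wsock32.dll"), "w").close()
    if infected:
        for name in ("ska.exe", "ska.dll", "wsock32.ska"):
            open(os.path.join(d, name), "w").close()
        with open(os.path.join(d, "liste.ska"), "w") as fh:
            fh.write("alice@example.invalid\nbob@example.invalid\n")
    return d

# Constructed message as an infected machine would send it (no attachment included).
SAMPLE_MAIL = (
    "From: victim@example.invalid\r\nTo: friend@example.invalid\r\n"
    "Subject: hi\r\nX-Spanska: Yes\r\n\r\nsee attachment\r\n"
)

if __name__ == "__main__":
    d = build_sample_system_dir()
    print("infected:", is_infected(d), check_system_dir(d))
    print("recipients to warn:", notified_recipients(d))
    print("header flag in outgoing mail:", carries_worm_header(SAMPLE_MAIL))
```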