HAPPY99 Worm Warning - Steven J. Coker
Subject: HAPPY99 Worm Warning
From: Steven J. Coker
Date: February 08, 1999

NOTE: This warning is the exception to the rule.  Do not follow this as an
example and start sending virus warnings to the forum.  This type of message is
OFF TOPIC in the forum, unless posted by the Forum Manager.

I've recently received several emails from various people containing an attached
file named HAPPY99.EXE. Some of these were from Forum members.  Some were
addressed to the Forum, but they were blocked by our automatic screening
program.

The HAPPY99.EXE program is a WORM.  See below for more information about what
that means.  If you receive a message with that file attached don't execute it -
delete it immediately.
_______________________

VirusName: Happy99.Worm
Aliases: Trojan.Happy99, I-Worm.Happy

Description:
This is a worm program, NOT a virus. This program has reportedly been received
through email spamming and USENET newsgroup posting. The file is usually named
HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy New Year
1999 !!" showing a firework display to disguise its other actions. The program
copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into
WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM
directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification
to WSOCK32.DLL allows the worm routine to be triggered when a connect or send
activity is detected. When such online activity occurs, the modified code loads
the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with
UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this
email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is
online), the worm adds a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the worm manually:

 1. delete WINDOWS\SYSTEM\SKA.EXE 
 2. delete WINDOWS\SYSTEM\SKA.DLL 
 3. replace WINDOWS\SYSTEM\WSOCK32.DLL with
    WINDOWS\SYSTEM\WSOCK32.SKA 
 4. delete the downloaded file, usually named HAPPY99.EXE 

Safe Computing:
This worm and other trojan-horse type programs demonstrate the need to practice
safe computing. One should not execute any executable-file attachment (i.e. EXE,
SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article
from an unknown or an untrusted source.

Norton AntiVirus users can protect themselves from this worm by downloading the
virus definitions updates released on Jan 28, 1999 or later either through
LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html

Write-up by: Raul K. Elnitiarta - January 28, 1999
___________________

For more information regarding viruses see the following sites.

http://www.mcafee.com/
http://www.symantec.com/avcenter
http://www.symantec.com/avcenter/venc/data/happy99.worm.html
http://www.earthlink.net/daily/tuesday/macroviruses
http://www.cyberramp.net/hoax.htm

Unsolicited, unexplained attachments are unacceptable! 

"... you CAN get a virus by reading an attachment in an email message, such as
an MS Word or Excel document, which is infected by a macro virus. You can also
get a virus by running an executable program (such as *.exe , *.com or *.bat)
someone e-mails you as an attachment." -- SOURCE:
http://www.cyberramp.net/hoax.htm 

+ *********************************************************************** +
| Steven J. Coker                                         [email protected] |
| SCRoots Forum Manager                                 [email protected] |
| Coker Forum Manager                                 [email protected] |
| DuBose Forum Manager                               [email protected] |
| Post Office Box 359                               [email protected] |
| Charleston, SC 29402                             [email protected] |
| ***************************** - NOTICE - ****************************** |
| Unsolicited commercial messages, chain letters, pornography, and other  |
| junk email (i.e. SPAM) are not welcome.  Do not send SPAM to me or the  |
| Forums listed above. Each SPAM email will be investigated, the incident |
| will be reported, and the sender's access blocked.  There will be       |
| a $100 handling fee charged for the processing of each SPAM message.    |
+ *********************************************************************** +

==== SCROOTS Mailing List ====
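
The file and registry indicators listed in the write-up above can be checked mechanically. The following is an added example, not part of the original message or the quoted write-up; it assumes the WINDOWS\SYSTEM directory is available offline (for instance from a mounted disk image) and that RunOnce value data has been collected separately, and the names `triage`, `demo` and the state labels are hypothetical.

```python
import os
import tempfile

# File names taken from the write-up; all live in WINDOWS\SYSTEM.
WORM_FILES = ("SKA.EXE", "SKA.DLL")
BACKUP = "WSOCK32.SKA"   # the worm's copy of the original WSOCK32.DLL


def triage(system_dir, runonce_values=()):
    r"""Classify a WINDOWS\SYSTEM directory using the write-up's indicators.

    runonce_values: data strings found under HKLM ...\RunOnce, gathered by
    the analyst beforehand (assumed input; the registry is not read here).
    """
    # FAT file names are case-insensitive, so compare in upper case but
    # remember the on-disk spelling for the removal steps.
    present = {name.upper(): name for name in os.listdir(system_dir)}
    found = [f for f in WORM_FILES + (BACKUP,) if f in present]
    pending = any("SKA.EXE" in v.upper() for v in runonce_values)

    if BACKUP in present:
        state = "patched"   # backup exists, so WSOCK32.DLL was modified
    elif found or pending:
        state = "pending"   # dropped, DLL change deferred to next start
    else:
        state = "clean"

    # Removal steps 1-3 from the write-up, limited to what is on disk.
    steps = [f"delete {present[f]}" for f in WORM_FILES if f in present]
    if BACKUP in present:
        steps.append(f"replace WSOCK32.DLL with {present[BACKUP]}")
    return {"state": state, "found": found, "runonce": pending, "steps": steps}


def demo():
    # Constructed sample: empty files named like the worm's artifacts.
    with tempfile.TemporaryDirectory() as d:
        for name in ("wsock32.dll", "Ska.exe", "ska.dll", "WSOCK32.SKA"):
            open(os.path.join(d, name), "wb").close()
        return triage(d)


if __name__ == "__main__":
    print(demo())
```

The "pending" state corresponds to the case described above where WSOCK32.DLL was in use and the worm registered itself under RunOnce instead of modifying the DLL immediately.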



