RIS Happy99.exe removal instructions

Removing the Happy99 Internet Worm

Happy99 is actually an Internet "worm" not a virus. Its purpose for being is to replicate and send itself to the people you send mail to. In this way, it "worms" its way through the Internet. So far, Happy99 has not been found to cause any actual damage..

For information on Happy99 from Symantec (the makers of Norton AntiVirus) visit the Symantec AntiVirus Research Center. Symantec has also developed a small program to automatically complete the removal process detailed below. This program may be downloaded from the Symantec site at: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/fixhappy.exe

The nasty details:

You receive Happy99 as an attachment to an email. When you run this attachment, you see an animated picture like the one to the left.

While the fireworks are shooting off, Happy99 is installing itself on your computer.
The following changes are made to your computer:

the files "ska.exe" and "ska.dll" are added to the C:\windows\system folder
the existing wsock32.dll file is renamed to wsock32.ska, and Happy99 copies it's own wsock32.dll file into C:\windows\system folder.

If Happy99 cannot change the existing wsock32.dll file (because it is being used) it tells Windows to make the changes the next time you restart your computer.

When you send an email, Happy99 identifies who you are sending to, then makes a copy of itself and sends the copy to that address. The email will have your name as the sender, and the same subject as the message you just sent. Happy99 will only send itself to each email address once (from your computer.) Happy99 will also send itself to any newsgroups you post to. Happy99 maintains a list of who it sends to in the file "liste.ska".

How to find out if you have Happy99 (in Windows 95 or 98)

First, open My Computer. Click on the View menu at the top of the window, then click Options or Folder Options. Click on the View tab at the top of the window. In the list of options (Windows 95 and Windows 98 will not look the same) make sure you have "Show all files" selected, and that "Hide file extensions for known file types" is not checked. Then click OK and close My Computer.

Click Start ® Find ® Files or Folders. In the "Named" field type "ska.*" (without the quotes), make sure the "Look in:" field is set to your C: drive, and click Find Now. If two files are found ("ska.exe", or possibly just "ska", and "ska.dll") you are infected. If these files are not found, your system does not have the Happy99 worm and you do not need to follow the rest of these instructions.

If you find the files above, print this web page and follow the instructions below.

How to remove Happy99 (for Windows 95 or 98)

Click Start then Shut Down. Choose Restart/Restart the Computer and click Yes or OK.

While the computer is restarting, do the following: (This may require multiple attempts.)

For Windows 95 computers, push the F8 key as soon as you see the message "Starting Windows 95..."
For Windows 98 computers, hold down the CTRL key during the startup process.

When the Windows Startup Menu appears, choose Command Line only (usually option number 6) and push Enter.

When the command line prompt appears (e.g., C:\>) type, "cd c:\windows\system" and push Enter.

At the "C:\WINDOWS\SYSTEM>" prompt:

type "del ska.*" (without the quotes) and push Enter.
type "ren wsock32.dll wsock32.bad" (without the quotes) and push Enter.
type "ren wsock32.ska wsock32.dll" (without the quotes) and push Enter.

Push CTRL and ALT and DELETE on the keyboard at the same time to restart the computer.

When Windows has restarted, click Start ® Find ® Files or Folders. In the "Named" field type "happy99.exe" (without the quotes), make sure the "Look in:" field is set to your C: drive, and click Find Now. If any file is found with the name happy99.exe, highlight the file name and push "delete" on the keyboard. (An item can usually be highlighted by clicking on the name just once with the "left" mouse button. If you have single-click enabled, just hover the mouse pointer over the file name.) If you are asked, confirm that you want to delete this file.

Next, erase what is typed into the "Named" field of the Find Files window and type in "liste.ska" (without the quotes), then click Find Now. When this file is found, double click on the file name. When you are asked which program you would like to open the file with, choose WordPad. When the file opens, you will see a list of email addresses and newsgroups. This is a list who received the happy99.exe worm from you. I recommend you send an email to the individual email addresses letting them know they are potentially infected. Feel free to refer to this website to help them identify and remove Happy99. (The liste.ska file causes no harm to your computer or anyone else. You can print out this list and delete the file, or leave it on your computer for your reference.)

If you have any questions about the steps outlined on this page, please contact your Internet Service Provider. (Runestone Internet Services is only able to offer support to customers of our Internet Service.)

This document was last updated on Thursday, January 22, 2004, at 06:31 PM