Help! e-mail virus! : LUSENET : TimeBomb 2000 (Y2000) : One Thread

I know this is off subject, but I don't know who to ask about a virus that has appeared in my internet mail. It is a file "happy99" that displays fireworks upon opening. The problem is that it somehow deletes my message I send to someone, and inserts this file. The person getting the email only gets the file, and then infects their computer when they open it. It sends the "happy99" file only once to a person, but it sends it to any different email address I send mail to. How do I get rid of this thing? One person I infected with this virus, has a virus guard program on their computer, which did not stop it. Help!

-- mark (don', February 16, 1999


Yep, see the following link:


-- Arnie Rimmer (, February 16, 1999.

From Symantec:

Happy99.Worm VirusName: Happy99.Worm Aliases: Trojan.Happy99, I-Worm.Happy Likelihood: Common Region Reported: US, Europe Keys: Trojan Horse, Worm

Description: This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment.

When being executed, the program also opens a window entitled "Happy New Year 1999 !!" showing a firework display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries as SKA.DLL into WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL into WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=S KA.EXE

The registry entry loads the worm the next time Windows start.

Removing the worm manually:

1.delete WINDOWS\SYSTEM\SKA.EXE 2.delete WINDOWS\SYSTEM\SKA.DLL 3.replace WINDOWS\SYSTEM\WSOCK32.DLL with WINDOWS\SYSTEM\WSOCK32.SKA 4.delete the downloaded file, usually named HAPPY99.EXE

Safe Computing:

This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable-file attachment (i.e. EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article from an unknown or a untrusted source.

Norton AntiVirus users can protect themselves from this worm by downloading the virus definitions updates released on Jan 28, 1999 or later either through LiveUpdate or from the following webpage:

Write-up by: Raul K. Elnitiarta January 28, 1999

-- fcd (f@c.d), February 16, 1999.

See the Computer Virus Myths page, y'all, whose author says:


28 Jan 99

I GOT SWAMPED again with email concerning MSNBC reporter Bob Sullivan's story about "Happy99.EXE." Let me remind everyone: 2.8 trillion other filenames might also contain a virus or Trojan horse. We may wind up reading an MSNBC story about each one. I can't remember 2.8 trillion filenames, so I boiled it down to just two sentences:

Beware any file sent by someone you don't know. Beware any file sent by someone you DO know.

Let me also remind everyone: computer security alerts never die ... they just get a new life-cycl


I apologize in advance, got this yesterday and couldn't (wouldn't!) resist.


I know this guy whose neighbor, a young man, was home recovering from having been served a rat in his bucket of Kentucky Fried Chicken. So anyway, one day he went to sleep and when he awoke he was in his bathtub and it was full of ice and he was sore all over. When he got out of the tub he realized that HIS KIDNEYS HAD BEEN STOLEN and he saw a note on his mirror that said "Call 911!"

But he was afraid to use his phone because it was connected to his computer, and there was a virus on his computer that would destroy his hard drive if he opened an e-mail entitled "Join the crew!" He knew it wasn't a hoax because he himself was a computer programmer who was working on software to save us from Armageddon when the year 2000 rolls around.

His program will prevent a global disaster in which all the computers get together and distribute the $600 Neiman Marcus cookie recipe under the leadership of Bill Gates. (It's true-I read it all last week in a mass e-mail from BILL GATES HIMSELF, who was also promising me a free Disneyworld vacation and $5,000 if I would forward the e-mail to everyone I know.) The poor man then tried to call 911 from a pay phone to report his missing kidneys, but reaching into the coin-return slot he got jabbed with an HIV-infected needle around which was wrapped a note that said, "Welcome to the world of AIDS."

Luckily he was only a few blocks from the hospital--the one, actually, where that little boy who is dying of cancer is, the one whose last wish is for everyone in the world to send him an e-mail and the American Cancer Society has agreed to pay him a nickel for every e-mail he receives. I sent him two e-mails and one of them was a bunch of x's and o's in the shape of an angel (if you get it and forward it to twenty people you will have good luck, but if you send it to ten people you will only have ok luck, and if you send it to less than ten people you will have BAD LUCK FOR SEVEN YEARS). So anyway the poor guy tried to drive himself to the hospital, but on the way he noticed another car driving along without his lights on.

To be helpful, he flashed his lights at him and was promptly shot as part of a gang initiation. And it's a little-known fact that the Y2K problem caused the Dark Ages.

-- Old Git (, February 16, 1999.


-- Bobbi (, February 16, 1999.

ROFL Old Git!! This is the funniest "telephone game" I have ever seen. Isn't the internet wonderful? ;-)

-- Chris (, February 16, 1999.

Moderation questions? read the FAQ