Happy99.exe worm is in the wild

Worm is spreading quickly into North America, particularly in Silicon Valley.
Written by Bob Sullivan, Contributor
The Happy99.exe worm has spread very quickly around North America, particularly Silicon Valley, according to Dan Takata of Data Fellows Inc. "I now receive 20 or 30 copies of it every day," he told MSNBC.

The worm was apparently released on Usenet, and since last month there have been nearly 4,500 posts about it, many from users trying to find out how to disinfect their machines.

Happy99.exe started making its way around the Internet about Jan. 20, sending hundreds of copies of itself via e-mail attachments and newsgroup postings. According to Helsinki, Finland, data security firm Data Fellows Inc., the worm does not attempt to destroy files on infected machines, but it sends e-mails and newsgroup postings without the victim's knowledge and could cause network slowdowns or even crash corporate e-mail servers.

The worm, so designated because it can replicate on its own, arrives as an e-mail or newsgroup attachment and infects only users who run the attachment.

Once they do, all victims see is a window with a fireworks display. But behind the scenes, the worm alters the host computer's wsock32.dll file, the computer's doorway to the Internet. Then, each time a user initiates e-mail or newsgroup activity, by either receiving or sending e-mail or posting to a newsgroup, Happy99 spams the newsgroup or e-mail recipient with copies of itself. Any type of activity on port 25 or 119 will trigger spam activity, according to Takata, senior software support engineer of Data Fellows.

It also keeps a list of the spammed e-mail addresses and newsgroups in a separate file called LISTE.SKA.

Patch available
Because the original version of wsock32.dll is preserved in backup form as WSOCK32.SKA, newsgroup posters say they've been able to restore their machines without much difficulty. Data Fellows has a patch that recognizes the worm.
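A triage check built from the file names mentioned above, added here as an example; it is not a Data Fellows tool and not part of the original article. The directory argument and the report field names are assumptions, since the article does not say where the files are stored.

```python
import hashlib
import sys
from pathlib import Path

# File names taken from the article; matched case-insensitively because a
# disk image mounted on a case-sensitive filesystem may carry any casing.
ARTIFACTS = ("wsock32.dll", "wsock32.ska", "liste.ska")


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage_happy99(system_dir) -> dict:
    """Report Happy99 file artifacts found directly under system_dir.

    system_dir is an assumption: the caller points this at whichever
    directory holds wsock32.dll on the machine or image being examined.
    """
    found = {}
    for entry in Path(system_dir).iterdir():
        if entry.is_file() and entry.name.lower() in ARTIFACTS:
            found[entry.name.lower()] = entry

    dll, backup = found.get("wsock32.dll"), found.get("wsock32.ska")
    report = {
        "backup_present": backup is not None,
        "address_list_present": "liste.ska" in found,
        # The DLL counts as altered only when a backup exists and differs.
        "dll_differs_from_backup": bool(
            dll and backup and _sha256(dll) != _sha256(backup)
        ),
    }
    # Either leftover file is a sign the attachment was run on this host.
    report["suspected_infected"] = (
        report["backup_present"] or report["address_list_present"]
    )
    # Restoring the original DLL is only possible if the backup is there.
    report["restore_source"] = str(backup) if backup else None
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for key, value in triage_happy99(target).items():
        print(f"{key}: {value}")
```

A host where only LISTE.SKA remains is still flagged, but `restore_source` is `None`, so the DLL has to come from known-good media instead.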

It poses no risk to data, but can be more than a nuisance to network administrators.

"If you have 100 PCs and everyone is checking e-mail at 9 a.m. and this thing starts flying around, absolutely it can slow down a network," Takata said. "It can crash your e-mail server. I wouldn't be surprised if it did."

Because the e-mail header contains "MOUT-MOUT Hybrid (c) Spanska 1999," Takata speculated that the Happy99 author also wrote a series of viruses known as the Spanska viruses. Those were first reported in September 1997 and randomly displayed political messages, such as, "Remember those who died for Madrid."
