Happy99.exe worm spreads on Net
A computer worm called Happy99.exe is making its way around the Internet, sending hundreds of copies of itself via e-mail attachments and newsgroup postings.
According to Helsinki, Finland, data security firm Data Fellows Inc., the worm is currently in the wild in Europe and will likely spread very quickly to North America. It does not attempt to destroy files on infected machines, but it sends e-mails and newsgroup postings without the victim's knowledge and could cause network slowdowns or even crash corporate e-mail servers.
The worm, so-called because it can replicate on its own, first surfaced a little over a week ago, and since then, hundreds of newsgroup posters have complained about the annoyance.
Like most computer pests, it arrives as an e-mail or newsgroup attachment and infects only users who run the attachment.
Once they do, all victims see is a window with a fireworks display. But behind the scenes, the worm alters the host computer's winsock32.dll file, the computer's doorway to the Internet. Then, each time a user intiates e-mail or newsgroup activity, by either receiving or sending e-mail or posting to a newsgroup, Happy99 spams the newsgroup or e-mail recipient with copies of itself. Any type of activity on port 25 or 119 will trigger spam activity, according to Dan Takata, senior software support engineer of Data Fellows.
It also keeps a list of the spammed e-mail addresses and newsgroups in a separate file called LISTE.SKA.
Patch available
Because the original version of winsock32.dll is preserved in backup form as WSOCK32.SKA, newsgroup posters say they've been able to restore their machines without much difficulty. Data Fellows has a patch that recognizes the worm.
It poses no risk to data, but can be more than a nuisance to network administrators.
"If you have 100 PCs and everyone is checking e-mail at 9 a.m. and this thing starts flying around, absolutely it can slow down a network," Takata said. "It can crash your e-mail server. I wouldn't be surprised if it did."
Because the e-mail header contains "MOUT-MOUT Hybrid (c) Spanska 1999." Takata speculated that the Happy99 author also wrote a series of viruses known as the spanska viruses (click here for a description). Those were first reported in September 1997 and randomly displayed political messages, such as, "Remember those who died for Madrid."