Happy99 is a Win32-based Trojan program. When this program is executed it will display some fireworks. Apart from the fireworks display this program will do some other activity in the background without the user's permission. In the background this program will create two files SKA.EXE and SKA.DLL. It will alter WSOCK32.DLL to put its code into that file and keep the original file as WSOCK32.SKA. It can not modify the WSOCK32.DLL file if it is in use. In such a case this program will add an entry to the Windows Registry to run SKA.EXE the next time the computer is booted so that it can do these modifications. The size of this trojan file is 10000 bytes.
You will not get infected by Happy99 merely by downloading the trojan file. You will have to execute it to get infected.
The modified WSOCK32.DLL has routines to detect the email and newsgroup postings made by the user. It will send a copy of the SKA.EXE file renamed as happy99.exe to every user or newsgroup to whom the user sends an email. Each recipient will get the email only once and the trojan will not send repeat email to the same user. It will send a separate email retaining the subject of the first email with the file as an attachment. The trojan also maintains the file LISTE.SKA which contains the list of all email addresses and newsgroups to which this file has been sent. The unique function of this trojan is that it can spread on its own.
Happy99 first appeared in January 1999 and it is reported to have affected a lot of users."
==================================================
Steve Meeker wrote:
> Name: Happy99.exe
> Happy99.exe Type: unspecified type (application/octet-stream)
> Encoding: x-uuencode
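
A triage check for the file artifacts named in the description above, as an added example that is not part of the original message. It walks a directory tree and reports the listed file names; the directory layout and sample files in demo() are constructed, and the registry entry is not checked because the description does not name the key.

```python
import os
import tempfile

# Names and size come from the description above; matching ignores case.
ARTIFACTS = {
    "ska.exe": "trojan copy dropped on execution",
    "ska.dll": "trojan support library",
    "wsock32.ska": "backup of the original WSOCK32.DLL",
    "liste.ska": "list of addresses/newsgroups already mailed",
    "happy99.exe": "name used for the mailed attachment",
}
TROJAN_SIZE = 10000  # bytes, as stated in the description
SIZE_CHECKED = {"ska.exe", "happy99.exe"}


def scan(root):
    """Walk root and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {name.lower(): name for name in files}
        for key, reason in ARTIFACTS.items():
            if key not in lower:
                continue
            path = os.path.join(dirpath, lower[key])
            if key in SIZE_CHECKED:
                size = os.path.getsize(path)
                reason += f"; size {size} bytes (reported: {TROJAN_SIZE})"
            findings.append((path, reason))
        # The backup sitting beside WSOCK32.DLL implies the DLL was patched.
        if "wsock32.ska" in lower and "wsock32.dll" in lower:
            findings.append((os.path.join(dirpath, lower["wsock32.dll"]),
                             "likely modified; original kept as WSOCK32.SKA"))
    return findings


def demo():
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "SYSTEM")  # constructed sample layout
        os.mkdir(sysdir)
        for name, size in [("SKA.EXE", 10000), ("Ska.dll", 8),
                           ("WSOCK32.SKA", 16), ("WSOCK32.DLL", 16),
                           ("LISTE.SKA", 4), ("NOTEPAD.EXE", 10000)]:
            with open(os.path.join(sysdir, name), "wb") as fh:
                fh.write(b"\0" * size)
        return [(os.path.basename(p), r) for p, r in scan(root)]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

File size alone is not treated as an indicator, so the constructed 10000-byte NOTEPAD.EXE is not reported.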