[Date Prev][Date Next][Subject Prev][Subject Next][ Date Index][ Subject Index]

uninstalling Happy99 (was: installation problem)

Subject: uninstalling Happy99 (was: installation problem)
From: Peter Evans peterev@xxxxxxxx
Date: Sun, 21 Mar 1999 13:12:54 +0900

Yo! International:

>Now what? A uuencoded virus on the XY list? And I thought I had
>seen it all.

Well (inhale, cough), if he chooses to define "virus" to include "trojan"*,
he's right.

 *The species of software, not the record
  label or condom.

An acquaintance (Steven Ayres) wrote the following about this phenomenon to
another list:

>The Happy99 thing is real, though not particularly serious. . . .
>A couple of important aspects of it want pointing out: first it's
>a Trojan horse -- the cute little graphic program celebrating the
>new year covers a worm that crawls up inside all sorts of Windows
>facilities; second, it replicates itself by piggybacking on E-mail,
>and the victim is completely unaware that it's going out. So don't
>get pissed off at the person whose name it came in under.

And later:

>The infected list I spoke about earlier got this procedure for
>cleaning it out. If you get Happy99.exe as an attachment, *don't
>run the program*. Simply delete it and you'll be fine. If you
>happen to run it, *don't send any E-mail* until you've done the
>following. I haven't tested this procedure, since I don't
>ordinarily use GUI soft for E-mail. It seems like a very *orderly*
>little worm, making backups for you, etc.
>
>** Removal Procedure **
>
>Steps marked 'optional' are not absolutely necessary and are
>absolutely safe to skip.
>
>* Click Start, then Shut Down, then "Restart Computer in MS-DOS
>mode", then click Yes. At the DOS prompt type this exactly and
>press enter at the end of each line:
>
>CD \WINDOWS\SYSTEM
>
>If your Windows folder is not called WINDOWS then substitute the
>name of your Windows folder instead, for example:
>
>CD \WIN95\SYSTEM
>
>* Delete SKA.EXE and, SKA.DLL by typing
>
>DEL SKA.EXE
>DEL SKA.DLL
>
>If you get "File not found," you're either not infected or in
>the wrong directory. Make sure you're in your Windows System
>directory; check to see if you followed step 2 exactly.
>
>* Copy WSOCK32.SKA to WSOCK32.DLL by typing
>
>COPY WSOCK32.SKA WSOCK32.DLL
>
>Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.
>Explanation: WSOCK32.SKA is a backup of the original
>WSOCK32.DLL made by the virus. You are replacing the modified
>DLL with the original.
>
>* Optional: Delete WSOCK32.SKA by typing
>
>DEL WSOCK32.SKA
>
>You can leave WSOCK32.SKA on your system. It is a copy of your
>original WSOCK32.DLL
>
>* Return to Windows by typing
>EXIT
>
>* Optional: Click Start, then Run, then type
>
>REGEDIT
>
>in the text box, then click OK. Click HKEY_LOCAL_MACHINE,
>then Software, then Microsoft, then Windows, then
>CurrentVersion. Under RunOnce check for SKA.EXE and select
>it if it is there. Press delete and then click Yes. Close
>Regedit. Don't change anything else without making a backup
>of the registry first. If you don't find SKA.EXE in the
>registry, it doesn't mean you're not infected. SKA.EXE is
>only added to the registry if HAPPY99.EXE is unable to
>modify WSOCK32.DLL when you run it.
>
>* Optional: Choose Start, Programs, Accessories, Notepad,
>choose File, then Open then type
>
>C:\WINDOWS\SYSTEM\LISTE.SKA
>
>in the File Name box. Warn the people on the list, then
>delete LISTE.SKA
>
>****

Prev by Date: DON'T EXECUTE HAPPY99.EXE
Next by Date: RE: SmartWords
Previous by thread: RE: Unicomp Keyboard with left function keys
Next by thread: unintended absence
Index(es):
- Date
- Subject