It will create two files in the Windows System folder, SKA.EXE and SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will make a backup of WSOCK32.DLL under the name of WSOCK32.SKA. Then it will modify WSOCK32.DLL so it will try to access SKA.DLL under certain circumstances. It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a regular part of Windows that provides a connection to the Internet. If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be modified next time the computer starts. The modified WSOCK32.DLL will attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages. This second copy will have the same subject and recipient, but it will have an empty body. This virus will keep a list of message recipients in the file LISTE.SKA in the Windows System folder.
In my tests (sending an e-mail to myself :) this virus attached itself to a second copy of the e-mail message, with no problems and a barely noticeable delay. The outgoing message contains the header
X-Spanska: Yes
but this is normally not visible.
This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. However, it could overload an e-mail server if a lot of copies get passed around. Also, since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the modified WSOCK32.DLL cannot perform any viral action. However, using a modified WSOCK32.DLL could cause problems while on the Internet. Restoring the original WSOCK32.DLL will correct these problems.
This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV. However, someone using one of those could pass it along manually, for example by forwarding the message. I don't have a Windows NT machine to test it on, but I have reports that it will create SKA.EXE and SKA.DLL, but will fail to add itself to the registry or modify WSOCK32.DLL.
Some people have asked whether it is always called HAPPY99.EXE. This virus doesn't contain any code to change the name. However, it would be simple for a person to change it to anything they like.
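A mail-side check for the traits described above (the X-Spanska header, the HAPPY99.EXE attachment, and a copy whose body is otherwise empty), written as an added example that is not part of the original page. The function names, indicator labels and sample messages are constructed for illustration, and checking uuencoded attachments as well as MIME ones is an assumption, since the page does not say how the file is carried.

```python
import email
import re
from email import policy

# uuencode header line such as "begin 644 HAPPY99.EXE". Checking uuencode as
# well as MIME is an assumption; the page does not say how the file is carried.
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S.*)$", re.M)
UU_BLOCK = re.compile(r"^begin [0-7]{3,4} .*?^end\s*$", re.M | re.S)

# Constructed samples (not captured traffic).
SAMPLE_SECOND_COPY = (
    b"From: a@example.test\nTo: b@example.test\nSubject: lunch\n"
    b"X-Spanska: Yes\n\nbegin 644 HAPPY99.EXE\n#0V%T\n`\nend\n")
SAMPLE_CLEAN = (
    b"From: a@example.test\nTo: b@example.test\nSubject: lunch\n\n"
    b"See you at noon.\n")

def attachment_names(msg):
    """File names from MIME attachments and from uuencode 'begin' lines."""
    names = []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            names += UU_BEGIN.findall(part.get_content())
    return [n.strip() for n in names]

def body_text(msg):
    """Plain-text body with any uuencoded block stripped out."""
    part = msg.get_body(preferencelist=("plain",))
    return UU_BLOCK.sub("", part.get_content() if part else "").strip()

def happy99_indicators(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = attachment_names(msg)
    hits = []
    if msg["X-Spanska"] is not None:
        hits.append("x-spanska-header")
    if any(n.upper() == "HAPPY99.EXE" for n in names):
        hits.append("happy99-attachment")
    # The file can be renamed by hand, so also flag the message shape:
    # an executable attachment on a message whose body is otherwise empty.
    if any(n.upper().endswith(".EXE") for n in names) and not body_text(msg):
        hits.append("empty-body-with-exe")
    return hits

if __name__ == "__main__":
    for raw in (SAMPLE_SECOND_COPY, SAMPLE_CLEAN):
        print(happy99_indicators(raw))
```

The shape check on its own is a weak signal, since legitimate mail can carry an executable with no text, so treat it as a reason to inspect the message rather than as a verdict.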
It contains the encrypted text:
"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."
CD \WINDOWS\SYSTEM
If your Windows folder is not called WINDOWS then substitute the name of your Windows folder instead, for example:
CD \WIN95\SYSTEM

DEL SKA.EXE
DEL SKA.DLL
If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly.

COPY WSOCK32.SKA WSOCK32.DLL
Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL. Explanation: WSOCK32.SKA is a backup of the original WSOCK32.DLL made by the virus. You are replacing the modified DLL with the original.

DEL WSOCK32.SKA
You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL. Do not delete WSOCK32.SKA if you are unable to replace WSOCK32.DLL with WSOCK32.SKA.

EXIT