|Place of Origin||France|
|File Type(s)||exe, dll*|
Happy99 is an email/newsgroup worm that also behaves in some ways like a virus and trojan. It was created by Spanska and appeared in the 4th edition of the 29A virus magazine. Although Happy99 is in the wild, it has no destructive payload and is, as its author describes, a "sympathetic hitchhiker who uses your internet connection to travel, and thank you for the trip with a small animation."
The worm arrives in an email or news post attachment named Happy99.exe. This attachment is 10,000 bytes long. When the user executes the worm, it displays a window of fireworks. The worm copies itself to the Windows system folder as SKA.EXE and creates SKA.DLL in that folder.
It makes a copy of WSOCK32.DLL and names it WSOCK32.SKA. The worm checks if WSOCK32.DLL is being used in memory. If it is not, Happy99 will modify WSOCK32.DLL in a way that causes SKA.EXE to run whenever WSOCK32.DLL is started. If it is in use, the worm modifies the Local Machine registry key that allows it to run once when the machine is started. This is likely in the hope that WSOCK32.DLL will not be in use the second the machine starts.
Happy99 modifies WSOCK32.DLL so that when its "connect" or "send" APIs are called, it loads SKA.DLL. SKA.DLL contains "news" and "mail", two functions that cause the worm to send itself to the destination of any email (if the email client supports SMTP) or newsgroup posting the user sends.
Every time an email or newspost is sent, the worm sends a second email or newspost. The sender address will be that of the actual sender.
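A defender-side triage sketch for the file artifacts described above, added here as an example and not taken from the worm's source or any vendor tool: it checks a folder for SKA.EXE, SKA.DLL and WSOCK32.SKA and compares WSOCK32.DLL with its WSOCK32.SKA copy. The function names, the stage labels and the placeholder files written by `build_sample` are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

DROPPER_SIZE = 10_000  # attachment size stated on the page; SKA.EXE is a copy of it
ARTIFACTS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")  # names stated on the page

def _index(folder):
    # Windows file names are case-insensitive, so index by upper-cased name.
    return {p.name.upper(): p for p in Path(folder).iterdir() if p.is_file()}

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(system_dir):
    """Report which Happy99 file artifacts exist and whether WSOCK32.DLL changed."""
    files = _index(system_dir)
    present = [name for name in ARTIFACTS if name in files]
    report = {"artifacts": present, "size_match": False,
              "stage": "artifacts-only" if present else "no-artifacts"}
    ska = files.get("SKA.EXE")
    if ska is not None:
        report["size_match"] = ska.stat().st_size == DROPPER_SIZE
    backup, live = files.get("WSOCK32.SKA"), files.get("WSOCK32.DLL")
    if backup is not None and live is not None:
        # Assumption drawn from the page's order of events: WSOCK32.SKA is the
        # copy taken before patching, so a differing live DLL means it was
        # modified; identical files mean the patch was deferred to next boot.
        differs = _sha256(backup) != _sha256(live)
        report["stage"] = "wsock32-modified" if differs else "modification-pending"
    return report

def build_sample(folder, patched):
    """Constructed sample folder: placeholder bytes only, no worm code."""
    root = Path(folder)
    original = b"PLACEHOLDER-ORIGINAL-WSOCK32"
    (root / "Ska.exe").write_bytes(b"\x00" * DROPPER_SIZE)
    (root / "Ska.dll").write_bytes(b"placeholder")
    (root / "Wsock32.ska").write_bytes(original)
    (root / "Wsock32.dll").write_bytes(original + (b"-PATCHED" if patched else b""))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, patched=True)
        print(triage(tmp))
```

A WSOCK32.DLL that differs from WSOCK32.SKA can also be the result of a later system update, so treat the "wsock32-modified" stage as a prompt to verify the DLL against a known-good copy.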
Lacking any destructive payload, Happy99 is not likely to ever cause any damage. In a debate on alt.comp.virus, Spanska speculated that between 9,000 and 15,000 computers had been infected with the worm.
The worm contains the hidden text string: "Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999." The worm is available in source code and binary format from the 4th issue of 29A.
Happy99's status as a worm, virus or trojan was a subject of some debate. Some cited the fact that the user had to activate the worm as evidence that it is a trojan. Others noted its modification of WSOCK32.DLL as evidence that it is a virus. The Virus Encyclopedia classifies it as a worm, because it is an independent program that moves through computers and networks. This encyclopedia does not view it as a trojan because, regardless of how it is activated, it ends up moving to another system without anyone intending for it to specifically go there. While it does modify WSOCK32.DLL, the modification does not turn that file into a DLL infector that can then infect other DLL files, and therefore it also fails to meet the definition of a virus.