Support |
The instructions were posted by Jeff Duke on 13 February at 7:05 a.m. The instructions are good. For more information, read up on the Happy99 phenomenon at Symantec and other virus-related websites around the Internet: Symantec: http://www.symantec.com/avcenter/venc/data/happy99.worm.html Dude at Geocities: http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM These two are quite prominent. You should look up the thread a few days back on the Happy99 worm. If you know the McAffee website, they also have a large page on Happy99. MAIN THING: Do not run programs you receive via e-mail without knowing what they are. If you do get Happy99 via e-mail, DO NOT RUN IT. If you have Vortex patches worth sharing, visit: Andy's Vortex Page: http://members.aol.com/soundfnr/vortex.htm Be well. Javier Berkeley -----Original Message----- From: Tim Nelson [mailto:tcn62@ici.net] Sent: Thursday 18 February 1999 7:11 AM To: Loopers-Delight@annihilist.com Subject: HAPPY99 Diagnosis & Removal This info may be redundant, or possibly redundant, but I thought I'd pass it along. I have no idea who wrote these instructions originally, so I don't know if I trust it; suspicion, paranoia, I feel like Mulder... It might be helpful if one of you on the list who's better versed in DOS than I am could look the enclosed instructions over to confirm that I'm actually passing along good information and not just clouding the water... The thing I'm leery of is how we've been warned by other postings not to restart without taking care of the problem first, while the first thing this one tells us to do is to restart in DOS mode... So a short reply to the list from someone who would know better than I either confirming the instructions or sounding the BS alarm would be appreciated. Thanks, Tim BTW, I never saw any fireworks either, just a bunch of gibberish, and didn't see or open any attachments, and I have restarted successfully several times since the scare, so I'm pretty sure I'm all set, but would still appreciate if one of you could give the omini-domini to the removal instructions... ------------------------------------- >This one is for real. I haven't seen this e-mail, but they tend to go >>around for a long time. You may want to make a note of the name for >future >>reference. Hopefully we won't ever see it. >> >>The virus, HAPPY99.EXE can not infect your computer unless you actually >>run/execute the program! The program, happy99.exe would have come >attached >>to an EMAIL. If you double clicked on happy.exe, you would then see >>fireworks. >>If you did not get the program happy99.exe attached to an email, or you >>didn't execute the program if you did receive it, then you are NOT infected >>with the virus!! >>If you did execute the program, you have the virus and are passing it along >>to others! >>Here are instructions for removing this virus: >>Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then >>click Yes. It's important to do this so you can make the necessary changes. >>At the DOS prompt type this exactly and press enter at the end of each line: >>CD \WINDOWS\SYSTEM >>If that doesn't work, try >>CD SYSTEM >>Delete SKA.EXE and SKA.DLL by typing >>DEL SKA.EXE >>DEL SKA.DLL >>If you get "File not found" you're either not infected or in the wrong >>directory. Make sure you're in your Windows System directory; check to >see >>if you followed step 2 exactly. >>Copy WSOCK32.SKA to WSOCK32.DLL by typing >>COPY WSOCK32.SKA WSOCK32.DLL >>Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL. >Explanation: >>WSOCK32.SKA is a backup of the original WSOCK32.DLL made by the virus. >You >>are replacing the modified DLL with the original. Delete WSOCK32.SKA by >>typing >>DEL WSOCK32.SKA Do not delete WSOCK32.SKA if you are unable to replace >>WSOCK32.DLL with WSOCK32.SKA. >>Return to Windows by typing >>EXIT >>Optional: Choose Start, Programs, Accessories, Notepad, choose File, then >>Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the >>people on the list, then delete LISTE.SKA >> >>