Background

W32/Ska.A-m (Happy99.exe) is a Windows based e-mail and news group worm. When Happy99.exe is run on an uninfected PC it displays fireworks and a message saying Happy New Year 1999.

When it's run for the first time, Happy99.exe, installs itself by creating SKA.EXE and SKA.DLL in the \Windows\System directory. W32/Ska.A-m then patches WSOCK32.DLL so that it can hook the "Connect" or "Send" APIs. Once it has successfully installed itself on a PC every e-mail and news group posting sent from that PC will be followed by a second message with the same subject as the original message but containing only the Happy99.exe file in UUencoded format.

For a full description of W32/Ska.A-m see the F-Secure Virus Information pages at: <http://www.f-secure.com/v-descs/ska.shtml>.

Removal Instructions

You can either print out this page or download these step by step removal instructions in Windows Write format (Happy99.wri).

1. Shut down you computer normally and restart in a Safe Mode Command Prompt (you can reach a Safe Mode Command Prompt by pressing F8 when you see the text message "Starting Windows 95" in the upper left hand corner of the screen and choosing "Safe Mode Command Prompt Only" from the Startup option menu).
2. At the C:\> prompt type: CD\WINDOWS\SYSTEM [Enter]
3. At the C:\WINDOWS\SYSTEM> Prompt type: Del SKA.* [Enter]
4. At the C:\WINDOWS\SYSTEM> Prompt type: Ren WSOCK32.DLL WSOCK32.OLD [Enter]
5. At the C:\WINDOWS\SYSTEM> Prompt type: Ren WSOCK32.SKA WSOCK32.DLL [Enter]
6. At the C:\WINDOWS\SYSTEM> Prompt type: ATTRIB WSOCK32.DLL +R [Enter]
7. At the C:\WINDOWS\SYSTEM> Prompt type: Ren LISTE.SKA LISTE.TXT [Enter]
8. Restart your computer normally and delete the original HAPPY99.EXE file.
9. Open LISTE.TXT in Notepad and print it out. LISTE.TXT contains a list of e-mail addresses that W32/Ska.A-m has been sent to. I would suggest sending a brief note explaining the problem and copy of these instructions to each of those addresses.
10. Congratulations! Your Computer is now free of the W32/Ska.A-m worm.