Happy99
Type: Email worm
Creator: Spanska
Date Discovered: 1999.01.27
Place of Origin: France
Source Language: Assembly
Platform: MS Windows
File Type(s): exe, dll*
Infection Length: 10,000 bytes
Reported Costs:

Happy99 is an email/newsgroup worm that also behaves in some ways like a virus and a trojan. It was created by Spanska and appeared in the 4th edition of the 29A virus magazine. Although Happy99 is in the wild, it has no destructive payload and is, as its author describes, a "sympathetic hitchhiker who uses your internet connection to travel, and thank you for the trip with a small animation."

Behavior

The worm arrives in an email or news post attachment named Happy99.exe. This attachment is 10,000 bytes long. When the user executes the worm, it displays a window of fireworks. The worm copies itself to the Windows system folder as SKA.EXE and creates SKA.DLL in that folder.


It makes a copy of WSOCK32.DLL and names it WSOCK32.SKA. The worm checks if WSOCK32.DLL is being used in memory. If it is not, Happy99 will modify WSOCK32.DLL in a way that causes SKA.EXE to run whenever WSOCK32.DLL is started. If it is in use, the worm modifies the Local Machine registry key that allows it to run once when the machine is started. This is likely in the hope that WSOCK32.DLL will not be in use the second the machine starts.

Happy99 modifies WSOCK32.DLL so that when its "connect" or "send" APIs are called, it loads SKA.DLL. SKA.DLL contains "news" and "mail", two functions that cause the worm to send itself along with any email (if the email client supports SMTP) or newsgroup posting the user sends.

Every time an email or newspost is sent, the worm sends a second email or newspost. The sender address will be that of the actual sender.
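
The file artifacts described in this section can be checked mechanically. The following is an added example, not code from this page or its sources: a Python triage of a Windows system folder. The function names, the constructed sample folders and the reading of WSOCK32.SKA as the unmodified copy of the DLL are assumptions.

```python
import tempfile
from pathlib import Path

# File names taken from the description above; matched case-insensitively
# because Windows file names are not case-sensitive.
ARTIFACTS = ("ska.exe", "ska.dll", "wsock32.ska")
WORM_SIZE = 10_000  # attachment length stated on this page


def triage(system_dir):
    """Return a list of findings for one Windows system folder."""
    files = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings = [f"artifact present: {n}" for n in ARTIFACTS if n in files]
    exe = files.get("ska.exe")
    if exe and exe.stat().st_size == WORM_SIZE:
        findings.append("ska.exe matches the 10,000-byte worm length")
    dll, backup = files.get("wsock32.dll"), files.get("wsock32.ska")
    if dll and backup:
        # Assumption: WSOCK32.SKA is the copy taken before modification,
        # so a mismatch means the live DLL has been altered.
        if dll.read_bytes() != backup.read_bytes():
            findings.append("wsock32.dll differs from wsock32.ska: DLL modified")
        else:
            findings.append("wsock32.dll equals wsock32.ska: check the run-once key")
    return findings


def demo():
    """Triage three constructed folders (placeholder bytes, no worm code)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("clean", "pending", "patched"):
            d = Path(tmp, name)
            d.mkdir()
            (d / "WSOCK32.DLL").write_bytes(b"winsock image")
            if name != "clean":
                (d / "WSOCK32.SKA").write_bytes(b"winsock image")
                (d / "Ska.exe").write_bytes(b"\x00" * WORM_SIZE)
                (d / "SKA.DLL").write_bytes(b"\x00" * 16)
            if name == "patched":
                (d / "WSOCK32.DLL").write_bytes(b"winsock image + hook")
            results[name] = triage(d)
    return results


if __name__ == "__main__":
    for folder, found in demo().items():
        print(folder, found)
```

The "pending" folder models the case where WSOCK32.DLL was in use and the worm fell back to the run-once registry entry, so the backup and the live DLL are still identical.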

Effects

Lacking any destructive payload, Happy99 is not likely to ever cause any damage. In a debate on alt.comp.virus, Spanska speculated that between 9,000 and 15,000 computers had been infected with the worm.

Other Facts

The worm contains the hidden text string: "Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999." The worm is available in source code and binary format from the 4th issue of 29A.

Happy99's status as a worm, virus or trojan was a subject of some debate. Some cited the fact that the user had to activate the worm as evidence that it is a trojan. Others note its modification of WSOCK32.DLL as evidence that it is a virus. The Virus Encyclopedia classifies it as a worm, because it is an independent program that moves through computers and networks. This encyclopedia does not view it as a trojan because regardless of how it is activated, it ends up moving to another system without anyone intending for it to specifically go there. While it does modify WSOCK32.DLL, the modification does not produce a DLL infector on that file that can then infect other DLL files, and therefore it also fails to meet the definition of a virus.

Viruses and worms have been used to send holiday "greetings" since some of the earliest ones. Christmas tree gave users an image of an ASCII Christmas tree. The Taiwanese Tamsui displays text in addition to playing media, similar to Happy99.

Sources

Spanska. 29A 4th Issue, Happy99 Source code (I-Worm.Happy). 2000.01

Peter Szor, "Happy Gets Lucky?"

Antivirus Page, "Ska Virus"

Raul Elnitiarta. Symantec.com, "Happy99.Worm".

F-Secure Antivirus, F-Secure Virus Descriptions : Ska
