NAI Botches basic definitions like "virus" and "worm"

February 1, 1999

original author unknown

VIRUS ALERT: Network Associates Advises E-mail and Newsgroup Users to Armor Up Against Trojan Horse Worm Outbreak

Happy99.exe Fireworks Graphic Delivers More Than New Year Cheer

SANTA CLARA, Calif., Feb. 1 /PRNewswire/ -- To educate and inform the computer industry and its customers, the AVERT (Anti-Virus Emergency Response Team), a division of NAI Labs at Network Associates (Nasdaq: NETA), warns users to defend their computers from the virus, Happy99.exe.

Happy99.exe displays a window with exploding fireworks and the message "Happy New Year 1999!" The window appears on the computer monitor when a user runs the Happy99.exe attachment that is delivered with the e-mail.

Happy99.exe, also known as W32/SKA or the Ska Virus, is a Trojan Horse that was first posted to newsgroups and has since propagated to infect users via e-mail. This Trojan Horse is also considered a Worm because it can spread itself by latching onto mail messages. In most cases a user sends Happy99.exe unknowingly with outgoing messages. This self-replicating ability led to the expedient outbreak of Happy99.exe, which has been reported to several of the AVERT Labs locations worldwide.

It has been widely reported that when Happy99.exe runs its fireworks graphic, it modifies the Windows/System folder of a user's PC. If so, the process is as follows. The virus copies itself to the folder under the name SKA.EXE and then extracts a DLL from within itself to place in the folder. Happy99.exe then backs up and modifies the existing WSOCK32.DLL file. The modified WSOCK32.DLL file, WSOCK32.SKA, attaches the virus to a second copy of outgoing e-mail and newsgroup messages. The virus also keeps a list of message recipients in a file on the Windows/System folder.

Happy99.exe does not deliver a known destructive payload, nor does it appear to pose a threat to data. It does, however, spam the unconsenting recipient and create covert parasitic activity on a system. It can also congest the network and strain the e-mail server. AVERT has not yet seen this behavior, but warns users of the Trojan's potential.

To ensure maximum security, it is recommended that users delete all files associated with Happy.exe to remove the virus from their systems. AVERT has developed Happy99.exe detection, which is available in Network Associates' McAfee VirusScan versions 3.X and above. Detection is also available for the Dr Solomon's Anti-Virus Tool Kit. The Happy99.exe detection utilities and detailed information about Happy.exe are available at Network Associates' Web site,

With headquarters in Santa Clara, Calif., Network Associates, Inc. is dedicated to providing leading enterprise network security and management software. McAfee Labs, the anti-virus research division of Network Associates, currently employs more than 85 virus researchers and maintains labs on five continents worldwide. In addition to studying new and existing security threats, McAfee Labs serves as a global resource for virus information and provides rapid, follow-the-sun support for virus emergencies worldwide. For more information, Network Associates can be reached at (408) 988-3832 or on the Web at

McAfee, VirusScan, Net Tools and Dr Solomon's are registered trademarks of Network Associates and/or its affiliates in the U.S. and in other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

main page ATTRITION feedback