Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Happy has the following effects:
- It spreads to other computers by e-mail.
- It creates files on the affected system, which allow it to gather the e-mail addresses to which it will send itself out.
- It displays a window with the title Happy New Year 1999, which simulates a fireworks display.
Infection strategy
Happy creates the following files in the Windows system directory (by default, C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32):
- WSOCK32.SKA. The content of the dynamic link library WSOCK32.DLL is copied to this file. Happy patches exports in this DLL in order to promote distribution by e-mail on the host system.
- SKA.DLL, a dynamic link library (a file with a DLL extension) encrypted inside the executable program that contains the virus (HAPPY99.EXE).
- SKA.EXE, which will be run if the file WSOCK32.DLL is in use, that is, when the DLL is being used by another application and the virus is therefore prevented from carrying out its infection routine.
- LISTE.SKA, which stores the e-mail addresses to which Happy has sent itself. In this way, it avoids mailing itself twice to the same address. This file can contain up to 200 e-mail addresses.
Happy creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE
By creating this entry, Happy ensures that the file SKA.EXE is run whenever Windows is started.
Happy also uses the following techniques:
- Initialization. Happy is automatically run whenever the computer is started up. This is because the worm inserts a small part of its infection code in the file WSOCK32.DLL (with an additional 202 bytes).
- Redirection. The HAPPY99.EXE file runs two functions used by WSOCK32.DLL: EnumProtocolsW and WSAAsyncGetProtocolByName. These functions allow the worm to connect to the Internet and send information out. In this way, Happy can monitor the e-mail and Newsgroups communication ports, SMTP (port 25) and NNTP (port 119) respectively.
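A triage check for the artefacts listed in this section, as an added example that is not Panda Security's code: it looks for the four file names in a system directory (for instance on a mounted disk image), compares WSOCK32.DLL with the WSOCK32.SKA copy, matches exported RunOnce values against SKA.EXE, and reads the addresses in LISTE.SKA so that recipients can be notified. The function names, the sample files and the assumption that LISTE.SKA holds addresses as readable text are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# File names the page lists as created in the Windows system directory.
ARTIFACTS = ("WSOCK32.SKA", "SKA.DLL", "SKA.EXE", "LISTE.SKA")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage_system_dir(system_dir, runonce_values=()):
    """Report Happy artefacts in a system directory, e.g. from a mounted disk image.

    runonce_values: data strings exported from the RunOnce key (assumed input).
    """
    # Windows file names are case-insensitive, so index by upper-cased name.
    present = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    report = {
        "artifacts": [n for n in ARTIFACTS if n in present],
        "runonce_hit": any("SKA.EXE" in v.upper() for v in runonce_values),
        "wsock32_differs_from_copy": None,  # None = comparison not possible
        "recipients": [],
    }
    dll, copy = present.get("WSOCK32.DLL"), present.get("WSOCK32.SKA")
    if dll and copy:
        # WSOCK32.SKA holds the copied DLL content; a mismatch means the live DLL changed.
        report["wsock32_differs_from_copy"] = dll.read_bytes() != copy.read_bytes()
    if "LISTE.SKA" in present:
        # Assumption: addresses are stored as readable text; the page gives no format.
        found = EMAIL_RE.findall(present["LISTE.SKA"].read_bytes())
        report["recipients"] = sorted({a.decode("ascii").lower() for a in found})
    report["suspected"] = bool(report["artifacts"]) or report["runonce_hit"]
    return report


def demo():
    """Run the triage over constructed stand-in files (not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wsock32.ska").write_bytes(b"STAND-IN ORIGINAL DLL")
        (root / "Wsock32.dll").write_bytes(b"STAND-IN MODIFIED DLL")
        (root / "Ska.exe").write_bytes(b"stand-in")
        (root / "liste.ska").write_bytes(b"a@example.com\r\nB@example.org\r\n")
        return triage_system_dir(root, ["SKA.EXE"])


if __name__ == "__main__":
    print(demo())
```

A `wsock32_differs_from_copy` value of `None` means one of the two files was missing, so the comparison could not be made.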
Means of transmission
Happy uses e-mail and Newsgroups to propagate rapidly:
- It creates the files WSOCK32.SKA, SKA.DLL, SKA.EXE and LISTE.SKA, which allow the virus to spread via e-mail.
- Happy sends itself out to e-mail addresses it finds on the affected computer, including those which belong to Newsgroups.
Further Details
Happy presents the following additional characteristics:
- Happy is unable to spread on Windows NT systems, due to some bugs in its code.
- The HAPPY99.EXE file is 10 Kbytes in size.
- Its code contains the following text strings, some of which are encrypted. However, they are never displayed:
Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999.
Happy New Year 1999 !!
begin 644 Happy99.exe end
\Ska.exe\ liste.ska
\wsock32.dll\ Ska.dll\ Ska.exe