The Happy99 Trojan Program

What is the happy99 Trojan program?

The happy99 Trojan program, also known as the ska Trojan program, affects 32-bit Windows operating systems, such as Win95, Win98, and Windows NT. It was first reported in January 1999. When happy99.exe is executed, it displays some fireworks on the screen and then proceeds silently to modify the file wsock32.dll. Once the modifications are in place (sometimes this won't happen until the next time the system is rebooted), the Trojan watches for mail and newsgroup postings sent from that machine. Each time an e-mail message is sent, the Trojan sends a second message to that address, using the same subject line but containing the happy99.exe file as an attachment. In order for the recipient to become infected, s/he must not only receive the attachment but also execute it. The Trojan keeps a list and sends the happy99.exe program only once to each recipient.

How can I remove the happy99 Trojan program?

You will need to obtain and use a special program designed to remove the happy99 Trojan program. One place you can find such a program is at Network Associates' public site for standalone virus removers. Scroll down to the section titled "Command Line Stand Alone Virus Removers" and locate the file RMSKA.ZIP. Before using this virus remover, please read the warnings posted by Network Associates. While we know of no problems with this utility, Boston University cannot take responsibility for any problems caused by its use. Symantec offers public information on how to remove the happy99 Trojan at their Web site. This site also gives information on how Norton AntiVirus owners can download the latest update to protect against the virus.

If you are affiliated with Boston University, you can download and install the latest version of Network Associates' McAfee VirusScan for free, as Boston University has a site license for this product. Please visit BU's anti-virus software Web site for more information. This site will prompt you for your BU login name and password before allowing access. Note that this program checks for, but does not remove, the happy99 Trojan program and the Melissa Word macro virus.

I received e-mail saying that a message I sent to someone at Boston University could not be delivered (service unavailable) because my message contained the happy99 virus. What should I do?

It appears that your Win95, Win98, or WinNT computer is infected. As described above, you probably sent a message to someone at Boston University and that message was probably successfully delivered. The happy99 Trojan then went into action, sending a second e-mail message to that person without your knowledge. Only the second message contained the Trojan program and our mail system rejected only that second message. Subsequent messages you send to that recipient probably will not be infected, so will be delivered normally. However, each time you send mail to a new recipient, the Trojan will send a second, infected message to that person. To avoid sending this Trojan program on to new recipients, you should not send any further e-mail until you remove the happy99 Trojan program from your computer.

Return to main virus information page