CERT® Incident Note IN-99-02The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Happy99.exe Trojan HorseMonday, March 29, 1999
Around January 20, 1999, we began receiving reports of a Trojan horse program named Happy99.exe. Anti-virus vendors have given this program the following names: SKA, WSOCK32.SKA, SKA.EXE, I-Worm.Happy, PE_SKA, Trojan.Happy99, Win32/SKA, and Happy99.Worm.
The first time Happy99.exe is executed, a fireworks display saying "Happy 99" appears on the computer screen and, at the same time, modifies system files. The executable affects Microsoft Windows 95/98 and NT machines by
Once Happy99 is installed, every email and Usenet posting sent by an affected user triggers Happy99 to send a followup message containing Happy99.exe as a uuencoded attachment. Happy99 keeps track of who received the Trojan horse message in a file called LISTE.SKA in the system folder. Note that messages containing the Trojan horse will generally appear to come from someone you know.
You can prevent the spread of the Happy99 by setting the WSOCK32.DLL file attributes to "read only".
Most virus scanning tools will detect and clean Happy99 from a system. Happy99 can be manually removed from affected systems. You can find the steps for this procedure at the following site:
To detect and remove current viruses, you must update your scanning tools with the latest virus signatures or definitions. We also recommend you contact all of the people listed in the LISTE.SKA file. This file lists of other people that may have received the Happy99 Trojan horse from you.
It is important to take great caution with any email or Usenet attachments that contain executable content. If attachments are in a message, we recommend that you save the file to the local drive and scan the file with a virus scanning product before you open or run the file. Be aware that this is not a guarantee that the contents of the file are safe, but it will check for viruses and Trojan horses that your scanning software can detect.
Not the Same as Melissa
Happy99 is not a macro virus and should not be confused with the Melissa Word macro virus. Further information about the Melissa Word macro virus can be found at the following site:
This document is available from: http://www.cert.org/incident_notes/IN-99-02.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1999 Carnegie Mellon University.