Happy99 (also termed Ska or I-Worm) is a

computer worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will ...

for

Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

. It first appeared in mid-January 1999, spreading through email and

usenet Usenet (), a portmanteau of User's Network, is a worldwide distributed discussion system available on computers. It was developed from the general-purpose UUCP, Unix-to-Unix Copy (UUCP) dial-up network architecture. Tom Truscott and Jim Elli ...

. The worm installs itself and runs in the background of a victim's machine, without their knowledge. It is generally considered the first virus to propagate by email, and has served as a template for the creation of other self-propagating viruses. Happy99 has spread on multiple continents, including North America, Europe, and Asia.

Significance

Happy99 was described by Paul Oldfield as "the first virus to spread rapidly by email". In the ''Computer Security Handbook'', Happy99 is referred to as "the first modern worm". Happy99 also served as a template for the creation of ExploreZip, another self-spreading virus.

Spread

The worm first appeared on 20 January 1999. Media reports of the worm started coming in from the United States and Europe, in addition to numerous complaints on newsgroups from users that had become infected with the worm. Asia Pulse reported 74 cases of the virus from Japan in February, and 181 cases were reported in March—a monthly record at the time. On 3 March 1999, a Tokyo job company accidentally sent 4000 copies of the virus to 30 universities in Japan. Dan Schrader of

Trend Micro is an American-Japanese cyber security software company. The company has globally dispersed R&D in 16 locations across every continent excluding Antarctica. The company develops enterprise security software for servers, containers, and cloud ...

said that Happy99 was the single most commonly reported virus in their system for the month of March. A virus bulletin published in February 2000 reported that Happy99 caused reports of file-infecting

malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...

to reach over 16% in April 1999.

Sophos Sophos Limited is a British security software and hardware company. It develops and markets managed security services and cybersecurity software and hardware, such as managed detection and response, incident response and endpoint security s ...

listed Happy99 among the top ten viruses reported in the year of 1999. Eric Chien, head of research at

Symantec Symantec may refer to: * Gen Digital, an American consumer software company formerly known as Symantec * Symantec Security, a brand of enterprise security software purchased by Broadcom Broadcom Inc. is an American multinational corporation, ...

, reported that the worm was the second most reported virus in Europe for 2000. Marius Van Oers, a researcher for

Network Associates McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American proprietary software company focused on online ...

, referred to Happy99 as "a global problem", saying that it was one of the most commonly reported viruses in 1999. When virus researcher Craig Schmugar posted a fix for the virus on his website, a million people downloaded it.

Technical details

The worm spreads through email attachments and

Usenet Usenet (), a portmanteau of User's Network, is a worldwide distributed discussion system available on computers. It was developed from the general-purpose UUCP, Unix-to-Unix Copy (UUCP) dial-up network architecture. Tom Truscott and Jim Elli ...

. When executed, animated fireworks and a "Happy New Year" message display. The worm modifies

Winsock In computing, the Windows Sockets API (WSA), later shortened to Winsock, is an application programming interface (API) that defines how Windows network application software should access network services, especially TCP/IP. It defines a standar ...

, a Windows communication library, to allow itself to spread. The worm then attaches itself automatically to all subsequent emails and newsgroup posts sent by a user. The worm modifies a registry key to automatically start itself when the computer is rebooted. In some cases, the program may cause several error messages to appear. The worm was written by a French virus writer known as "Spanska". Other than propagating itself, the worm does no further damage to an infected computer. The worm typically uses port 25 to spread, but uses port 119 if port 25 is not available. The executable of the worm is 10,000 bytes in size; a list of spammed newsgroups and mail addresses is stored on the infected

hard drive A hard disk drive (HDD), hard disk, hard drive, or fixed disk is an electro-mechanical data storage device that stores and retrieves digital data using magnetic storage with one or more rigid rapidly rotating hard disk drive platter, pla ...

. The worm spreads only if the Winsock library is not set to read-only.

References

External links

CERT Incident Note IN-99-02

Viruslist - Email-Worm.Win32.Happy
{{Hacking in the 1990s Email worms Hacking in the 1990s Email Spamming

Significance

Spread

Technical details

See also

References

External links