Happy99

Aliases: Ska, I-Worm
Type: Computer worm
Author(s): "Spanska"
Port(s) used: 25, 119 [1] [2]
Operating system(s) affected: Windows 95, Windows 98, Windows NT [3]
File size: 10,000 bytes

Happy99 (also termed Ska or I-Worm) [4] is a computer worm for Microsoft Windows. It first appeared in mid-January 1999, spreading through email and Usenet. The worm installs itself and runs in the background of a victim's machine, without their knowledge. It is generally considered the first virus to propagate by email, and has served as a template for the creation of other self-propagating viruses. Happy99 has spread on multiple continents, including North America, Europe, and Asia.

Significance

Happy99 was described by Paul Oldfield as "the first virus to spread rapidly by email". [5] In the Computer Security Handbook, Happy99 is referred to as "the first modern worm". [6] Happy99 also served as a template for the creation of ExploreZip, another self-spreading virus. [7]

Spread

The worm first appeared on 20 January 1999. [8] Media reports of the worm started coming in from the United States and Europe, in addition to numerous complaints on newsgroups from users that had become infected with the worm. [9] Asia Pulse reported 74 cases of the virus from Japan in February, and 181 cases were reported in March—a monthly record at the time. [10] [11] On 3 March 1999, a Tokyo job company accidentally sent 4000 copies of the virus to 30 universities in Japan. [12]

Dan Schrader of Trend Micro said that Happy99 was the single most commonly reported virus in their system for the month of March. [13] A virus bulletin published in February 2000 reported that Happy99 caused reports of file-infecting malware to reach over 16% in April 1999. [14] Sophos listed Happy99 among the top ten viruses reported in the year of 1999. [15] Eric Chien, head of research at Symantec, reported that the worm was the second most reported virus in Europe for 2000. [16] Marius Van Oers, a researcher for Network Associates, referred to Happy99 as "a global problem", saying that it was one of the most commonly reported viruses in 1999. [17] When virus researcher Craig Schmugar posted a fix for the virus on his website, a million people downloaded it. [18]

Technical details

The worm spreads through email attachments and Usenet. [19] [20] [21] When executed, the worm displays animated fireworks and a "Happy New Year" message. [19] [22] The worm modifies Winsock, a Windows communication library, to allow itself to spread. [19] The worm then attaches itself automatically to all subsequent emails and newsgroup posts sent by a user. [23] The worm modifies a registry key to automatically start itself when the computer is rebooted. In some cases, the program may cause several error messages to appear. [24]

The worm was written by a French virus writer known as "Spanska". Other than propagating itself, the worm does no further damage to an infected computer. [25] [26] The worm typically uses port 25 to spread, but uses port 119 if port 25 is not available. [24] The executable of the worm is 10,000 bytes in size; a list of spammed newsgroups and mail addresses is stored on the infected hard drive. [22] [27] The worm spreads only if the Winsock library is not set to read-only.
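The propagation behaviour described above (the worm attaching itself to outgoing emails and newsgroup posts as a 10,000-byte executable) lends itself to a check at a mail or news gateway. The following Python code is an added example, not part of the original article; it assumes MIME-encoded attachments, and the extension list, function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

WORM_SIZE = 10_000  # executable size given in the article
EXEC_EXTS = (".exe", ".com", ".scr", ".pif")  # assumption: treated as executable

def scan_message(raw: bytes) -> list:
    """Return one finding per executable attachment in a mail or news article."""
    msg = message_from_bytes(raw, policy=policy.default)
    channel = "usenet" if msg["Newsgroups"] else "email"
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Flag by extension or by the DOS/PE "MZ" magic, so renamed files count too.
        if not (name.endswith(EXEC_EXTS) or payload[:2] == b"MZ"):
            continue
        findings.append({
            "filename": name,
            "size": len(payload),
            # Size is a triage hint only, not a signature.
            "size_matches_article": len(payload) == WORM_SIZE,
            "channel": channel,
        })
    return findings

def build_sample(filename: str, data: bytes, newsgroup: str = "") -> bytes:
    """Constructed sample: text body plus one attachment (no real malware)."""
    msg = EmailMessage()
    msg["From"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    if newsgroup:
        msg["Newsgroups"] = newsgroup
    else:
        msg["To"] = "friend@example.invalid"
    msg.set_content("hello")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    # Placeholder payload: "MZ" plus zero bytes, 10,000 bytes in total.
    for f in scan_message(build_sample("Happy99.exe", b"MZ" + bytes(9998))):
        print(f)
```

Because the worm attaches itself to messages the user sends, a check like this is most useful on the outbound path, where a hit identifies the infected sender.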

Related Research Articles

Computer worm: Self-replicating malware program

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

In computing terminology, a macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application. Some applications, such as Microsoft Office, Excel, and PowerPoint, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses; however, the macro virus's behavior can still be difficult to detect.

Klez is a computer worm that propagates via e-mail. It first appeared in October 2001 and originated in China. A number of variants of the worm exist. The virus (Klez) itself is a Windows PE EXE file of about 65KB, and it operates on WIN32 platforms. Klez infects Microsoft Windows systems, exploiting a vulnerability in Internet Explorer's Trident layout engine, used by both Microsoft Outlook and Outlook Express to render HTML mail.

Timeline of computer viruses and worms: Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

The Melissa virus is a mass-mailing macro virus released on or around March 26, 1999. It targets Microsoft Word and Outlook-based systems and created considerable network traffic. The virus infects computers via email; the email is titled "Important Message From," followed by the current username. Upon clicking the message, the body reads, "Here's that document you asked for. Don't show anyone else ;)." Attached is a Word document titled "list.doc," containing a list of pornographic sites and accompanying logins for each. It then mass-mails itself to the first fifty people in the user's contact list and disables multiple safeguard features on Microsoft Word and Microsoft Outlook.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after May 5, 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs." At the time, Windows computers often hid the latter file extension by default because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files; then it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm.

Zotob is a computer worm which exploits security vulnerabilities in Microsoft operating systems like Windows 2000, including the MS05-039 plug-and-play vulnerability. This worm has been known to spread on Microsoft-ds or TCP port 445.

Virus hoax: Message warning of a non-existent computer virus

A computer virus hoax is a message warning the recipients of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know, but it can also be in the form of a pop-up window.

Defensive computing is a form of practice for computer users to help reduce the risk of computing problems, by avoiding dangerous computing practices. The primary goal of this method of computing is to be able to anticipate and prepare for potentially problematic situations prior to their occurrence, despite any adverse conditions of a computer system or any mistakes made by other users. This can be achieved through adherence to a variety of general guidelines, as well as the practice of specific computing techniques.

RavMonE, also known as RJump, is a Trojan that opens a backdoor on computers running Microsoft Windows. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network.

Stration is a family of computer worms that can affect computers running Microsoft Windows, disabling security features and propagating itself to other computers via e-mail attachments. This family of worms is unusual in that new variants are being produced at an unprecedented rate, estimated to be up to one every 30 minutes at its peak, and downloaded from remote servers by infected machines to speed propagation. This makes detection and removal a particular challenge for anti-virus software vendors, because new signature files for each variant need to be issued to allow their software to detect them.

Storm botnet: Computer botnet

The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

Computer virus: Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Anna Kournikova was a computer virus that spread worldwide on the Internet in February 2001. The virus program was contained in an email attachment, purportedly an image of tennis player Anna Kournikova.

Daprosy worm was a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.

The Pikachu virus, also referred to as Pokey or the Pokémon virus, was a computer worm believed to be the first malware geared at children, due to its incorporation of Pikachu, a creature from the Pokémon media franchise. It was considered similar to the Love Bug, albeit slower in its spread and less dangerous.

Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

Swen is a mass-mailing computer worm written in C++. It sends an email which contains the installer for the virus, disguised as a Microsoft Windows update, although it also works on P2P filesharing networks, IRC and newsgroups' websites. It was first analyzed on September 18, 2003; however, it might have infected computers before then. It disables firewalls and antivirus programs.

References

  1. Stephen Watkins; Gregg, Michael B. (2006). Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network. Syngress Publishing. pp. 407, 408. ISBN 1-59749-109-8.
  2. Davis, Peter (2002). Securing and controlling Cisco routers. Boca Raton: Auerbach Publications. pp. 621, 622. ISBN 0-8493-1290-6.
  3. George Skarbek (16 March 1999). "Tech talk - Happy99 Virus". The Courier-Mail.
  4. Roger A. Grimes (2001). Malicious Mobile Code: Virus Protection for Windows. Sebastopol, CA: O'Reilly. pp. 6. ISBN 1-56592-682-X.
  5. Paul Oldfield (2001). Computer viruses demystified. Aylesbury, Bucks: Sophos. p. 32. ISBN 0-9538336-0-7.
  6. Bosworth, Seymour; Kabay, Michel E. (2002). Computer security handbook. Chichester: John Wiley & Sons. pp. 44. ISBN 0-471-26975-1.
  7. Rosie Lombardi (2 July 1999). "Microsoft's dominance plays a role". Computing Canada. Archived from the original on 14 February 2012. Retrieved 27 March 2009.
  8. Ellis, Juanita; Korper, Steffano (2001). The E-commerce book: building the E-empire. San Diego: Academic. pp. 192. ISBN 0-12-421161-5.
  9. David Watts (16 February 1999). "Help Desk". The West Australian.
  10. "251 Cases of Computer Virus Damage Reported in Japan in Feb". Asia Pulse. 7 March 1999.
  11. Makoto Ushida (19 April 1999). "Cyberslice - Experts warn of lurking computer viruses". Asahi Shimbun.
  12. "Virus-tainted e-mail sent to 4,000". The Daily Yomiuri. 6 June 1999.
  13. Clint Swett; Eric Young (7 April 1999). "Tech Talk Column". The Sacramento Bee.
  14. "Virus Bulletin". Virus Bulletin: The Authoritative International Publication on Computer Virus Prevention, Recognition, and Removal. Virus Bulletin Ltd. 2000. ISSN 0956-9979.
  15. "Old viruses live on". Adelaide Advertiser. 19 February 2000.
  16. "Virus variants put users at risk Users are at risk from new variants of popular viruses which can evade some antivirus protection". World Reporter TM. 6 March 2000.
  17. Deborah Scoblionkov (2 March 1999). "Bigfoot Users Get a Hotfoot". Wired. Archived from the original on 26 October 2012. Retrieved 7 March 2017.
  18. Jeffrey Kosseff (15 September 2003). "Virus-Hunters Scour Internet with 'Dirty' Computers". The Oregonian.
  19. Chen, William W. L. (2005). Statistical methods in computer security. New York, N.Y: Marcel Dekker. p. 272. ISBN 0-8247-5939-7.
  20. Michael J. Isaac; Isaac, Debra S. (2003). The SSCP prep guide: mastering the seven key areas of system security. New York: Wiley. p. 0471273511. ISBN 0-471-27351-1.
  21. Roberta Fusaro (29 January 1999). "Internet worm can crash corporate servers". CNN. Archived from the original on 12 February 2021. Retrieved 26 March 2009.
  22. Rubin, Aviel D. (2001). White-hat security arsenal: tackling the threats. Boston: Addison-Wesley. pp. 31. ISBN 0-201-71114-1.
  23. Carrie Kirby (22 December 2000). "Holiday E-Mail Gives Viruses An Opportunity". San Francisco Chronicle.
  24. Grover, Amit (August 2003). "Application Adaptive Bandwidth Management Using Real-Time Network Monitoring" (PDF): 77–78. Archived from the original (PDF) on 14 September 2006. Retrieved 27 March 2009.
  25. Knittel, Brian; Cowart, Robert; Cowart, Bob (1999). Using MicroSoft Windows 2000 professional. Indianapolis, Ind: Que. pp. 936. ISBN 0-7897-2125-2.
  26. Trefor Roscoe (2004). Rapid Reference to Computers: Rapid Reference Series. St. Louis: Mosby. p. 38. ISBN 0-7234-3357-7.
  27. Bob Sullivan (27 January 1999). "Happy99.exe worm spreads on Net". ZDNet.