Happy99


Happy99 is a computer worm for Microsoft Windows. It first appeared in mid-January 1999, spreading through email and usenet. The worm installs itself and runs in the background of a victim's machine, without their knowledge. It is generally considered the first virus to propagate by email, and has served as a template for the creation of other self-propagating viruses. Happy99 has spread on multiple continents, including North America, Europe, and Asia.

Significance

Happy99 was described by Paul Oldfield as "the first virus to spread rapidly by email". In the Computer Security Handbook, Happy99 is referred to as "the first modern worm". Happy99 also served as a template for the creation of ExploreZip, another self-spreading virus.

Spread

The worm first appeared on 20 January 1999. Media reports of the worm started coming in from the United States and Europe, in addition to numerous complaints on newsgroups from users that had become infected with the worm. Asia Pulse reported 74 cases of the virus from Japan in February, and 181 cases were reported in March—a monthly record at the time. On 3 March 1999, a Tokyo job company accidentally sent 4000 copies of the virus to 30 universities in Japan.
Dan Schrader of Trend Micro said that Happy99 was the single most commonly reported virus in their system for the month of March. A virus bulletin published in February 2000 reported that Happy99 caused reports of file-infecting malware to reach over 16% in April 1999. Sophos listed Happy99 among the top ten viruses reported in the year of 1999. Eric Chien, head of research at Symantec, reported that the worm was the second most reported virus in Europe for 2000. Marius Van Oers, a researcher for Network Associates, referred to Happy99 as "a global problem", saying that it was one of the most commonly reported viruses in 1999. When virus researcher Craig Schmugar posted a fix for the virus on his website, a million people downloaded it.

Technical details

The worm spreads through email attachments and usenet. When executed, animated fireworks and a "Happy New Year" message display. The worm modifies Winsock, a Windows communication library, to allow itself to spread. The worm then attaches itself automatically to all subsequent emails and newsgroup posts sent by a user. The worm modifies a registry key to automatically start itself when the computer is rebooted. In some cases, the program may cause several error messages to appear.
The worm was written by a French virus writer known as "Spanska". Other than propagating itself, the worm does no further damage to an infected computer. The worm typically uses port 25 to spread, but uses port 119 if port 25 is not available. The executable of the worm is 10,000 bytes in size; a list of spammed newsgroups and mail addresses is stored on the infected hard drive. The worm spreads only if the Winsock library is not set to read-only.