I-WORM/HAPPY

Discussion in 'malware problems & news' started by twin skies, Dec 6, 2002.

Thread Status:
Not open for further replies.
  1. twin skies

    twin skies Guest

    Does anyone know if this is AOL Instant Messenger-borne? I reported 2 strange-acting system files to my PC builder. A support tech saw fit to diagnose immediately a virus infection common to users of AIM, AOL's Instant Messenger, but non-AV support technicians never give anti-virus solutions.

    They like to prescribe System Restore as the only remedy to virus infection, but I thought otherwise. I will advise anyone that whatever the problem is, System Restore is worthless! At least that has been my experience over the past 15 months, with 2 XP machines.

    Just a short time ago I ran the all-in-one DOS application pqremove, from Pandasoftware. It reported I-WORM/HAPPY as active and running. Whether this is a single entity, or two different ones is still not clear to me.

    Anyway, symptoms were: System tray icon for sndvol32.exe would vanish, then reappear, but never with a loss of sound volume. Also on the same playbill, but less conspicuous, was the file sndrec32.exe. I believe these 2 files were present when I took delivery of this new PC 35 days ago, and the vanishing/unvanishing mischief started right away, before I installed AOL AIM.

    This caused me to clone the above-mentioned files from the old virus-free machine to the new one.
    During the transfer process, Transfer Wizard (at least that is whom I was led to believe it was) informed me that these transferred files were to now reside in sub-directory Windows:\system32\dllcache. I saw no reason to protest this at the time.

    The support tech later had me move the files to where they normally reside, C:\Windows\system32. The icon again reappeared to the tray, and I thought that was done with... Well, I was wrong. Tray icon dematerialized again, but this time both sndvol32 and sndrec32 stayed just where they should be, C:\Windows\system32.

    So it remains what to do, everything seems alright now. Did pqremove cure it (thanks Pandasoftware), or is the safest bet at this point a non-destructive System Recovery? Did I give too much detail? I hope I at least help someone else by pounding all of this out. Oh, and thank you too!

    Some statistics-
    Anti-Virus: Norton 2003 Pro Edition
    Anti-Worm: pqremove (new)
    Other: rarely
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001
    Posts: 12,472
    Location: The Netherlands

    Welcome, twin skies,

    I-Worm/HAPPY is an oldie (one identity indeed), commonly known as Happy99.

    Please check your system/registry for the existence of:

    HKEY_LOCAL_MACHINE
    \Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

    In case this registry entry no longer exists, it's quite safe to say your system is clean(ed).

    Your Norton should catch it on the spot, btw ;)

    regards.

    paul
     