Melissa Who?   Melissa's getting all the press.  But another virus, Happy99, could be sneaking into your PC.  Recently PC Computing editors received an e-mail with an attached file called HAPPY99.EXE.  Like so many others, they double-clicked on it and watched as fireworks spread across the screen.  "Happy New Year 1999!!" it said.  Neat.  Yeah.  Right.  Three months later, they were getting two or three infected messages a day.  If you're unhappy with Happy, here's how you can protect yourself.

1.  Don't Get Infected   As Happy99 and Melissa have so amply demonstrated, even the best of friends can infect one another.  (Melissa is automatically sent to the first 50 people in your PC's MAPI address book, and Happy99 sends second message to people you've already e-mailed once.)  A good rule of thumb for avoiding most damaging programs: If you receive an e-mail message or download a posting on an Internet newsgroup that contains an attached program or document, before you open it, be sure of what it is and who posted it.  In the case of HAPPY99.EXE, don't run the program.  If you do, and you're using Windows 95 or 98, a small fireworks display will greet you--and you'll end up infected with the W32.SKA worm (better known as the Happy99 virus).  So unless you have an antivirus scanner that works on files attached to e-mail messages or newsgroup postings--right now most scanners don't--you'll have to save the file first, then run the scanner on it.

2.  Warn Others   As with any virus, whether on a PC or in real life, the best prevention is education.  If you think you got something from a friend, let your friend know.  It could be infecting your whole social group, meaning you could get reinfected after you clear the virus up.  For example: If you get two e-mail messages from the same person with the same subject, and the second message is blank but has an attached file called HAPPY99.EXE, the person who sent you the messages is infected.

3.  Are You Infected?   Neither Happy99 nor Melissa shows any external signs on infected PCs.  But there are two reliable ways to tell if you're infected with Happy99.  First, you can send an e-mail message to yourself.  If you get two messages back and the second has HAPPY99.EXE attached, you have the virus.  A second, easier method is to look in your System folder (typically C:\WINDOWS\SYSTEM) for a telltale file called WSOCK32.SKA.

4.  Getting Un-Happy: Preliminaries   Note that you have to restart Windows for Happy99 to take.  So if you've just run HAPPY99.EXE and found this article before you restarted, you're in luck: You haven't infected anybody else.  Yet.

To get rid of the external vestiges of Happy99, go into Windows Explorer (right-click on My Computer and select Explore).  Navigate to your System folder.  If you get a dire warning about how modifying the contents of this folder may cause your programs to stop working correctly, ignore it.

Delete the files SKA.EXE and SKA.DLL from the System folder.  Then follow the instructions in "Registry Hacks" (below) and, if you still have a key with the indicated name, delete it.

5.  Killing Happy   Finally, you get to crush the worm itself.  The most reliable way to do that is in DOS: Click on Start, Shut Down, and Restart in MS-DOS mode.  You'll see the line:

C:\WINDOWS>

Type CD SYSTEM and you'll see the line:

C:\WINDOWS\SYSTEM>

Now type each of these lines, in order:

REN WSOCK32.DLL WSOCK32.BAD
REN WSOCK32.SKA WSOCK32.DLL

Use Ctrl+Alt+Del (or press your PC's Reset button) and you'll be back in Windows shortly.  Congratulations.  You have a clean system.

6.  Prevention   Everybody should install, update, and religiously use one of the major antivirus software packages.  PC Computing's choice for the best package appears every month in the A-list.  And remember that you need to scan every incoming program before you run it, no matter who sent it to you, even if you have to save the file onto your hard drive and run the scanner on it directly.

Network Associates has a detailed description of the W32.SKA worm at www.avertlabs.com/public/datafiles/valerts/vinfo/w32ska.asp.  Symantec's coverage is at www.symantec.com/avcenter/venc/data/happy99.worm.html. REGISTRY HACKS   NIP HAPPY99 IN THE BUD

The sooner you detect a virus, the better your odds of a painless recovery.  If you've run HAPPY99.EXE but haven't yet restarted Windows, you're in luck: The infection hasn't had a chance to take.

One Registry key is responsible for running the program that infects your machine.  It's a RunOnce key.  Programs in RunOnce key--as the name implies--run just once.  Windows then automatically removes them from the Registry.  Although you should usually back up your Registry prior to editing it, this time a backup isn't really necessary--as long as you follow the instructions closely.

Click on Start, then on Run; type REGEDIT; press Enter.  Look for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ska.EXE.  If it exists and has a value of SKA.EXE, the worm hasn't yet infected your system.  Select the key and push Del to delete it.