[meteorite-list] Virus Snowhite is back!
From: Dave <Dave_at_meteoritecentral.com>
Date: Thu Apr 22 09:37:39 2004
Just received 4 more Snowhite e-mails this morning. Wonder where it is still
coming from. Dave
----- Original Message -----
From: Rhett Bourland <rbourlan_at_evansville.net>
Sent: Sunday, December 31, 2000 6:40 AM
Subject: [meteorite-list] Virus
> I got this forward from a friend and even though this seems to have
> itself up I thought you may still like to see it as it's been a list topic
> the past.
> Rhett Bourland
> November 14, 2000, revised December 18, 2000
> Hybris (W32.Hybris) is a complex supervirus whose e-mail delivery system
> similar to Happy 99 and whose programming and payload are similar to MTX.
> Although this worm has been known since September, reports of Hybris
> infections are increasing worldwide. And while the worm currently contains
> relatively harmless payload, Hybris has the capability to upgrade itself
> the Internet and therefore could become dangerous. At least five distinct
> variations of Hybris have been reported by anti-virus software companies
> far, with Hybris.D being the most common. Hybris has been upgraded to a 7
> the ZDNet virus meter.
> How It Works
> Hybris arrives via e-mail with variable texts, depending on the components
> installed. The following characteristics are the most common:
> From: Hahaha hahaha_at_sexyfun.net
> Subject: Snowhite and the seven Dwarfs - The REAL Story!
> Body text: "Today, Snowhite was turning 18. The 7 Dwarfs always where very
> educated and polite with Snowhite. When they go out work at mornign (sic),
> they promissed (sic) a *huge* surprise. Snowhite was anxious. Suddlently
> (sic), the door open, and the Seven Dwarfs enter..."
> Attachment: a variable file name ending with .exe or .scr, most commonly
> dwarf4you.exe. Other attachments include:
> anpo porn.scr
> branca de neve.scr
> enano porno.exe
> sexy virgin.scr
> A user clicking on the above attachment will load the worm. Hybris scans
> system for e-mail addresses to send itself out over the Internet via
> Hybris also infects WSOCK32.DLL, renaming it and redirecting Windows.INI
> point to the new, infected file. Thereafter, Hybris will send itself via
> reply mail to whomever sends new e-mails to an infected computer. Hybris
> also savvy enough to establish its own Internet connections for the
> of upgrading itself. One method, connecting to a Web site presumably
> belonging to the author, has been disabled. A second method, posting to
> usenet newsgroup alt.comp.virus, remains active. Hybris contains up to 32
> components, and can execute or upgrade them as needed. At the moment, the
> components sent with Hybris are relatively harmless, however, the
> for new and more dangerous upgrades does exist.
> Removal Instructions
> Infected users should download the latest anti-virus signature files from
> ZDNet's Updates.com. Afterward, users will still need to restore a copy of
> WSOCK32.DLL, either from a clean backup or from the original Windows
> installation disks.
> Meteorite-list mailing list
Received on Sun 31 Dec 2000 10:26:37 AM PST
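
The message characteristics listed in the forwarded advisory (sender, subject line, and .exe/.scr attachments) can be checked at a mail gateway. The following is an added example, not part of the original post or the advisory; the function names and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators from the advisory quoted above (the archive writes "@" as "_at_").
SENDER = "hahaha@sexyfun.net"
SUBJECT_MARKER = "snowhite and the seven dwarfs"
KNOWN_NAMES = {"dwarf4you.exe", "anpo porn.scr", "branca de neve.scr",
               "enano porno.exe", "sexy virgin.scr"}
RISKY_EXTENSIONS = (".exe", ".scr")


def hybris_indicators(raw_message: bytes) -> list:
    """Return the advisory indicators matched by a raw RFC 822 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if SENDER in str(msg.get("From", "")).lower():
        hits.append("sender")
    if SUBJECT_MARKER in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in KNOWN_NAMES:
            hits.append("known-attachment:" + name)
        elif name.endswith(RISKY_EXTENSIONS):
            # The advisory says the file name varies, so the extension alone is flagged.
            hits.append("executable-attachment:" + name)
    return hits


def build_sample(sender: str, subject: str, filename: str = "") -> bytes:
    """Build a constructed test message; the attachment bytes are inert text."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"inert placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Hahaha <hahaha@sexyfun.net>",
                     "Snowhite and the seven Dwarfs - The REAL Story!", "dwarf4you.exe"),
        build_sample("Someone <someone@example.org>", "holiday photos", "Beach.SCR"),
        build_sample("Someone <someone@example.org>", "meeting notes", "notes.pdf"),
    ]
    for raw in samples:
        print(hybris_indicators(raw))
```

Because the advisory notes that the sender text and file name vary with the installed components, the extension check is the one that still fires when the other fields change.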