[meteorite-list] Virus Snowhite is back!
From: Dave <Dave_at_meteoritecentral.com>
Date: Thu Apr 22 09:37:39 2004
Message-ID: <003901c0733e$1106d180$58790e18_at_mchgnct1.in.home.com>

Just received 4 more Snowhite e-mails this morning. Wonder where it is still coming from.

Dave

----- Original Message -----
From: Rhett Bourland <rbourlan_at_evansville.net>
To: <Meteorite-list_at_meteoritecentral.com>
Sent: Sunday, December 31, 2000 6:40 AM
Subject: [meteorite-list] Virus

> I got this forward from a friend and even though this seems to have cleared
> itself up I thought you may still like to see it as it's been a list topic in
> the past.
>
> Rhett Bourland
> www.evansville.net/~rbourlan
>
> November 14, 2000, revised December 18, 2000
>
> Hybris (W32.Hybris) is a complex supervirus whose e-mail delivery system is
> similar to Happy 99 and whose programming and payload are similar to MTX.
> Although this worm has been known since September, reports of Hybris
> infections are increasing worldwide. And while the worm currently contains a
> relatively harmless payload, Hybris has the capability to upgrade itself via
> the Internet and therefore could become dangerous. At least five distinct
> variations of Hybris have been reported by anti-virus software companies so
> far, with Hybris.D being the most common. Hybris has been upgraded to a 7 on
> the ZDNet virus meter.
>
> How It Works
>
> Hybris arrives via e-mail with variable texts, depending on the components
> installed. The following characteristics are the most common:
>
> From: Hahaha hahaha_at_sexyfun.net
>
> Subject: Snowhite and the seven Dwarfs - The REAL Story!
>
> Body text: "Today, Snowhite was turning 18. The 7 Dwarfs always where very
> educated and polite with Snowhite. When they go out work at mornign (sic),
> they promissed (sic) a *huge* surprise. Snowhite was anxious. Suddlently
> (sic), the door open, and the Seven Dwarfs enter..."
>
> Attachment: a variable file name ending with .exe or .scr, most commonly
> dwarf4you.exe. Other attachments include:
>
> anpo porn.scr
> atchim.exe
> branca de neve.scr
> dunga.scr
> enano porno.exe
> joke.exe
> midgets.scr
> sexy virgin.scr
>
> A user clicking on the above attachment will load the worm. Hybris scans the
> system for e-mail addresses to send itself out over the Internet via e-mail.
> Hybris also infects WSOCK32.DLL, renaming it and redirecting Windows.INI to
> point to the new, infected file. Thereafter, Hybris will send itself via
> reply mail to whomever sends new e-mails to an infected computer. Hybris is
> also savvy enough to establish its own Internet connections for the purpose
> of upgrading itself. One method, connecting to a Web site presumably
> belonging to the author, has been disabled. A second method, posting to the
> usenet newsgroup alt.comp.virus, remains active. Hybris contains up to 32
> components, and can execute or upgrade them as needed. At the moment, the
> components sent with Hybris are relatively harmless, however, the potential
> for new and more dangerous upgrades does exist.
>
> Removal Instructions
>
> Infected users should download the latest anti-virus signature files from
> ZDNet's Updates.com. Afterward, users will still need to restore a copy of
> WSOCK32.DLL, either from a clean backup or from the original Windows
> installation disks.
>
> _______________________________________________
> Meteorite-list mailing list
> Meteorite-list_at_meteoritecentral.com
> http://www.pairlist.net/mailman/listinfo/meteorite-list

Received on Sun 31 Dec 2000 10:26:37 AM PST
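
The forwarded advisory says the sender, subject and attachment name all vary while the attachment always ends in .exe or .scr, so a mail filter keyed on the attachment extension holds up better than one keyed on the text. The Python sketch below is an added example, not part of the original post or the advisory; its function names and sample messages are constructed, and the "@" in the sender address is assumed from the archive's "_at_" obfuscation.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the advisory. The archive prints "_at_" for "@", so the
# sender address is an assumption about the original header.
HYBRIS_SENDER = "hahaha@sexyfun.net"
HYBRIS_SUBJECT = "snowhite and the seven dwarfs"
RISKY_EXTENSIONS = (".exe", ".scr")


def score_message(raw):
    """Return the advisory indicators that match a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if HYBRIS_SENDER in str(msg.get("From", "")).lower():
        hits.append("sender")
    if HYBRIS_SUBJECT in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    # Walk every MIME part so nested attachments are also inspected.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower().endswith(RISKY_EXTENSIONS):
            hits.append("attachment:" + name)
    return hits


def should_quarantine(raw):
    """Quarantine on the attachment alone; sender and subject are variable."""
    return any(h.startswith("attachment:") for h in score_message(raw))


def build_sample(sender, subject, filename):
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message that matches none of the text indicators is still quarantined when its attachment name ends in .exe or .scr, which is the case the "variable texts" remark in the advisory calls for.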