[meteorite-list] Virus Snowhite is back!

From: Dave <Dave_at_meteoritecentral.com>
Date: Thu Apr 22 09:37:39 2004
Message-ID: <003901c0733e$1106d180$58790e18_at_mchgnct1.in.home.com>

Just received 4 more Snowhite e-mails this morning. Wonder where it is still
coming from. Dave
----- Original Message -----
From: Rhett Bourland <rbourlan_at_evansville.net>
To: <Meteorite-list_at_meteoritecentral.com>
Sent: Sunday, December 31, 2000 6:40 AM
Subject: [meteorite-list] Virus


> I got this forward from a friend and even though this seems to have
cleared
> itself up I thought you may still like to see it as its been a list topic
in
> the past.
>
> Rhett Bourland
> www.evansville.net/~rbourlan
> November 14, 2000, revised December 18, 2000
>
> Hybris (W32.Hybris) is a complex supervirus whose e-mail delivery system
is
> similar to Happy 99 and whose programming and payload are similar to MTX.
> Although this worm has been known since September, reports of Hybris
> infections are increasing worldwide. And while the worm currently contains
a
> relatively harmless payload, Hybris has the capability to upgrade itself
via
> the Internet and therefore could become dangerous. At least five distinct
> variations of Hybris have been reported by anti-virus software companies
so
> far, with Hybris.D being the most common. Hybris has been upgraded to a 7
on
> the ZDNet virus meter.
>
> How It Works
> Hybris arrives via e-mail with variable texts, depending on the components
> installed. The following characteristics are the most common:
>
> From: Hahaha hahaha_at_sexyfun.net
>
> Subject: Snowhite and the seven Dwarfs - The REAL Story!
>
> Body text: "Today, Snowhite was turning 18. The 7 Dwarfs always where very
> educated and polite with Snowhite. When they go out work at mornign (sic),
> they promissed (sic) a *huge* surprise. Snowhite was anxious. Suddlently
> (sic), the door open, and the Seven Dwarfs enter..."
>
> Attachment: a variable file name ending with .exe or .scr, most commonly
> dwarf4you.exe. Other attachments include:
>
>
> anpo porn.scr
> atchim.exe
> branca de neve.scr
> dunga.scr
> enano porno.exe
> joke.exe
> midgets.scr
> sexy virgin.scr
> A user clicking on the above attachment will load the worm. Hybris scans
the
> system for e-mail addresses to send itself out over the Internet via
e-mail.
> Hybris also inflects WSOCK32.DLL, renaming it and redirecting Windows.INI
to
> point to the new, infected file. Thereafter, Hybris will send itself via
> reply mail to whomever sends new e-mails to an infected computer. Hybris
is
> also savvy enough to establish its own Internet connections for the
purpose
> of upgrading itself. One method, connecting to a Web site presumably
> belonging to the author, has been disabled. A second method, posting to
the
> usenet newsgroup alt.comp.virus, remains active. Hybris contains up to 32
> components, and can execute or upgrade them as needed. At the moment, the
> components sent with Hybris are relatively harmless, however, the
potential
> for new and more dangerous upgrades does exist.
> Removal Instructions
> Infected users should download the latest anti-virus signature files from
> ZDNet's Updates.com. Afterward, users will still need to restore a copy of
> WSOCK32.DLL, either from a clean backup or from the original Windows
> installation disks.
>
>
> _______________________________________________
> Meteorite-list mailing list
> Meteorite-list_at_meteoritecentral.com
> http://www.pairlist.net/mailman/listinfo/meteorite-list
Received on Sun 31 Dec 2000 10:26:37 AM PST