Got this email today... I've heard a couple people who have gotten it too. Any word on it, cuz I can't find anything.
That return address is dead because the Mailer Demon said so.
------------------
"President Bush. It's fun saying that. Go ahead, you try." - M. Lucinsky, Spectrum Editor
"Being a liberal is one of the most gutless choices you can make. It doesn't require you to think, it only requires you to feel." - Rush Limbaugh
[This message has been edited by Jeff Raven (edited February 13, 2001).]
quote:
As to the virus itself, the screensaver contains the Win95.Hybris.Gen.Dr variant - a virus generator. When run, it slaps a few more generators (Win95.Hybris.Gen variant) into other files, which then proliferate the virus itself (Win95.Hybris) into other random files.
quote:
Email version: English:
From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe
The email also comes in French, Spanish and Portuguese. If you visit newsgroups, you may want to check out this link as they have a sample of the newsgroup item as well. http://vil.mcafee.com/dispVirus.asp?virus_k=98873&
It is rated as a medium risk.
And does anyone have any info on the new Anna Kournikova JPEG virus?
------------------
"My Name is Elmer Fudd, Millionaire. I own a Mansion and a Yacht."
Psychiatrist: "Again."
[This message has been edited by Tahna Los (edited February 13, 2001).]
------------------
Here lies a toppled god,
His fall was not a small one.
We did but build his pedestal,
A narrow and a tall one.
-Tleilaxu Epigram
Subject: Virus alert and such..
Date: Fri, 05 Jan 2001 01:05:18 +1100
From: ***
To: ***
Oi,
I figure you can all work this out for yourselves and that it's prolly rather old, everything considered.. But -I- only just received it, and I know a friend of mine was going to send it around.. So.. take a look below.
Emails may arrive from an INFECTED user in this format:
From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: executable file
(Found all this at http://vil.nai.com/villib/dispvirus.asp?virus_k=98873, thanks to MrC. )
Virus Name
W32/Hybris.gen@M
Aliases
dwarf4you.exe
Hybris
I-Worm.Hybris
I-Worm.Hybris.b
Snowhite and the Seven Dwarfs
TROJ_HYBRIS.A
W32/Hybris.gen.dll@M
W32/Hybris.plugin@M
W95.Hybris.Gen.dr
W95/Hybris.worm
Win98.Vecna.23040
Variants
None
Description Added
11/1/00 2:37:27 PM
Virus Information
Discovery Date: 10/16/00
Origin: South America
Length: 25,088 bytes
Type: Virus
SubType: Internet Worm
Risk Assessment: Medium
Minimum Engine: 4.0.50
Minimum Dat: 4101
DAT Release Date: 10/25/2000
Virus Characteristics
Update January 7, 2000:
Some infected users have mentioned witnessing a graphic of a "spiral" activated and cannot be closed or stopped. This spiral graphic is associated with one of the plugins for W32/Hybris and is launched by this Internet worm periodically. In order to close the spiral, a task or process manager tool must be used.
This is an Internet worm which can be received by email. Typically these messages will make reference to "Snowhite and the Seven Dwarfs". If run, this worm modifies the WSOCK32.DLL file, after which an attempt is made to mail a copy of the worm to all mail recipients whenever email messages are sent out.
AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the infected user.
This Internet worm downloads encrypted update components from an Internet web site, most likely it is the author's site. This worm downloads encrypted components similar to the method first used by W95/Babylonia.
Emails may arrive from an infected user in this format:
From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: executable file
Symptoms
Mail recipients claiming they received an attachment from you when one was never sent
Method Of Infection
When this Internet worm is launched, it downloads a file named INDEX.TXT from the hosting site. This file contains a list of additional files that the worm is to also download for use. On November 13 2000, the site was still operational and contained the following update component files:
HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT
As of November 20, 2000, the site hosting the virus was taken down, however, the virus continues to download plugins from alt.comp.virus.
As of November 21, 2000, a new plugin is being distributed that will enable W32/Hybris to infect PE files in a non-repairable way. The 4108 DAT set is required to detect these infected files.
Executing the worm writes a modified version of the WSOCK32.DLL file to the WINDOWS SYSTEM directory. This file goes by an extensionless filename made up of 8 random characters. A line is created in the WININIT.INI file to rename this newly created file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change takes place the next time the system is booted. The modified WSOCK32.DLL file attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to all mail recipients whenever email messages are sent out.
This Internet worm posts update details to a newsgroup named alt.comp.virus. The posted message is a communication message to the running Internet worm on hosts to perform self-updates.
The format of the newsgroup posted message is as follows:
anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: [email protected]
From:
Author-Address: anonymous anon lcs mit edu
Subject: http [44 character alpha code]
Mail-To-News-Contact: [email protected]
Organization: [email protected]
Newsgroups: alt.comp.virus
Lines: 46
KUWJGJWCVICGIWIWCZIWHCFXCHB [continues]....
[more coded lines]
[terminated by four asterisks]
****
Removal Instructions
Use specified engine and DAT files for detection and removal.
The WSOCK32.DLL file must be restored from backup. This can be done by:
Windows 98
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the
Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts
Windows95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
Where D: is your CD-ROM drive
------------------
My new year's resolution is the same as last year's: 1024x768.
[This message has been edited by TSN (edited February 13, 2001).]
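The AVERT write-up quoted above describes how the worm gets its modified WSOCK32.DLL into place: the file is dropped under a random, extensionless 8-character name in the SYSTEM directory and a [rename] entry in WININIT.INI makes Windows swap it in at the next boot. The following is an added triage script, not code from the thread or from the AVERT advisory, that parses a WININIT.INI and flags renames which would overwrite a networking or system DLL, or whose source is such a randomly named file. The SENSITIVE file list and the sample INI text are constructed for the example.

```python
"""Triage a Windows 9x WININIT.INI for pending renames that overwrite system DLLs.

WININIT.INI has a [rename] section of 'destination=source' lines that Windows
processes at boot; 'NUL=path' deletes a file. Duplicate keys are allowed, so the
parser below is hand-rolled rather than using configparser.

Added example; the sample INI content and the SENSITIVE set are constructed.
"""
import re
from pathlib import PureWindowsPath

# DLLs whose silent replacement through WININIT.INI deserves a look (constructed list).
SENSITIVE = {"wsock32.dll", "winsock.dll", "wininet.dll", "kernel32.dll", "user32.dll"}

# The advisory's dropper name: 8 random characters, no extension.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section, in file order."""
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def suspicious_renames(text):
    """Return a list of findings; each has the rename pair and the reasons it was flagged."""
    findings = []
    for dest, src in parse_rename_section(text):
        dest_name = PureWindowsPath(dest).name.lower()
        src_name = PureWindowsPath(src).name
        reasons = []
        if dest_name in SENSITIVE:
            reasons.append(f"overwrites {dest_name}")
        if "." not in src_name and RANDOM_NAME.match(src_name):
            reasons.append("source is an extensionless 8-character file")
        if reasons:
            findings.append({"dest": dest, "src": src, "reasons": reasons})
    return findings


# Constructed sample: one benign temp-file delete, one Hybris-style swap, one font install.
SAMPLE_WININIT = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\~DF1234.TMP
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\QZTRWKLP
C:\\WINDOWS\\SYSTEM\\newfont.fon=C:\\WINDOWS\\TEMP\\newfont.fon
"""

if __name__ == "__main__":
    for f in suspicious_renames(SAMPLE_WININIT):
        print(f["dest"], "<-", f["src"], ":", "; ".join(f["reasons"]))
```

Run against a real WININIT.INI by reading the file's text instead of SAMPLE_WININIT; on a clean system the [rename] section is usually absent or holds only installer leftovers, so any hit against SENSITIVE is worth checking before the next reboot.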
I also only got the Snowwhite virus the other day but already knew of its true content. I wouldn't open something like that anyway (pornographic email from a strange address? Sorry, only from those I know )
quote:
Details:
----------------
Name: VBS.SST.A
Aliases: SST, Kalamar , Lee-O
Type: An encrypted script worm
Spreading Routine: Microsoft Outlook
Detection added: February 12, 2001
Description:
---------------
This is an encrypted script worm. The worm decrypts its code and then executes itself.
The decrypted code then copies the worm to a file named "AnnaKournikova.jpg.vbs" in the system directory. This file is then attached to emails that the worm sends to addresses in the Outlook address book.
An infected message will have the following characteristics:
Subject : Here you have, ;0)
Body : Hi:
Check This!
Attachments : AnnaKournikova.jpg.vbs
This worm disguises itself as a jpeg graphic of the Russian tennis player, Anna Kournikova.
The worm makes changes to the Registry, creating an entry called
HKCU\software\OnTheFly.
Payload:
-------------
On the 26th of January the worm attempts to connect to a website in the Netherlands, www.dynabyte.nl
If you have it, click this. It's an antivirus file specifically designed for it.
------------------
"I rather strongly disagree, even if I share the love of Dick. Speaking of which, that would be the most embarrassing .sig quote ever, so never use it."
- Simon Sizer, 23/01/2001
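Both worms in this thread arrive the same way: as an executable attachment dressed up as something else (.exe or .scr files for Hybris, a .jpg.vbs double extension for VBS.SST), under a subject line that is the same every time. As an added example, not code from the thread or from the vendor write-ups, here is a small gateway-style check over parsed mail that flags executable and double-extension attachment names and the subject lines quoted above. The three messages it runs on are constructed from the lure text in the thread, with placeholder addresses; they are not captured traffic.

```python
"""Flag mail whose attachment is a script/executable, possibly hiding behind a picture name.

Added example. The messages built below are constructed for the example from the lure
text quoted in the thread; sender and recipient addresses are placeholders.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute when the attachment is opened (constructed list).
EXEC_EXTS = {"exe", "scr", "vbs", "vbe", "js", "jse", "wsf", "pif", "com", "bat", "cmd"}
# Harmless-looking extensions used as the decoy in a double extension.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}
# Subject fragments from the Hybris and VBS.SST lures quoted in the thread.
KNOWN_LURES = ("snowhite and the seven dwarfs", "here you have")


def classify_filename(name):
    """Return the reasons a filename is dangerous; an empty list means it looks benign."""
    parts = name.lower().split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
        # e.g. AnnaKournikova.jpg.vbs: the real extension is last, the decoy sits before it
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension disguised as .{parts[-2]}")
    return reasons


def inspect_message(raw_bytes):
    """Parse one RFC 822 message and return a list of findings (empty if nothing is wrong)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    subject = str(msg["Subject"] or "").lower()
    for lure in KNOWN_LURES:
        if lure in subject:
            findings.append(f"subject matches known lure: {lure!r}")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            for reason in classify_filename(name):
                findings.append(f"{name}: {reason}")
    return findings


def build_message(subject, body, filename):
    """Construct a sample message with one attachment (placeholder content, not a real file)."""
    m = EmailMessage()
    m["From"] = "Hahaha <sender@example.invalid>"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"MZ placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: the two lures from the thread and one benign photo mail.
SAMPLES = {
    "hybris": build_message("Snowhite and the Seven Dwarfs - The REAL story!",
                            "Today, Snowhite was turning 18...", "dwarf4you.exe"),
    "sst": build_message("Here you have, ;0)", "Hi:\nCheck This!", "AnnaKournikova.jpg.vbs"),
    "benign": build_message("Holiday photo", "see attached", "beach.jpg"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", inspect_message(raw) or "clean")
```

The filename check is the part worth keeping: subject-line matching only catches the two lures already known, while the extension rules catch the next renamed copy of the same worm. Real gateways also look at the attachment's content type and magic bytes, since a sender can lie about both the name and the declared type.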
And I thought the number of viruses you could receive simply from opening an e-mail was infinitesimally tiny. And that they usually only worked on particular e-mail programs, as they exploited security holes. And that updates to avoid them were nearly always available.
------------------
"And Mojo was hurt and I would have kissed his little boo boo but then I realized he was a BAD monkey so I KICKED HIM IN HIS FACE!"
-Bubbles
------------------
My new year's resolution is the same as last year's: 1024x768.
Imagine everyone at work with their work email addies - everyone's email address list is standard at first, with only work addies. This damned thing multiplied - worse than the snowball effect. Some of my co-workers got the virus sent to them 300 times. It was bouncing off the walls. It took two days for the system admins to get the virus out of the server.
Rather funny when it was all over.
------------------
Awww...He ate my cookie!
quote:
And I thought the number of viruses you could receive simply from opening an e-mail was infinitesimally tiny. And that they usually only worked on particular e-mail programs, as they exploited security holes. And that updates to avoid them were nearly always available.
Fairly true, although a) how many average users are smart enough to apply patches, and b) how many of those people use Outlook Express, Eudora Light, etc., the ones that normally get it?
The number isn't tiny but it isn't a significant one either. I've heard of a very few that can infect other forms of email besides those POP ones, but I think you'd have to have some kind of specific setting or something for those to infect you. I might be thinking of something else entirely though too.
------------------
"My Name is Elmer Fudd, Millionaire. I own a Mansion and a Yacht."
Psychiatrist: "Again."