Got this email today... I've heard a couple people who have gotten it too. Any word on it, cuz I can't find anything.

That return address is dead because the Mailer Demon said so.

------------------
"President Bush. It's fun saying that. Go ahead, you try." - M. Lucinsky, Spectrum Editor

"Being a liberal is one of the most gutless choices you can make. It doesn't require you to think, it only requires you to feel." - Rush Limbaugh

quote:

---

As to the virus itself, the screensaver contains the Win95.Hybris.Gen.Dr variant - a virus generator. When run, it slaps a few more generators (Win95.Hybris.Gen variant) into other files, which then proliferate the virus itself (Win95.Hybris) into other random files.

---

quote:

---

Email version:

English:

From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!

Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr
or dwarf4you.exe

The email also comes in French, Spanish and Portuguese. If you visit newsgroups, you may want to check out the this link as they have a sample of the newsgroup item as well. http://vil.mcafee.com/dispVirus.asp?virus_k=98873&

It is rated as a medium risk.

---

And does anyone have any info on the new Anna Kournikova JPEG virus?

------------------
"My Name is Elmer Fudd, Millionaire. I own a Mansion and a Yacht."
Psychiatrist: "Again."

------------------
Here lies a toppled god,
His fall was not a small one.
We did but build his pedestal,
A narrow and a tall one.

Subject: Virus alert and such..
Date: Fri, 05 Jan 2001 01:05:18 +1100
From: ***
To: ***

Oi,
I figure you can all work this out for yourselves and that it's prolly rather old, everthing considered.. But -I- only just received it, and I know a friend of mine was going to send it around.. So.. take a look below.

Emails may arrive from an INFECTED user in this format:

From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: executable file

(Found all this at http://vil.nai.com/villib/dispvirus.asp?virus_k=98873,
thanks to MrC. )

Virus Name
W32/Hybris.gen@M

Aliases
dwarf4you.exe
Hybris
I-Worm.Hybris
I-Worm.Hybris.b
Snowhite and the Seven Dwarfs
TROJ_HYBRIS.A
W32/Hybris.gen.dll@M
W32/Hybris.plugin@M
W95.Hybris.Gen.dr
W95/Hybris.worm
Win98.Vecna.23040

Variants
None

Description Added
11/1/00 2:37:27 PM

Virus Information

Discovery Date: 10/16/00
Origin: South America
Length: 25,088 bytes
Type: Virus
SubType: Internet Worm
Risk Assessment: Medium
Minimum Engine: 4.0.50
Minimum Dat: 4101
DAT Release Date: 10/25/2000

Virus Characteristics
Update January 7, 2000:
Some infected users have mentioned witnessing a graphic of a "spiral" activated and cannot be closed or stopped. This spiral graphic is associated with one of the plugins for W32/Hybris and is launched by this Internet worm periodically. In order to close the spiral, a task or process manager tool must be used.

This is an Internet worm which can be received by email. Typically these messages will make reference to, "Snowhite and the Seven Dwarfs". If run, this worm modifies the WSOCK32.DLL file, after which, an attempt is made to mail a copy of the worm to all mail recipients whenever email messages are sent out.

AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the infected user.

This Internet worm downloads encrypted update components from an Internet web site, most likely it is the author's site. This worm downloads encrypted components similar to the method first used by W95/Babylonia.

Emails may arrive from an infected user in this format:

From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: executable file

Symptoms
Mail recipients claiming they received an attachment from you when one was never sent

Method Of Infection

When this Internet worm is launched, it downloads a file named INDEX.TXT from the hosting site. This file contains a list of additional files that the worm is to also download for use. On November 13 2000, the site was still operational and contained the following update component files:

HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT

As of November 20, 2000, the site hosting the virus was taken down, however, the virus continues to download plugins from alt.comp.virus.
As of November 21, 2000, a new plugin is being distributed that will enable W32/Hybris to infect PE files in a non-repairable way. The 4108 DAT set is
required to detect these infected files.

Executing the worm writes a modified version of the WSOCK32.DLL file to the WINDOWS SYSTEM directory. This file goes by an extensionless filename made up of 8 random characters. A line is created in the WININIT.INI file to rename this, newly created, file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change takes place the next time the system
is booted. The modified WSOCK32.DLL file attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to all mail recipients whenever email messages are sent out.

This Internet worm posts update details to a newsgroup named alt.comp.virus. The message posts is a communication message to the running Internet worm on
hosts to perform self-updates.

The format of the newsgroup posted message is as follows:

anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: [email protected]
From:
Author-Address: anonymous anon lcs mit edu
Subject: http [44 character alpha code]
Mail-To-News-Contact: [email protected]
Organization: [email protected]
Newsgroups: alt.comp.virus
Lines: 46

KUWJGJWCVICGIWIWCZIWHCFXCHB [continues]....
[more coded lines]
[terminated by four asterisks]
****

Removal Instructions
Use specified engine and DAT files for detection and removal.

The WSOCK32.DLL file must be restored from backup. This can be done by:

Windows 98
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the
Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts

Windows95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L
C:\WINDOWS\SYSTEM
or
- Insert your Windows95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM Where D:
is your CD-ROM drive

------------------
My new year's resolution is the same as last year's: 1024x768.

I also only got the Snowwhite virus the other day but already knew of it's true content. I wouldn't open something like that anyways (pornographic email from a strange address? Sorry only those I know )

quote:

---

Details:
----------------
Name: VBS.SST.A
Aliases: SST, Kalamar , Lee-O
Type: An encrypted script worm
Spreading Rountine: Microsoft Outlook
Detection added: February 12, 2001

Description:
---------------
This is an encrypted script worm. The worm decrypts its code and then executes itself.
The decrypted code then copies the worm to a file named "AnnaKournikova.jpg.vbs" in the system directory. This file is then attached to emails that the worm sends to addresses in the Outlook address book.

An infected message will have the following characteristics:

Subject : Here you have, ;0)
Body : Hi:
Check This!
Attachments : AnnaKournikova.jpg.vbs

This worm disguises itself as a jpeg graphic of the Russian tennis player, Anna Kournikova.

The worm makes changes to the Registry, creating an entry called
HKCU\software\OnTheFly.

Payload:
-------------
On the 26th of January the worm attempts to connect to a website in the Netherlands, www.dynabyte.nl

---

If you have it, click this. It's an antivirus file specifically designed for it.

------------------
"I rather strongly disagree, even if I share the love of Dick. Speaking of which, that would be the most embarrasing .sig quote ever, so never use it."

And I thought the number of virus' you could receive simply from opening an e-mail was infintesimally tiny. And that they usually only worked on particular e-mail programs, as they exploited security holes. And that updates to avoid them were nearly always available.

Image everyone at work with their work email addy's - everyone's email addy lists are standard at first with only work addy's. This damned thing multiplied - worse than the snowball effect. Some of my co-workers got the virus sent to them 300 times. It was bouncing off the walls. It took two days for the system admins to get the virus out of the server.

Rather funny when it was all over.

quote:

---

And I thought the number of virus' you could receive simply from opening an e-mail was infintesimally tiny. And that they usually only worked on particular e-mail programs, as they exploited security holes. And that updates to avoid them were nearly always available.

---

Fairly true, although a) how many of the average user are smart enough to upgrade patches b) and how many of said people use OutLook Express, Eudora Light, etc those that normally get it?