Flare Sci-fi Forums
Author Topic: New Virus?
Jeff Raven
Always Right
Member # 20

 - posted
www.acsu.buffalo.edu/~bgrada/hrm.gif

Got this email today... I've heard a couple people who have gotten it too. Any word on it, cuz I can't find anything.

That return address is dead because the Mailer Demon said so.

------------------
"President Bush. It's fun saying that. Go ahead, you try." - M. Lucinsky, Spectrum Editor

"Being a liberal is one of the most gutless choices you can make. It doesn't require you to think, it only requires you to feel." - Rush Limbaugh

[This message has been edited by Jeff Raven (edited February 13, 2001).]


Registered: Mar 1999  |  IP: Logged
Teelie
Senior Member
Member # 280

 - posted
Yups I do.

quote:

As to the virus itself, the screensaver contains the Win95.Hybris.Gen.Dr variant - a virus generator. When run, it slaps a few more generators (Win95.Hybris.Gen variant) into other files, which then proliferate the virus itself (Win95.Hybris) into other random files.


quote:

Email version:

English:

From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!

Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr
or dwarf4you.exe

The email also comes in French, Spanish and Portuguese. If you visit newsgroups, you may want to check out this link as they have a sample of the newsgroup item as well. http://vil.mcafee.com/dispVirus.asp?virus_k=98873&

It is rated as a medium risk.



Registered: Jan 2000  |  IP: Logged
Saltah'na
Chinese Canadian, or 75% Commie Bastard.
Member # 33

 - posted
So this means that if you simply open the message and not the attachment I will be fine, right?

And does anyone have any info on the new Anna Kournikova JPEG virus?

------------------
"My Name is Elmer Fudd, Millionaire. I own a Mansion and a Yacht."
Psychiatrist: "Again."

[This message has been edited by Tahna Los (edited February 13, 2001).]


Registered: Mar 1999  |  IP: Logged
Nim
The Aardvark asked for a dagger
Member # 205

 - posted
Funny you said that, I thought this thread was about that, and then YOU said it. My office got notice of it by colleagues yesterday.

------------------
Here lies a toppled god,
His fall was not a small one.
We did but build his pedestal,
A narrow and a tall one.

-Tleilaxu Epigram


Registered: Aug 1999  |  IP: Logged
TSN
I'm... from Earth.
Member # 31

 - posted
I heard about the Snow White one over a month ago...


Subject: Virus alert and such..
Date: Fri, 05 Jan 2001 01:05:18 +1100
From: ***
To: ***

Oi,
I figure you can all work this out for yourselves and that it's prolly rather old, everything considered.. But -I- only just received it, and I know a friend of mine was going to send it around.. So.. take a look below.

Emails may arrive from an INFECTED user in this format:

From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: executable file

(Found all this at http://vil.nai.com/villib/dispvirus.asp?virus_k=98873, thanks to MrC.)

Virus Name
W32/Hybris.gen@M

Aliases
dwarf4you.exe
Hybris
I-Worm.Hybris
I-Worm.Hybris.b
Snowhite and the Seven Dwarfs
TROJ_HYBRIS.A
W32/Hybris.gen.dll@M
W32/Hybris.plugin@M
W95.Hybris.Gen.dr
W95/Hybris.worm
Win98.Vecna.23040

Variants
None

Description Added
11/1/00 2:37:27 PM

Virus Information

Discovery Date: 10/16/00
Origin: South America
Length: 25,088 bytes
Type: Virus
SubType: Internet Worm
Risk Assessment: Medium
Minimum Engine: 4.0.50
Minimum Dat: 4101
DAT Release Date: 10/25/2000


Virus Characteristics
Update January 7, 2000:
Some infected users have mentioned witnessing a graphic of a "spiral" activated and cannot be closed or stopped. This spiral graphic is associated with one of the plugins for W32/Hybris and is launched by this Internet worm periodically. In order to close the spiral, a task or process manager tool must be used.

This is an Internet worm which can be received by email. Typically these messages will make reference to, "Snowhite and the Seven Dwarfs". If run, this worm modifies the WSOCK32.DLL file, after which, an attempt is made to mail a copy of the worm to all mail recipients whenever email messages are sent out.

AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the infected user.

This Internet worm downloads encrypted update components from an Internet web site, most likely it is the author's site. This worm downloads encrypted components similar to the method first used by W95/Babylonia.

Emails may arrive from an infected user in this format:

From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: executable file


Symptoms
Mail recipients claiming they received an attachment from you when one was never sent

Method Of Infection


When this Internet worm is launched, it downloads a file named INDEX.TXT from the hosting site. This file contains a list of additional files that the worm is to also download for use. On November 13 2000, the site was still operational and contained the following update component files:

HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT


As of November 20, 2000, the site hosting the virus was taken down; however, the virus continues to download plugins from alt.comp.virus.
As of November 21, 2000, a new plugin is being distributed that will enable W32/Hybris to infect PE files in a non-repairable way. The 4108 DAT set is required to detect these infected files.


Executing the worm writes a modified version of the WSOCK32.DLL file to the WINDOWS SYSTEM directory. This file goes by an extensionless filename made up of 8 random characters. A line is created in the WININIT.INI file to rename this newly created file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change takes place the next time the system is booted. The modified WSOCK32.DLL file attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to all mail recipients whenever email messages are sent out.

This Internet worm posts update details to a newsgroup named alt.comp.virus. The posted message is a communication to the running Internet worm on infected hosts, instructing it to perform self-updates.

The format of the newsgroup posted message is as follows:

anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: [email protected]
From:
Author-Address: anonymous anon lcs mit edu
Subject: http [44 character alpha code]
Mail-To-News-Contact: [email protected]
Organization: [email protected]
Newsgroups: alt.comp.virus
Lines: 46

KUWJGJWCVICGIWIWCZIWHCFXCHB [continues]....
[more coded lines]
[terminated by four asterisks]
****


Removal Instructions
Use specified engine and DAT files for detection and removal.

The WSOCK32.DLL file must be restored from backup. This can be done by:

Windows 98
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts

Windows95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows95 CD-ROM and type: EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM, where D: is your CD-ROM drive

------------------
My new year's resolution is the same as last year's: 1024x768.

[This message has been edited by TSN (edited February 13, 2001).]


Registered: Mar 1999  |  IP: Logged
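The quoted NAI write-up above says the worm drops an extensionless 8-character file in the SYSTEM directory and queues a WININIT.INI rename so it overwrites WSOCK32.DLL at the next boot. As an added example (not code from the forum, from NAI/McAfee, or from the worm), here is a small check a defender could run against a copy of WININIT.INI to surface such a pending rename before the reboot applies it. It assumes the documented Win9x format of the [rename] section (one destination=source line per file, with NUL as destination meaning delete); the sample INI text is constructed.

```python
"""Scan a Win9x-style WININIT.INI [rename] section for a pending rename that
would overwrite a protected system DLL (WSOCK32.DLL in the quoted write-up).
Added example; the sample content below is constructed, not a real capture."""
import re

# Destinations we never expect to be replaced through WININIT.INI; extend as needed.
PROTECTED = {"WSOCK32.DLL"}

# Constructed sample: one benign cleanup entry, one entry matching the pattern
# the write-up describes (random 8-char source -> WSOCK32.DLL destination).
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP.TMP
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\QWJDSKLE
"""


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    Win9x WININIT.INI format: each line is destination=source; a destination
    of 'NUL' deletes the source file instead of renaming it.
    """
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def suspicious_renames(text):
    """Flag renames whose destination is a protected DLL.

    Each finding also records whether the source looks like the worm's
    dropper name: exactly 8 alphanumeric characters with no extension.
    """
    findings = []
    for dest, src in parse_rename_section(text):
        if _basename(dest).upper() in PROTECTED:
            src_name = _basename(src)
            random_name = re.fullmatch(r"[A-Za-z0-9]{8}", src_name) is not None
            findings.append({"dest": dest, "src": src, "random_name": random_name})
    return findings


if __name__ == "__main__":
    for f in suspicious_renames(SAMPLE_WININIT):
        print(f"pending overwrite of {f['dest']} from {f['src']}"
              f" (random 8-char source: {f['random_name']})")
```

A hit here is only an indicator; the write-up's advice still applies, namely restoring WSOCK32.DLL from installation media and scanning with current engine and DAT files rather than just deleting the INI line.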
Teelie
Senior Member
Member # 280

 - posted
The jpeg is a VBS virus and no, unless you read the attachment, you can't be infected by most virus emails. There are some where simply the email is infected, but there are not many.

I also only got the Snowwhite virus the other day but already knew of its true content. I wouldn't open something like that anyways (pornographic email from a strange address? Sorry only those I know )

quote:
Details:
----------------
Name: VBS.SST.A
Aliases: SST, Kalamar, Lee-O
Type: An encrypted script worm
Spreading Routine: Microsoft Outlook
Detection added: February 12, 2001


Description:
---------------
This is an encrypted script worm. The worm decrypts its code and then executes itself.
The decrypted code then copies the worm to a file named "AnnaKournikova.jpg.vbs" in the system directory. This file is then attached to emails that the worm sends to addresses in the Outlook address book.

An infected message will have the following characteristics:

Subject : Here you have, ;0)
Body : Hi:
Check This!
Attachments : AnnaKournikova.jpg.vbs

This worm disguises itself as a jpeg graphic of the Russian tennis player, Anna Kournikova.

The worm makes changes to the Registry, creating an entry called
HKCU\software\OnTheFly.


Payload:
-------------
On the 26th of January the worm attempts to connect to a website in the Netherlands, www.dynabyte.nl


If you have it, click this. It's an antivirus file specifically designed for it.


Registered: Jan 2000  |  IP: Logged
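Both vendor descriptions quoted in this thread (the Hybris one in TSN's post and the VBS.SST.A one above) give the same kind of indicators: a fixed subject line, an executable attachment (.exe/.scr/.vbs) and, for the Kournikova worm, a double extension that hides the script behind a .jpg name. As an added example (not code from the forum or from the vendors), here is a gateway-style screen in Python that parses a raw message with the standard library and reports those indicators; the three sample messages are constructed, and the sender address used in them (hahaha@example.invalid) stands in for the redacted one on the page.

```python
"""Screen a raw email for the indicators the quoted worm descriptions give:
a known subject line, an executable attachment extension, and a double
extension such as .jpg.vbs. Added example; all sample messages are constructed."""
import email
from email import policy

# Extensions that Windows would execute when the attachment is opened.
EXEC_EXTS = {"exe", "scr", "vbs", "pif", "com", "bat"}

# Subjects taken from the descriptions quoted in the thread.
KNOWN_SUBJECTS = {
    "snowhite and the seven dwarfs - the real story!",  # W32/Hybris.gen@M
    "here you have, ;0)",                                # VBS.SST.A
}

# Constructed sample messages (example.invalid addresses, no real payload).
HYBRIS_SAMPLE = """From: Hahaha <hahaha@example.invalid>
To: someone@example.invalid
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Today, Snowhite was turning 18...
--b1
Content-Type: application/octet-stream; name="dwarf4you.exe"
Content-Disposition: attachment; filename="dwarf4you.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

KOURNIKOVA_SAMPLE = """From: friend@example.invalid
To: someone@example.invalid
Subject: Here you have, ;0)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Hi:
Check This!
--b2
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

BENIGN_SAMPLE = """From: colleague@example.invalid
To: someone@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

Notes attached.
--b3
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

agenda
--b3--
"""


def attachment_names(msg):
    """Collect filenames of all non-multipart parts that carry one."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify_filename(name):
    """Return the reasons a filename is suspicious (empty list if none)."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) >= 3:  # e.g. photo.jpg.vbs: inner extension is a decoy
            reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    return reasons


def screen_message(raw):
    """Parse a raw RFC 822 message and return a list of indicator strings."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("known worm subject: " + subject)
    for name in attachment_names(msg):
        for r in classify_filename(name):
            reasons.append(f"{name}: {r}")
    return reasons


if __name__ == "__main__":
    for label, raw in [("hybris", HYBRIS_SAMPLE),
                       ("kournikova", KOURNIKOVA_SAMPLE),
                       ("benign", BENIGN_SAMPLE)]:
        print(label, screen_message(raw) or ["clean"])
```

The subject check is the weakest of the three signals, since it stops matching as soon as the text changes (the Hybris write-up already notes French, Spanish and Portuguese versions); the attachment-extension rules catch the same samples without depending on the wording.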
Lee
I'm a spy now. Spies are cool.
Member # 393

 - posted
Shit. I got this one today. Well, actually, I didn't - our antivirus caught it.

------------------
"I rather strongly disagree, even if I share the love of Dick. Speaking of which, that would be the most embarrassing .sig quote ever, so never use it."

- Simon Sizer, 23/01/2001


Registered: Jul 2000  |  IP: Logged
PsyLiam
Hungry for you
Member # 73

 - posted
Not to state the bleedingly obvious, but if you open attachments contained in e-mails received from people you've never heard of, then you're a moron. Jeez, these pop up every few months, and people STILL think that complete strangers are sending them dirty pics/rude jokes/tennis stars just out of kindness.

And I thought the number of viruses you could receive simply from opening an e-mail was infinitesimally tiny. And that they usually only worked on particular e-mail programs, as they exploited security holes. And that updates to avoid them were nearly always available.

------------------
"And Mojo was hurt and I would have kissed his little boo boo but then I realized he was a BAD monkey so I KICKED HIM IN HIS FACE!"
-Bubbles


Registered: Mar 1999  |  IP: Logged
TSN
I'm... from Earth.
Member # 31

 - posted
Well, from what I understand, the VBS ones work w/o opening the attachment. But they only exploit MS Outlook.

------------------
My new year's resolution is the same as last year's: 1024x768.


Registered: Mar 1999  |  IP: Logged
MsChris
Member
Member # 445

 - posted
Yup - I got that one at work multiple times on two separate occasions. You don't have to open the attachment...it will forward itself anyway. It doesn't do any permanent damage, but the server gets locked up.

Imagine everyone at work with their work email addys - everyone's email addy lists are standard at first with only work addys. This damned thing multiplied - worse than the snowball effect. Some of my co-workers got the virus sent to them 300 times. It was bouncing off the walls. It took two days for the system admins to get the virus out of the server.

Rather funny when it was all over.

------------------
Awww...He ate my cookie!


Registered: Nov 2000  |  IP: Logged
Teelie
Senior Member
Member # 280

 - posted
quote:
And I thought the number of viruses you could receive simply from opening an e-mail was infinitesimally tiny. And that they usually only worked on particular e-mail programs, as they exploited security holes. And that updates to avoid them were nearly always available.

Fairly true, although a) how many average users are smart enough to upgrade patches, and b) how many of said people use Outlook Express, Eudora Light, etc., the ones that normally get it?

The number isn't tiny but it isn't a significant one either. I've heard of a very few that can infect other forms of email besides those POP ones but I think you'd have to have some kind of specific setting or something for those to infect you. I might be thinking of something else entirely though too.


Registered: Jan 2000  |  IP: Logged
Saltah'na
Chinese Canadian, or 75% Commie Bastard.
Member # 33

 - posted
Speaking of Viruses, I just found out that my HD was infected with the BackDoor SubSeven virus. Fortunately for me, my virus scan did a weekly check and managed to detect it before it did any serious damage. How it got in there is beyond me.

------------------
"My Name is Elmer Fudd, Millionaire. I own a Mansion and a Yacht."
Psychiatrist: "Again."


Registered: Mar 1999  |  IP: Logged
Teelie
Senior Member
Member # 280

 - posted
Must've snuck in on you through a downloaded file. That or someone stuck it there.
Registered: Jan 2000  |  IP: Logged
Saltah'na
Chinese Canadian, or 75% Commie Bastard.
Member # 33

 - posted
Must be that someone stuck it there. I've downloaded many things from mostly corporate sites. Unless their servers were corrupted with the Sub-Seven virus.

------------------
"My Name is Elmer Fudd, Millionaire. I own a Mansion and a Yacht."
Psychiatrist: "Again."


Registered: Mar 1999  |  IP: Logged
   

© 1999-2024 Charles Capps

Powered by UBB.classic™ 6.7.3