Title: VIRUS WARNING- Snowhite and the Seven Dwarfs - The REA
The following virus-laden message, with the sender "Hahaha", has been appearing very frequently on Australian mailing lists over the last few days (I've received five different copies as of 6.30pm Friday).

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
polite with Snowhite. When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
Dwarfs enter...


Content-Type: application/octet-stream; name="sexy virgin.scr"
Content-Disposition: attachment; filename="sexy virgin.scr"
Attachment converted: Macintosh HD:sexy virgin.scr (????/----) (00014972)

The attachment to this message contains a virus. DELETE any attachments that came with it WITHOUT OPENING THEM (variant names exist for the attachments, e.g. joke.exe, sexy virgin.scr etc. Other names may appear at random).

This one is for real folks. It will only affect Windows machines. Macintosh users are, as usual, immune, but may unwittingly spread the infection.

The Symantec site http://www.symantec.com/avcenter/venc/data/w32.hybris.gen.html has the following advice:

When the worm attachment is executed, the WSOCK32.DLL file will be modified or replaced. This will give the worm the ability to attach itself to all outbound email. The email attachment will have a random name but the filename extension is either EXE or SCR.
The worm attempts to connect to the newsgroup alt.comp.virus. After it connects successfully, the worm uploads its own plug-ins in an encrypted form to this newsgroup. It goes through the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if these plug-ins are indeed present. If a newer version of plug-ins is found, the worm downloads these modules and updates its behavior. For example, there are known modules that give the worm the ability to infect compressed files like ZIP.
If WSOCK32.DLL is being used by the system, the worm will be unable to modify this file. Thus, in this situation, the worm will add a registry key to one of the following subtrees:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
It will always alternate between these two trees mentioned above as the worm spreads from one machine to another. The worm hooks on the following exports on WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an email to a person, the worm will also send out another email to the same person attaching a copy of itself using a randomly generated filename.

Removal:

Use Norton AntiVirus to repair the infected WSOCK32.DLL. Other files detected as W32.Hybris contain only the virus body and must be deleted.
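A small mail-side check that a list administrator could run over an mbox before forwarding, as an added example that is not part of the original post or of Symantec's advice. It pulls together the indicators the post gives (sender display name "Hahaha", the "Snowhite" decoy text, an attachment ending in EXE or SCR) using only Python's standard email library; the two sample messages are constructed inline with inert bytes and the addresses are placeholders.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators drawn from the post: sender display name "Hahaha", the
# "Snowhite" decoy text, and an attachment whose extension is .exe or .scr.
SENDER_MARKER = "hahaha"
BODY_MARKERS = ("snowhite", "seven dwarfs")
SUSPECT_EXTENSIONS = {".exe", ".scr"}


def hybris_indicators(raw_message: bytes) -> dict:
    """Parse one RFC 822 message and report which indicators it matches.

    The message is only flagged as suspect when an EXE/SCR attachment is
    present together with the sender or body marker, so a plain-text
    mention of the worm (like a warning such as this one) is not flagged.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = {"sender": False, "body": False, "attachments": []}

    hits["sender"] = SENDER_MARKER in (msg.get("From") or "").lower()

    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or ""
            ext = os.path.splitext(name)[1].lower()  # catches .SCR as well as .scr
            if ext in SUSPECT_EXTENSIONS:
                hits["attachments"].append(name)
        elif part.get_content_type() == "text/plain":
            text = part.get_content().lower()
            if any(marker in text for marker in BODY_MARKERS):
                hits["body"] = True

    hits["suspect"] = bool(hits["attachments"]) and (hits["sender"] or hits["body"])
    return hits


def _build_sample(sender: str, body: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample message offline (made up for this example)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "list@example.invalid"   # placeholder address
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed look-alike of the message quoted in the post (inert bytes, not the worm).
SAMPLE_SUSPECT = _build_sample(
    "Hahaha <hahaha@example.invalid>",
    "Today, Snowhite was turning 18. The 7 Dwarfs always where very educated...",
    "sexy virgin.scr",
    b"not a real executable",
)

# Constructed benign message: ordinary sender, ordinary text attachment.
SAMPLE_BENIGN = _build_sample(
    "Rod <rod@example.invalid>",
    "Minutes from Friday's meeting attached.",
    "minutes.txt",
    b"1. Apologies\n2. Agenda\n",
)

if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, hybris_indicators(sample))
```

The attachment extension is the decisive indicator, because the post notes the worm varies the filename itself; the sender and body markers only reduce false positives on legitimate EXE/SCR mail, and they would need updating if a plug-in changed the decoy text.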

Cheers

Rod
--
Rod Hagen
[EMAIL PROTECTED]
Hurstbridge, Victoria, Australia
WWW    http://www.netspace.net.au/~rodhagen
