
Snow white Virus worse than the lovebug

  • 24-04-2001 7:15pm
    #1
    Registered Users, Registered Users 2 Posts: 1,004 ✭✭✭


    Not exactly new .. discovered in September ... but it seems to be spreading fast now.

    I got it emailed yesterday but deleted it straight away. Just talking to OctaviaN on IRC and he got it yesterday ... computer was completely screwed over and he just finished re-installing everything.

    From: Hahaha [hahaha@sexyfun.net]

    Subject: Snowhite and the Seven Dwarfs - The REAL story!

    Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

    Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe

    snipped this from SARC:

    When the worm attachment is executed, the Wsock32.dll file is modified or replaced. Once the worm has infected wsock32.dll, it has the ability to monitor the Internet connection as well as incoming and outgoing email traffic. The worm then scans for email addresses. When an email address is detected whether on an Internet site or in email being sent or received, the worm waits for a period of time and then sends an infected message to the detected address.

    The worm attempts to connect to the alt.comp.virus newsgroup. If it connects successfully, then the worm uploads its own plug-ins to this newsgroup in an encrypted form. It goes through the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if the plug-ins are present. If newer versions of the plug-ins are found, the worm downloads them and updates its behavior.

    One of the plug-ins for W95.Hybris.gen generates a spiral image. Upon execution, the plug-in initially loads OpenGL libraries which are used to draw a large black and white spiral image. It also registers itself as a service; this prevents it from being displayed in the Close Programs dialog box.

    This is much more intelligent, or at least sophisticated, than the simple lovebug, but doesn't seem to do a large amount of damage.


    [This message has been edited by Lord Khan (edited 24-04-2001).]
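
A mail-gateway style check built from the indicators quoted in the post above (reported sender address, `.scr`/`.exe` attachment names), as an added example that is not part of the original thread or of any vendor's tooling. The function names, the sample message and the extensions beyond `.scr`/`.exe` are assumptions made for the example; a sender address is easily forged, so the attachment check is the one that carries the weight.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender and attachment names come from the post above. Extensions beyond
# .scr/.exe are an assumption added for this example.
REPORTED_SENDER = "hahaha@sexyfun.net"
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}


def scan(raw_bytes):
    """Return a list of reasons to quarantine the message (empty list = pass)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == REPORTED_SENDER:
        reasons.append("sender " + sender)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        # Windows ignores trailing dots and spaces, so strip them before
        # taking the last extension; this also catches "photo.jpg.scr".
        clean = name.rstrip(". ").lower()
        ext = "." + clean.rsplit(".", 1)[1] if "." in clean else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append("attachment " + name)
    return reasons


def build_sample(sender, filenames):
    """Constructed test message; attachment bytes are harmless placeholders."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Snowhite and the Seven Dwarfs - The REAL story!"
    msg.set_content("constructed body")
    for fn in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample("Hahaha <hahaha@sexyfun.net>", ["notes.txt", "midgets.scr"])
    print(scan(raw))
```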


Comments

  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭yossarin


    I got that & thought it was from my sister (her mail is hahaha@asdasdf) - it's a bítch to get rid of and I'm still recovering.
    It's binary - this ain't no vb script

    - a good (free! - best of all :)
    http://antivirus.cai.com/

    you gotta register with them, but it's a small price to pay for free stuff


  • Registered Users, Registered Users 2 Posts: 1,481 ✭✭✭satchmo


    yeah, it's been around TCD for a few weeks now too.


  • Registered Users, Registered Users 2 Posts: 1,004 ✭✭✭Lord Khan


    yeah ... problem is ... it's starting to show up in UL now ... and most people here weren't smart enough not to open the ILOVEYOU virus files.

    so I'm not looking forward to the future here ... the part I hate is the whole ... part of it scanning web pages for email addresses


  • Registered Users, Registered Users 2 Posts: 932 ✭✭✭yossarin


    It's called hybris, or W95.Hybris.gen
    the page Lord Khan is quoting:
    http://service1.symantec.com/sarc/sarc.nsf/html/W95.Hybris.gen.html
    for more on how it spreads.
    It seems to be the usual mix of putting references to itself all over the place in your system - it also infects your executables, which is annoying as hell.



  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭Cr8or


    I was sent that joke.exe but me not trusting exe files I deleted the mail :P

    hmmm


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    Got it about 3 weeks ago, but I was drunk and instead of deleting it I forwarded it to a lot of my mates with a warning in the title.

    All those not using web based email accounts were a little ****ed...

