HACKETT-L Archives



From: Kim Pollard <>
Subject: [HACKETT-L] warning: don't open the Snow White story!!
Date: Mon, 12 Feb 2001 09:27:41 -0600


I'm sure all of you know this already, but I wanted to warn you if you
didn't. The Snow White story that has been passed from HAHAHA is
infected with a virus in the attachment Dwarf4U. Get rid of it fast.

If I have passed this on I am truly sorry. Be sure to rid it from your
deleted folder too.

Kim
I received this write-up and thought it was interesting.



Symantec
AntiVirus Research Center (SARC)

http://www.symantec.com/avcenter


W95.Hybris.Plugin

Discovered on: December 21, 2000
Last Updated on: January 25, 2001 at 12:28:33 PM PST



W95.Hybris.plugin is a generic detection for any of the encrypted
plug-ins that are downloaded by the W95.Hybris.gen
worm.

Category: Worm

Virus Definitions: December 21, 2000

Threat Assessment:

  Wild:          High
  Damage:        Low
  Distribution:  High



Wild:

Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Technical description:

After infecting a system, the W95.Hybris.gen worm attempts to connect to
the newsgroup alt.comp.virus. If the worm
connects successfully, it does the following:


1. Uploads its own encrypted plug-ins to this newsgroup.
2. Goes through the subject headers of the newsgroup messages, looks
   for other attached plug-ins, and tries to match a specific format.
   The subject header will specify the version number of the attached
   plug-in.
3. If a newer version of a plug-in is found, the worm downloads the
   more recent module and updates its behavior.


NOTE: There are numerous plug-ins available, and they have different
characteristics. The most common one displays a
large spiral that covers the Windows desktop and prevents you from using
Windows. Another plug-in has similar behavior,
but displays a solid black circle.

The plug-ins may do one or more of the following:

- Generates a spiral image. Depending on system date and time
  (September 16 and 24, and on 59 minutes of each hour starting in
  2001), the spiral image file is run. Upon execution, this plug-in
  initially loads OpenGL libraries that are used to display a large
  black and white spiral image. It also registers itself as a service,
  which prevents the process from being displayed in the Close Program
  dialog box.
- Infects DOS executable programs. The DOS .exe infection is a fairly
  simple dropping technique. The virus code is appended to the end of
  the file with a small 16-bit dropper routine. This routine creates a
  temporary file with an .exe extension in the \Temp folder, and then
  executes it. After that, the routine deletes the temporary
  executable. This infects the Wsock32.dll file with the worm.
- Infects PE executable programs. The PE executable has a much more
  complicated file infection routine. Only large PE files that have a
  code section long enough will be infected. The virus infection
  plug-in packs the original code area and overwrites it, if it will
  fit in the same place. This complicated antiheuristic infection
  technique is difficult (but not impossible) to repair. Currently SARC
  detects this plug-in as W95.Hybris.F. A removal tool, the
  W95.HybrisF fix tool, has been created to remove this plug-in.
- Infects all .zip and .rar archives on all available drives from C:
  to Z:. While infecting the .zip and .rar files, the worm renames .exe
  files in the archive to .ex$ extensions, and adds its copy of the
  worm to the archive with a .exe extension (this is the companion
  method of infection).
- Sends messages with encoded plug-ins to the alt.comp.virus
  newsgroup, and then gets new plug-ins from there.
- Spreads the worm to remote computers that are infected with the
  Backdoor.SubSeven Trojan. The plug-in detects such computers on the
  Web, and by using SubSeven commands, uploads a copy of the worm to
  the SubSeven infected computer.
- Encrypts worm copies with a polymorphic encryption loop before
  sending the copy to others as an email attachment.



Removal instructions:

General removal instructions:

1. Run LiveUpdate to make sure that you have the most recent virus
   definitions.
2. Make sure that Norton AntiVirus is set to scan all files.
3. Restart the computer in Safe mode (Windows 95/98/Me).
4. Run a full system scan.
   - If Norton AntiVirus detects W32.HybrisF, reboot into Normal
     mode and download and run the W95.HybrisF fix tool. This tool
     will repair any Windows executable files that have been infected
     by the W32.HybrisF.plugin.
   - If Norton AntiVirus detects an infection other than W32.HybrisF,
     choose to repair any infected files. If Norton AntiVirus cannot
     repair the files, choose to delete them.
5. When the scan is finished, reboot into Normal Mode.


Removal instructions for the black and white spiral or black circle:
The spiral or circle loads from the run= line of the Win.ini file. In
most cases, because the spiral will prevent you from
opening programs, you need to:

1. Run LiveUpdate and run a full system scan.
2. Restart the computer in Safe mode.
3. Make sure Windows is set to show all files.
4. Remove the reference to the plug-in from the Run line of the
Win.ini file.
5. Find and delete the plug-in itself.


To update and scan:

1. Run LiveUpdate to make sure that you have the latest virus
definitions.
2. Run a full system scan.


To restart the computer in Safe mode:

Windows 95:
1. Exit all programs.
2. Click Start, and then click Shut Down. The Shut Down
Windows dialog box appears.
3. Click Restart, and then click OK.
4. When "Starting Windows 95..." appears on the screen, press
F8. The Windows 95 Startup Menu
appears.
5. Press the number that corresponds to Safe mode, and then
press Enter. Windows will start in Safe mode.
Windows 98:
1. Click Start, and then click Run.
2. Type msconfig and then click OK. The System Configuration
Utility dialog box appears.
3. Click Advanced on the General tab.
4. Check Enable Startup Menu, click OK, and then click OK
again.
5. Exit all programs.
6. Click Start, and then click Shut Down. The Shut Down
Windows dialog box appears.
7. Click Restart, and then click OK. The computer restarts.
8. When the Windows 95 Startup Menu appears, press the number
that corresponds to Safe mode, and then
press Enter. Windows will start in Safe mode.



To set Windows to show all files:

1. Start Windows Explorer.
2. Click the View menu (Windows 95/98) or the Tools menu (Windows
Me), and then click Options or Folder
Options.
3. Click the View tab, and uncheck, if necessary, Hide file
extensions for known file types.
4. Click Show all files and click OK.


To edit the Win.ini file:

1. Click Start, and then click Run.
2. Type sysedit and then click OK.
3. Click the title bar of the Win.ini file.
4. In the [windows] section, locate the Run= line, and note what
follows the = sign. For example, you may see:

run=C:\Windows\System\amiaamia.exe

Write down the file name, for example, amiaamia.exe.

5. Place the cursor to the right of the = sign and delete the text
that follows it. When finished, it should look like:

run=

6. Click the File menu, and then click Exit. Click Yes when
prompted to save changes.


To delete the plug-in file:

1. Click Start, point to Find, and then click Files or Folders.
2. Make sure that Look in is set to (C:) and that Include
subfolders is checked.
3. In the Named box, type the file name that you wrote down in step
7.
4. Click Find Now.
5. When the file is found, select it, press Delete, and then click
Yes to confirm.
6. Restart the computer in normal mode.



NOTE: The file name that is referred to in step 7 is an example only.
The plug-in that makes the entry in the Win.ini file
creates a somewhat random file name. (It is not completely random, as
multiple cases of the same file name have been
reported.) The file name will usually consist of eight letters with the
.exe extension. The name consists of a sequence of four
letters which are then repeated. For example:

Gbpkgbpk.exe
Aboaaboa.exe
Enpeenpe.exe
Agaiagai.exe
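As an added example (not part of the write-up or any Symantec tool), the Python script below applies two of the indicators described above to offline input: it reads the run= line of the [windows] section of a Win.ini file and flags a file name made of four letters repeated plus .exe, and it spots the .ex$/.exe companion pairs the archive-infection plug-in leaves inside .zip and .rar listings. The Win.ini contents and the archive entry names are constructed samples, and the name pattern is taken literally from the note above (eight letters, a four-letter sequence repeated).

```python
import re

# Constructed sample Win.ini contents, modelled on the write-up's example.
SAMPLE_WIN_INI = """[windows]
run=C:\\Windows\\System\\amiaamia.exe
[Desktop]
Wallpaper=(None)
"""

# Constructed archive listing: an .exe renamed to .ex$ beside a same-named
# .exe is the companion pattern the write-up describes.
SAMPLE_ARCHIVE_ENTRIES = ["readme.txt", "setup.ex$", "setup.exe", "notes.doc"]

# Four letters followed by the same four letters, then .exe (write-up pattern).
HYBRIS_NAME_RE = re.compile(r"^([a-z]{4})\1\.exe$")


def win_ini_run_value(text):
    """Return the value of run= in the [windows] section ('' if absent)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                return value.strip()
    return ""


def is_hybris_style_name(path):
    """True if the base name is four letters repeated with an .exe extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return HYBRIS_NAME_RE.match(name.lower()) is not None


def companion_pairs(entries):
    """Archive entries where X.ex$ sits next to X.exe (companion infection)."""
    names = {e.lower() for e in entries}
    return sorted(e for e in entries
                  if e.lower().endswith(".ex$") and e.lower()[:-4] + ".exe" in names)


def triage(win_ini_text, archive_entries):
    """Combine both checks into one report for a defender to review."""
    run_value = win_ini_run_value(win_ini_text)
    return {"run_value": run_value,
            "run_suspicious": bool(run_value) and is_hybris_style_name(run_value),
            "companion_pairs": companion_pairs(archive_entries)}


if __name__ == "__main__":
    print(triage(SAMPLE_WIN_INI, SAMPLE_ARCHIVE_ENTRIES))
```

A run= entry that is non-empty but does not match the pattern still deserves a look, since the note says the names are only usually of that form.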


NOTE: For Windows 98 users only, if you used the Microsoft System
Configuration Utility to enable the startup menu,
then you can disable it at this time. Please follow these steps to do
so:

1. Click Start, and then click Run.
2. Type msconfig and then click OK. The System Configuration
Utility dialog box appears.
3. Click Advanced on the General tab.
4. Uncheck Enable Startup Menu, click OK, and then click OK again.
5. Restart the computer.


If Norton AntiVirus continues to detect the plug-ins:
If NAV continues to detect the plug-ins after the previous removal steps
have been followed, please do the following:

NOTE: You must be using NAV 5.0 or later.

1. Restart the computer in Safe mode.
2. Click Start, point to Find, and then click Files or Folders.
3. Make sure that Look in is set to (C:) and that Include
subfolders is checked.
4. In the Named box, type the following and then click Find Now:

wsock32.dll

Windows will find the file and display it in the lower pane of the
Find dialog box.

5. Right-click the Wsock32.dll file, and then click Copy.
6. Close the Find: All Files window.
7. Right-click the Windows desktop (or the folder of your choice)
and then click Paste.
8. Start Norton AntiVirus and quarantine the new copy of the
wsock32.dll and submit it to SARC for analysis using
Scan and Deliver.
9. When you receive the automated reply, if SARC indicates that the
   file is not infected, then post a message to the Symantec Online
   Technical Support Virus Information discussion group at the
   following location:


http://servicenews.symantec.com/cgi-bin/browse.cgi?group=symantec.support.generic.virus.general

Please include the SARC tracking number as well as an explanation
of what was done to remove the plug-in.




Write-up by: Richard Cave

