HACKETT-L Archives
From: Howard Johnston <>
Subject: Re: [HACKETT-L] warning: don't open the Snow White story!!
Date: Tue, 13 Feb 2001 16:35:12 -0700
References: <3A8800EC.6BD76815@cableone.net>
Kim --
Thanks for posting this virus warning. I've noticed that it certainly has been getting around!
It certainly is a good reminder to upgrade your anti-virus program.
Howard Johnston
Kim Pollard wrote:
> I'm sure all of you know this already, but I wanted to warn you if you
> didn't. The Snow White story that has been passed from HAHAHA is
> infected with a virus in the attachment Dwarf4U. Get rid of it fast.
>
> If I have passed this on I am truly sorry. Be sure to rid it from your
> deleted folder too.
>
> Kim
> I received this write-up and thought it was interesting.
>
> Symantec
> AntiVirus Research Center (SARC)
>
> http://www.symantec.com/avcenter
>
> W95.Hybris.Plugin
>
> Discovered on: December 21, 2000
> Last Updated on: January 25, 2001 at 12:28:33 PM PST
>
> W95.Hybris.plugin is a generic detection for any of the encrypted
> plug-ins that are downloaded by the W95.Hybris.gen worm.
>
> Category: Worm
>
> Virus Definitions: December 21, 2000
>
> Threat Assessment:
>
> Wild: High
> Damage: Low
> Distribution: High
>
> Wild:
>
> Number of infections: 50 - 999
> Number of sites: More than 10
> Geographical distribution: Medium
> Threat containment: Moderate
> Removal: Moderate
>
> Technical description:
>
> After infecting a system, the W95.Hybris.gen worm attempts to connect to
> the newsgroup alt.comp.virus. If the worm connects successfully, it does
> the following:
>
> 1. Uploads its own encrypted plug-ins to this newsgroup.
> 2. Goes through the subject headers of the newsgroup messages, looks for
> other attached plug-ins, and tries to match a specific format. The
> subject header will specify the version number of the attached plug-in.
> 3. If a newer version of a plug-in is found, the worm downloads the more
> recent module and updates its behavior.
>
> NOTE: There are numerous plug-ins available, and they have different
> characteristics. The most common one displays a large spiral that covers
> the Windows desktop and prevents you from using Windows. Another plug-in
> has similar behavior, but displays a solid black circle.
>
> The plug-ins may do one or more of the following:
>
> Generates a spiral image. Depending on system date and time (September 16
> and 24, and on 59 minutes of each hour starting in 2001), the spiral image
> file is run. Upon execution, this plug-in initially loads OpenGL libraries
> that are used to display a large black and white spiral image. It also
> registers itself as a service, which prevents the process from being
> displayed in the Close Program dialog box.
>
> Infects DOS executable programs. The DOS .exe infection is a fairly simple
> dropping technique. The virus code is appended to the end of the file with
> a small 16-bit dropper routine. This routine creates a temporary file with
> an .exe extension in the \Temp folder, and then executes it. After that,
> the routine deletes the temporary executable. This infects the Wsock32.dll
> file with the worm.
>
> Infects PE executable programs. The PE executable has a much more
> complicated file infection routine. Only large PE files that have a code
> section long enough will be infected. The virus infection plug-in packs
> the original code area and overwrites it, if it will fit in the same
> place. This complicated antiheuristic infection technique is difficult
> (but not impossible) to repair. Currently SARC detects this plug-in as
> W95.Hybris.F. A removal tool (the W95.HybrisF fix tool) has been created
> to remove this plug-in.
>
> Infects all .zip and .rar archives on all available drives from C: to Z:.
> While infecting the .zip and .rar files, the worm renames .exe files in
> the archive to .ex$ extensions, and adds its copy of the worm to the
> archive with a .exe extension (this is the companion method of infection).
>
> Sends messages with encoded plug-ins to the alt.comp.virus newsgroup, and
> then gets new plug-ins from there.
>
> Spreads the worm to remote computers that are infected with the
> Backdoor.SubSeven Trojan. The plug-in detects such computers on the Web,
> and by using SubSeven commands, uploads a copy of the worm to the
> SubSeven infected computer.
>
> Encrypts worm copies with polymorphic encryption loop before sending the
> copy to others as an email attachment.
>
> Removal instructions:
>
> General removal instructions:
>
> 1. Run LiveUpdate to make sure that you have the most recent virus
> definitions.
> 2. Make sure that Norton AntiVirus is set to scan all files.
> 3. Restart the computer in Safe mode (Windows 95/98/Me).
> 4. Run a full system scan.
> If Norton AntiVirus detects W32.HybrisF, reboot into Normal mode and
> download and run the W95.HybrisF fix tool. This tool will repair any
> Windows executable files that have been infected by the
> W32.HybrisF.plugin.
> If Norton AntiVirus detects an infection other than W32.HybrisF, choose
> to repair any infected files. If Norton AntiVirus cannot repair the
> files, choose to delete them.
> 5. When the scan is finished, reboot into Normal Mode.
>
> Removal instructions for the black and white spiral or black circle:
> The spiral or circle loads from the run= line of the Win.ini file. In
> most cases, because the spiral will prevent you from opening programs,
> you need to:
>
> 1. Run LiveUpdate and run a full system scan.
> 2. Restart the computer in Safe mode.
> 3. Make sure Windows is set to show all files.
> 4. Remove the reference to the plug-in from the Run line of the
> Win.ini file.
> 5. Find and delete the plug-in itself.
>
> To update and scan:
>
> 1. Run LiveUpdate to make sure that you have the latest virus
> definitions.
> 2. Run a full system scan.
>
> To restart the computer in Safe mode:
>
> Windows 95:
> 1. Exit all programs.
> 2. Click Start, and then click Shut Down. The Shut Down
> Windows dialog box appears.
> 3. Click Restart, and then click OK.
> 4. When "Starting Windows 95..." appears on the screen, press
> F8. The Windows 95 Startup Menu
> appears.
> 5. Press the number that corresponds to Safe mode, and then
> press Enter. Windows will start in Safe mode.
> Windows 98:
> 1. Click Start, and then click Run.
> 2. Type msconfig and then click OK. The System Configuration
> Utility dialog box appears.
> 3. Click Advanced on the General tab.
> 4. Check Enable Startup Menu, click OK, and then click OK
> again.
> 5. Exit all programs.
> 6. Click Start, and then click Shut Down. The Shut Down
> Windows dialog box appears.
> 7. Click Restart, and then click OK. The computer restarts.
> 8. When the Windows 95 Startup Menu appears, press the number
> that corresponds to Safe mode, and then
> press Enter. Windows will start in Safe mode.
>
> To set Windows to show all files:
>
> 1. Start Windows Explorer.
> 2. Click the View menu (Windows 95/98) or the Tools menu (Windows
> Me), and then click Options or Folder
> Options.
> 3. Click the View tab, and uncheck, if necessary, Hide file
> extensions for known file types.
> 4. Click Show all files and click OK.
>
> To edit the Win.ini file:
>
> 1. Click Start, and then click Run.
> 2. Type sysedit and then click OK.
> 3. Click the title bar of the Win.ini file.
> 4. In the [windows] section, locate the Run= line, and note what
> follows the = sign. For example, you may see:
>
> run=C:\Windows\System\amiaamia.exe
>
> Write down the file name, for example, amiaamia.exe.
>
> 5. Place the cursor to the right of the = sign and delete the text
> that follows it. When finished, it should look like:
>
> run=
>
> 6. Click the File menu, and then click Exit. Click Yes when
> prompted to save changes.
>
> To delete the plug-in file:
>
> 1. Click Start, point to Find, and then click Files or Folders.
> 2. Make sure that Look in is set to (C:) and that Include
> subfolders is checked.
> 3. In the Named box, type the file name that you wrote down in step
> 7.
> 4. Click Find Now.
> 5. When the file is found, select it, press Delete, and then click
> Yes to confirm.
> 6. Restart the computer in normal mode.
>
> NOTE: The file name that is referred to in step 7 is an example only. The
> plug-in that makes the entry in the Win.ini file creates a somewhat random
> file name. (It is not completely random, as multiple cases of the same
> file name have been reported.) The file name will usually consist of eight
> letters with the .exe extension. The name consists of a sequence of four
> letters which are then repeated. For example:
>
> Gbpkgbpk.exe
> Aboaaboa.exe
> Enpeenpe.exe
> Agaiagai.exe
>
> NOTE: For Windows 98 users only, if you used the Microsoft System
> Configuration Utility to enable the startup menu,
> then you can disable it at this time. Please follow these steps to do
> so:
>
> 1. Click Start, and then click Run.
> 2. Type msconfig and then click OK. The System Configuration
> Utility dialog box appears.
> 3. Click Advanced on the General tab.
> 4. Uncheck Enable Startup Menu, click OK, and then click OK again.
> 5. Restart the computer.
>
> If Norton AntiVirus continues to detect the plug-ins:
> If NAV continues to detect the plug-ins after the previous removal steps
> have been followed, please do the following:
>
> NOTE: You must be using NAV 5.0 or later.
>
> 1. Restart the computer in Safe mode.
> 2. Click Start, point to Find, and then click Files or Folders.
> 3. Make sure that Look in is set to (C:) and that Include
> subfolders is checked.
> 4. In the Named box, type the following and then click Find Now:
>
> wsock32.dll
>
> Windows will find the file and display it in the lower pane of the Find
> dialog box.
>
> 5. Right-click the Wsock32.dll file, and then click Copy.
> 6. Close the Find: All Files window.
> 7. Right-click the Windows desktop (or the folder of your choice)
> and then click Paste.
> 8. Start Norton AntiVirus and quarantine the new copy of the wsock32.dll
> and submit it to SARC for analysis using Scan and Deliver.
> 9. When you receive the automated reply, if SARC indicates that the file
> is not infected, then post a message to the Symantec Online Technical
> Support Virus Information discussion group at the following location:
>
> http://servicenews.symantec.com/cgi-bin/browse.cgi?group=symantec.support.generic.virus.general
>
> Please include the SARC tracking number as well as an explanation of what
> was done to remove the plug-in.
>
> Write-up by: Richard Cave
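Two of the indicators in the write-up above are mechanical enough to check with a script rather than by eye: the run= entry in Win.ini whose file name is four letters repeated plus .exe (Gbpkgbpk.exe, amiaamia.exe), and the companion infection of .zip archives, where the original .exe is renamed to .ex$ and a worm copy is added under the old .exe name. The following Python is an added example written for this archive page; it is not Symantec's tool and not code from the list. It assumes the naming pattern and the .ex$/.exe pairing are exactly as the write-up describes, and the Win.ini fragment and zip archives it inspects are constructed inline (it reads no real system files). Only .zip is handled, since the standard library has no .rar reader.

```python
"""Triage helpers for two W95.Hybris indicators from the Symantec write-up.

Constructed example for this archive page, not Symantec's or the list's code.
Assumed: the run= entry name pattern (four letters repeated, .exe) and the
.ex$ / .exe companion pairing inside archives are exactly as the write-up
describes; the Win.ini text and the zip archives below are constructed here.
"""
import io
import re
import zipfile
from typing import List, Tuple

# Eight letters made of one four-letter group repeated, plus .exe
# (gbpkgbpk.exe, amiaamia.exe). Matched against a lower-cased name, since
# Windows file names are case-insensitive.
HYBRIS_NAME_RE = re.compile(r"^([a-z]{4})\1\.exe$")


def is_hybris_style_name(path: str) -> bool:
    """True if the file-name part of path fits the plug-in naming pattern."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return HYBRIS_NAME_RE.match(base.lower()) is not None


def suspicious_run_entries(win_ini_text: str) -> List[str]:
    """Entries on the run= or load= line of [windows] whose name fits the pattern."""
    section = None
    hits: List[str] = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("run", "load"):
            # Win.ini allows several programs on one line, separated by
            # spaces or commas. Splitting on those breaks paths containing
            # spaces; such a path still gets its last token checked.
            for entry in re.split(r"[,\s]+", value.strip()):
                if entry and is_hybris_style_name(entry):
                    hits.append(entry)
    return hits


def companion_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """(renamed original, injected copy) pairs: an .ex$ entry next to an .exe
    with the same stem, the companion layout the write-up describes for .zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    by_lower = {n.lower(): n for n in names}
    pairs: List[Tuple[str, str]] = []
    for name in names:
        if name.lower().endswith(".ex$"):
            twin = by_lower.get(name[:-4].lower() + ".exe")
            if twin is not None:
                pairs.append((name, twin))
    return pairs


def build_sample_archive(infected: bool) -> bytes:
    """Constructed .zip: a clean one, or one with the rename-plus-companion layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if infected:
            zf.writestr("tools/setup.ex$", b"MZ original program (renamed by the worm)")
            zf.writestr("tools/setup.exe", b"MZ worm copy posing as the program")
        else:
            zf.writestr("tools/setup.exe", b"MZ original program")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


# Constructed Win.ini fragment; the run= entry uses a name from the write-up.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Gbpkgbpk.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""


if __name__ == "__main__":
    print("run= entries fitting the pattern:", suspicious_run_entries(SAMPLE_WIN_INI))
    print("companion pairs (infected sample):", companion_pairs(build_sample_archive(True)))
    print("companion pairs (clean sample):", companion_pairs(build_sample_archive(False)))
```

The name check is deliberately narrow: it flags only the eight-letter repeated pattern the write-up gives, so a run= entry pointing at a differently named plug-in passes silently, and the final word still belongs to a scan with current definitions. The archive check reports the pair rather than deleting anything, so the .ex$ entry, which is the user's original program, can be restored by hand after the worm copy is removed.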