The "Galaxy" virus

greenspun.com : LUSENET : Unofficial Newcastle United Football Club BBS : One Thread

Gal - some time ago, your 'puter went sick. You described it as a spiral on the screen. Well, guess what - you'd (or rather it'd) been infected by the W95.Hybris.gen virus. I found this write-up while I was searching for Anna Kournikova. Seems you might have opened an attachment entitled something like one of these:

anpo porn(.scr
atchim.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr

I don't think I'll go any further.............

-- Anonymous, February 13, 2001

Answers

....so that's Galaxy's reputation in tatters, not to mention your own Screach!
Did you manage to find that celebrity porn site then?

-- Anonymous, February 13, 2001

Oh the shame!!!!! I'll never be able to show my face on here again!!! I blame it on my confused upbringing, and Binns! The first visit to Father Christmas that I can remember was to Binns, and it was definitely Santa Claus and the Seven Dwarfs!!! No really, I mean it - no mention of reindeer or anything (which, in view of the circumstances of this posting, can only be a good thing!)

However, I definitely remember an e-mail like that coming in, well you would, wouldn't you, but, hand on heart, I didn't open it (I thought it was from ITK (;o))! Only joking! I'm dead wary of any attachments.

I'm delighted that someone else has found it though - I was beginning to think I was losing my marbles. BTW, can't get the link to open, and I really would like to know how the virus works.

Yours sincerely

-- Anonymous, February 13, 2001


Ah - maybe it's an "internal only" website. Anyway, it's supposed to be the 2nd most prolific virus (along with its variants).

Here's a (long) description from the site:

W95.Hybris.gen

Discovered on: September 25, 2000


W95.Hybris is a worm that spreads by email as an attachment to outgoing email messages.

The email message or subject may include the text "Snow White and the Seven dwarves," and the attachment may have one of several different names, including, but not limited to:

anpo porn(.scr
atchim.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr

Also Known As: W32.Hybris.gen, W32.Hybris.22528.dr, W32/Hybris.gen@M, I-Worm.Hybris

Category: Worm

Virus Definitions: September 25, 2000

Threat Assessment:

Wild: High
Damage: Low
Distribution: High

Wild:

Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Distribution:

Name of attachment: Random with EXE or SCR file name extension

Technical description:

When the worm attachment is executed, the Wsock32.dll file is modified or replaced. This enables the worm to attach itself to all outbound email. The email attachments have random names, but the file extension is either .exe or .scr.

The worm attempts to connect to the alt.comp.virus newsgroup. If it connects successfully, then the worm uploads its own plug-ins to this newsgroup in an encrypted form. It goes through the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if the plug-ins are present. If newer versions of the plug-ins are found, the worm downloads them and updates its behavior.

One of the plug-ins for W95.Hybris.gen generates a spiral image. Upon execution, the plug-in initially loads OpenGL libraries which are used to draw a large black and white spiral image. It also registers itself as a service; this prevents it from being displayed in the Close Programs dialog box. For additional information on this, see the document W95.Hybris.plugin.

This worm also has a plug-in that infects executable programs. The DOS EXE infection is a fairly simple dropping technique. The virus code is appended to the end of the file with a small 16-bit dropper routine. This routine creates a temporary file with an .exe extension in the TEMP folder and executes it. It then deletes the temporary executable. In this way, Wsock32.dll is infected with the actual worm body. The PE executables have a much more complicated file infection process. PE files become infected only if they have a long enough code section. The virus infection plug-in packs the original code area and overwrites it if it will fit in the same place. This complicated antiheuristic infection technique is difficult but possible to repair.

If Wsock32.dll is being used by the system, the worm cannot modify it. In this situation, the worm will add a registry entry to one of the following subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

It always alternates between these two keys as the worm spreads from one computer to another. The worm hooks onto the following exports of Wsock32.dll:

send()
recv()
connect()

Whenever you send email, the worm sends a second message to the same person, attaching a copy of itself using a randomly generated file name.

Removal instructions:

To remove the W95.Hybris.gen worm, follow these steps:

1. Run LiveUpdate to ensure that you have the most recent virus definitions. They must be dated September 25, 2000, or later.

2. Start NAV, and perform a full system scan. Make sure that NAV is set to scan all files. When an infected file is detected, do the following:

When Wsock32.dll is detected as infected, choose Repair. In most cases, NAV can repair this file. If NAV cannot repair the file, then you will need to replace it from the Windows installation CD. If you need to replace this file, see the instructions in the next section.

NOTE: If NAV cannot repair Wsock32.dll when Windows is in normal mode, then try to repair it in Safe Mode. This is particularly true if you are connected to a network; in this case you may see a "sharing violation" message when NAV attempts the repair. To try this, restart the computer in Safe Mode. If this is not successful, then you must extract a new copy as explained in the next section.

Delete all other detected files; their contents have been overwritten by the worm. You must restore them from backups or, in the case of application software, reinstall the programs.

3. If you see a rotating spiral on the Windows desktop, you must follow additional steps to remove it. See the section To remove the rotating spiral.

To extract a new copy of the Wsock32.dll file:

This is necessary only if Wsock32.dll cannot be repaired. You need to use the Extract command at a DOS prompt. Follow these steps to do this, using the instructions for your operating system.

NOTES: Have the Windows installation CD available. When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type

extract /a d:\win98\precopy1.cab wsock32.dll /L c:\windows\system

If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows\System folder. For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605. As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation or the document Files required for Windows to function are missing or corrupted.

1. Do one of the following:

Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt. A DOS window appears.

Windows Me users: Click Start, point to Programs, point to Accessories, and click MS-DOS Prompt. A DOS window appears.

2. Type the command that applies to your operating system:

If you are using Windows 98, then type the following and press Enter:

extract /a x:\win98\precopy1.cab wsock32.dll /L c:\windows\system

If you are using Windows 95, then type the following and press Enter:

extract /a x:\win95\win95_02.cab wsock32.dll /L c:\windows\system

3. If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter.

To remove the rotating spiral:

W95.Hybris.Gen uses several different plug-ins. The most common is a large, rotating spiral. If you see this on the Windows desktop, follow the instructions in the document W95.Hybris.Plugin.

-- Anonymous, February 13, 2001
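The write-up above gives the worm's mail-side indicators (the "Snow White and the Seven dwarves" subject, a random .exe/.scr attachment, the known attachment names) and a later post adds the "Hahaha" sender. The following added example (not part of the original thread or the Symantec write-up) checks an inbound RFC 822 message against those indicators; the two sample messages and the example.invalid addresses are constructed for the demonstration.

```python
"""Flag inbound mail that matches the W95.Hybris indicators quoted in this thread."""
import email
from email import policy

# Attachment names listed in the write-up above; the sender name comes from a later post.
KNOWN_NAMES = {
    "anpo porn(.scr", "atchim.exe", "branca de neve.scr", "dunga.scr",
    "dwarf4you.exe", "enano porno.exe", "joke.exe", "midgets.scr", "sexy virgin.scr",
}
RISKY_EXT = (".exe", ".scr")   # the worm's attachment extensions per the write-up


def hybris_indicators(raw_message: str) -> list:
    """Return the Hybris indicators found in one message (empty list = nothing matched)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").lower()
    if "snow white and the seven dwar" in subject:   # matches "dwarves" and "dwarfs"
        hits.append("subject")
    if "hahaha" in str(msg["From"] or "").lower():
        hits.append("sender")
    for part in msg.walk():                          # multipart containers have no filename
        name = part.get_filename()
        if not name:
            continue
        if name.lower() in KNOWN_NAMES:
            hits.append("known attachment: " + name)
        elif name.lower().endswith(RISKY_EXT):
            hits.append("executable attachment: " + name)
    return hits


# Constructed sample: what the worm's second message looks like per the thread.
SAMPLE_WORM = (
    "From: Hahaha <hahaha@example.invalid>\nTo: gal@example.invalid\n"
    "Subject: Snow White and the Seven Dwarfs\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
    "Content-Type: text/plain\n\nhi\n--b1\n"
    'Content-Type: application/octet-stream; name="dwarf4you.exe"\n'
    'Content-Disposition: attachment; filename="dwarf4you.exe"\n\nMZ\n--b1--\n'
)
# Constructed sample: an ordinary message with a photo attached.
SAMPLE_CLEAN = (
    "From: Clarky <clarky@example.invalid>\nTo: gal@example.invalid\n"
    'Subject: Match report\nMIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b2"\n\n'
    '--b2\nContent-Type: text/plain\n\nsee pic\n--b2\nContent-Type: image/jpeg; name="toon.jpg"\n'
    'Content-Disposition: attachment; filename="toon.jpg"\n\nJFIF\n--b2--\n'
)

if __name__ == "__main__":
    print(hybris_indicators(SAMPLE_WORM))   # subject, sender, known attachment
    print(hybris_indicators(SAMPLE_CLEAN))  # []
```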


Ooooooooookay!!! Didn't understand any of that! Well not much anyway.

What I don't understand, is that if my computer was infected - which it obviously was, surely it must also have sent the virus to some of you on the BBS, after all, quite a lot of you are in my address book. The black and white spiral would have been instantly recognised from my description of it a while back. How very strange.

In the end, I think I told you, that we removed everything, saved nothing, and reinstalled Windows 98. That then allowed us to re-register with McAfee and keep the Virus Scan up to date, and to re-install our Firewall. On reading the description of the virus on McAfee, one of the effects is that it prevents you from accessing Virus Protection sites. Anyway, I am assuming that it has gone now - tell me that it can't still be hiding somewhere, say for instance in my printer? {:o!

-- Anonymous, February 13, 2001


Gal - somebody tried to infect me on my Genie address. Fortunately, when I opened the mail, I saw an e-mail from "Hahaha". I think the subject was "Snow White and the Seven Dwarfs" and had no date on it.

As I rarely use that e-mail address for anything other than convenience, it isn't known to many outside the BBS, so I was convinced it had come from a source on here, but didn't know who. Now I have a very strong suspicion! Fortunately, as it looked so odd, I binned it without opening the e-mail.

The moral of this is to be very careful when opening e-mails - especially those with attachments. As a matter of course, when I receive any attachment, I always detach it first then virus check it with Norton AV. Fortunately, we don't use any of the MS Office products here at work - we use Lotus - so I believe many of the e-mail type viruses are less likely to be passed on without the likes of Outlook address book - I hope!

I suggest you try to find a way of isolating your attachments (ooh, sounds bliddy painful!) and checking for viruses before opening them with an application or running an .EXE

-- Anonymous, February 13, 2001



Watch out Gal, it could be lurking between your bed-sheets!
Then of course there's always your 'detached attachments' to worry about - is that not an oxymoron?

-- Anonymous, February 13, 2001

Well my apologies if we were the cause of any problems! As I said, we were totally unaware of the virus until we got the whirling spiral - by which time the computer was well and truly b@ll@cksed! (To coin a phrase).

VERY, VERY careful about attachments now. Only open them if I am expecting photographs (usually dogs, not dwarfs!), and they are from a recognised source..

Spookily enough, I was just showing Yelli this thread when she came in from work, and she said that one of her associates had just received that very e-mail through on his computer - the 'ha,ha,ha' one. I've checked with the people I have e-mailed since we got the computer up and running again after its nervous breakdown, and none of them seem to have received it - phew!!! Sent them all the relevant information anyway, forewarned is forearmed, and all that.

I find it all very creepy! And yes Clarky, I shall be checking under the bed before I go to sleep! (;o)

-- Anonymous, February 13, 2001


Did you find anything under the bed Gal (that you want to tell us about, that is??).

-- Anonymous, February 13, 2001

just ONE of the many benefits of owning a Mac....

*smug grin *

; @ ))

-- Anonymous, February 13, 2001


Min - we've all heard aboot ye and your dirty Mac. Please have some respect and don't mention it again - otherwise Rik will want one ;-)

-- Anonymous, February 14, 2001

