The message text (notice the "English") always read: "Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter..." Below is the information from the e-mail headers, in case you want to chase Mr. "Hahaha"!
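The header table above was built by walking each message's Received: chain back to the first relay. The script below does that walk on a constructed sample message; it is example code added here, not part of the original page, and the hostnames, addresses and ids in the sample are made up.

```python
"""Walk the Received: chain of a raw e-mail to find the originating host.
Example added for this page, not the page's own code; the sample is constructed."""
import email
import re

# Constructed sample: two hops, oldest Received: line at the bottom (hypothetical hosts).
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (8.11.6/8.11.6) with ESMTP id ABC67890
\tfor <victim@example.org>; Fri, 21 Sep 2001 03:31:35 +0200
Received: from oemcomputer (dialup-42.example.net [198.51.100.42])
\tby mail.example.net (8.11.6) with SMTP id ABC12345;
\tFri, 21 Sep 2001 03:31:11 +0200
Message-ID: <200109210331.ABC12345@mail.example.net>
From: Hahaha <hahaha@example.net>

Today, Snowhite was turning 18...
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the client announced in HELO
    r"(?:\s+\((?P<rdns>[^)]*)\))?"   # receiving MTA's own view: rDNS [IP]
    r".*?\bby\s+(?P<relay>\S+)"      # the MTA that wrote this line
    r".*?;\s*(?P<date>.+)$")         # timestamp after the ';'
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw):
    """Return hops oldest-first: [{'helo','rdns','ip','relay','date'}, ...]."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom line = first hop
        line = " ".join(value.split())                     # unfold the header
        m = HOP_RE.search(line)
        if not m:
            continue
        hop = m.groupdict()
        ip = IP_RE.search(hop["rdns"] or "")
        hop["ip"] = ip.group(1) if ip else None
        hops.append(hop)
    return hops


def origin(raw):
    """IP the first relay recorded for the sender.  Only lines written by
    relays you trust are reliable; a sender can prepend fake ones below them."""
    hops = received_chain(raw)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for h in received_chain(SAMPLE):
        print(f"{h['date']:32} {h['relay']:18} <- {h['helo']} [{h['ip']}]")
    print("origin:", origin(SAMPLE))
```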
W32/Hybris-B is a worm capable of updating its functionality over the Internet. It consists of a base part and a collection of upgradeable components. The components are stored within the worm body, encrypted with 128-bit strong cryptography. When run, the worm infects WSOCK32.DLL. Whenever an e-mail is sent (though only when using Microsoft Outlook Express), the worm attempts to send a copy of itself as an attachment to a separate message to the same recipient. Any other behaviour exhibited by the worm is entirely dependent on the set of installed components. The effects of the components known to Sophos at the time of writing are described below.

The text of the e-mail message is determined by one of the installed components, and hence can be changed by the upgrading mechanism detailed below. Consequently the message can have any subject, any message text and any filename for the attached file. A common component of the worm checks the language settings of the computer it has infected, and selects a message accordingly from:

Message text: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

The methods for upgrading the worm can also be changed, as they are themselves upgradeable components. At the time of writing, two have been seen. One upgrading technique attempts to download the encrypted components from a website which is presumably operated by the worm author. This website has since been disabled; however, this component could be upgraded to use a different web address. The other method involves posting its current plug-ins to the Usenet newsgroup alt.comp.virus and upgrading them from posts made by other infections of the worm. These are again in encrypted form, and carry a header with a four-character identifier and a four-character version number so that the worm knows which plug-ins to install.

Another component of the worm searches the PC for .ZIP and .RAR archive files. When it finds one, it searches inside it for a .EXE file, which it renames to .EX$, and then adds a copy of itself to the archive under the original filename.

There is a payload component which, on the 24th of September of any year, or at 59 minutes past the hour on any day in 2001, displays a large animated spiral in the middle of the screen which is difficult to close. This payload also runs on system startup.

Recovery

2. Windows 95/98/Me
a) On Windows 95/98
b) On Windows Me
At the DOS prompt type
Say 'Yes' when prompted to delete a file (provided it is a W32/Hybris-B file). Make a note of its name. Reboot to Windows. In the win.ini file, which can be found in the Windows directory, there will be a run= line that points to the file that you deleted above. Delete the file name from that line.

Good luck!
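The archive-infection component described above leaves a recognisable trace: an .EX$ file next to a newly added .EXE of the same name, and every such .EXE being the same worm body. The script below checks ZIP archives for that trace (the standard library has no RAR reader, so .RAR is not covered); it is example code added here, not Sophos's or the page's own, and the sample archives are constructed in memory.

```python
"""Flag ZIP archives showing the .EXE -> .EX$ rename-and-replace pattern.
Example added for this page, not the page's own code; samples are constructed."""
import io
import zipfile


def build_zip(entries):
    """Constructed helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def suspicious_pairs(data):
    """Return [(renamed_original, replacement_exe, replacement_size), ...]
    for a ZIP given as bytes.  Matching is case-insensitive, as DOS names are."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        by_lower = {info.filename.lower(): info for info in zf.infolist()}
    hits = []
    for lname, info in by_lower.items():
        if not lname.endswith(".ex$"):
            continue
        twin = by_lower.get(lname[:-4] + ".exe")   # worm copy under the old name
        if twin is not None:
            hits.append((info.filename, twin.filename, twin.file_size))
    return sorted(hits)


def looks_hybris_infected(data):
    """True when at least one pair exists and every replacement .EXE has the
    same size: one worm body re-added under each original filename."""
    hits = suspicious_pairs(data)
    return bool(hits) and len({size for _, _, size in hits}) == 1


# Constructed samples: a clean archive and one tampered the way described.
CLEAN = build_zip({"README.TXT": b"docs", "SETUP.EXE": b"MZ original setup"})
TAMPERED = build_zip({
    "README.TXT": b"docs",
    "SETUP.EX$": b"MZ original setup",        # the real program, renamed
    "setup.exe": b"MZ worm body" * 4,         # 48-byte stand-in for the worm
    "TOOL.EX$": b"MZ original tool",
    "tool.exe": b"MZ worm body" * 4,
})

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, suspicious_pairs(data), looks_hybris_infected(data))
```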
Toke.Norby@Norbyhus.dk