Date: Mon, 5 Feb 2001 13:58:58 -0500 (EST)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Hybris Worm Still Spreading

----------------------------------------
VIRUS ALERT: HYBRIS WORM STILL SPREADING
----------------------------------------

No matter how often Internet users are cautioned not to open or run
unexpected e-mail file attachments, apparently many people just can't
resist temptation when something tantalizing hits the Inbox. To put it
bluntly, it is a VERY stupid thing to do! That is how most viruses and
worms are spread from computer to computer.

An example that has been causing an increasing amount of trouble is the
"Hybris Worm", also known by many other names all containing the word
"Hybris". Hybris was first detected five months ago, so by the normal
standards of virus lifespans it should have faded out by now. Instead,
it continues to spread.

Hybris affects only PCs running Windows 95 or newer versions of the
Windows operating system. It does not affect computers running
Macintosh OS, UNIX, or Windows 3.1.

Hybris arrives in an e-mail message that usually has the following
characteristics:

> From: Hahaha
> Subject: Snowhite and the Seven Dwarfs - The REAL story!
> Message text:
> Today, Snowhite was turning 18. The 7 Dwarfs always where very
> educated and polite with Snowhite. When they go out work at
> mornign, they promissed a *huge* surprise. Snowhite was anxious.
> Suddlently, the door open, and the Seven Dwarfs enter...

The message includes an executable file attachment which, when run on a
PC, infects the PC with Hybris. The file attachment may have any of a
number of different names, but they all carry the infection.

Once the PC is infected, Hybris watches the incoming and outgoing data
stream for e-mail addresses. This can occur when you are sending or
receiving e-mail, when you are Web browsing, or in any other
circumstance where the data being processed by your computer contains
an e-mail address.
When Hybris detects an address, it mails the message and attachment
described above to that address. This occurs without the knowledge of
the owner of the infected PC. Because the message is sent with a bogus
address on the "From:" line, the recipient is usually unable to
determine where it really came from.

See any of the following URLs for a more complete description of
Hybris:

  http://www.europe.f-secure.com/v-descs/hybris.shtml
  http://vil.mcafee.com/dispVirus.asp?virus_k=98873&
  http://service1.symantec.com/sarc/sarc.nsf/html/W95.Hybris.gen.html

Hybris seems to be a growing problem among BCPL.NET customers. Every
time I send out a BCPL.NET News message I get back a flood of "Snowhite
and the Seven Dwarfs..." messages, and each time the flood is bigger
than the time before. Apparently there are a bunch of you out there in
BCPL.NET land whose PCs are infected by Hybris. Every time an infected
PC receives a BCPL.NET News message from ispadmin@bcpl.net, Hybris
detects that address and sends a copy of the "Snowhite..." message to
it.

Protecting against viruses transmitted by e-mail is 99% common sense.
Be very wary of any message containing a file attachment. If you are
not expecting the attachment, or if it is from someone you don't know,
delete it. Do not open it! If your mail program has an option to open
file attachments automatically, make sure that option is turned off.

If you don't have an anti-virus program on your PC, we recommend
strongly that you install one. This is very important for any
Internet-connected computer.

If you already have anti-virus software on your PC, make sure its
"virus description database" is up to date. The virus description
database is what tells the anti-virus program what to look for when it
scans for viruses, and how to eradicate any that it finds. New PC
viruses are discovered "in the wild" almost every day, so anti-virus
software publishers periodically issue updated versions of their
databases.
Most anti-virus programs have a built-in "update" function of some
kind. Use it! Your anti-virus program cannot guard against recent
viruses if it is using an outdated virus description database! If you
don't know how to make your anti-virus program do an update, see the
manual, or go to the publisher's Web site, or contact the publisher's
Help Desk for assistance.

Chip

--
BCPL.NET INTERNET SERVICES CONTACTS:
-----------------------------------
Web Site:                          http://www.bcpl.net
Administration & Policy:           ispadmin@bcpl.net    410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net    410-887-4172
Technical Support (Help Desk):     help@bcpl.net        410-887-3297
Usenet News Newsgroup Requests:    news-admin@bcpl.net  410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net       410-887-6180
Domain Name Service Issues:        dnsadmin@bcpl.net    410-887-6180
FAX:                               410-887-2091
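
Added example, not part of the original alert: a mail-filter check that flags messages matching the characteristics the alert lists (sender name "Hahaha", the "Snowhite and the Seven Dwarfs" subject, an executable attachment). The extension list, the function names and the sample addresses are assumptions made for illustration; the alert itself gives no attachment names.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the alert: sender name and subject line.
HYBRIS_FROM_NAME = "hahaha"
HYBRIS_SUBJECT = "snowhite and the seven dwarfs"
# Assumption: the alert only says "executable file attachment"; this
# extension list is a conventional Windows set, not taken from the alert.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")


def hybris_indicators(raw_message: bytes) -> list:
    """Return which of the alert's indicators appear in one raw message."""
    # policy.default decodes RFC 2047 encoded-words in headers.
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if HYBRIS_FROM_NAME in str(msg.get("From", "")).lower():
        hits.append("from")
    if HYBRIS_SUBJECT in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTS):
            hits.append("executable-attachment")
            break
    return hits


def should_quarantine(raw_message: bytes) -> bool:
    """Hold mail with an executable attachment plus a header indicator."""
    hits = hybris_indicators(raw_message)
    return "executable-attachment" in hits and len(hits) >= 2


def build_sample(sender, subject, attachment=None) -> bytes:
    """Constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("constructed body")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

Because the worm forges the "From:" line, the check treats the header fields only as supporting evidence and requires the executable attachment before holding a message.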