Virus?

[Gjest Vær forsiktig!]

Hei

I går, 01.03.01, fikk jeg en e-mail. Det var hverken avsender, emne, eller tekst i den. Det var derimot et vedlegg. Jeg ble livredd (tenkte det kunne være et virus) og slettet den med en gang (har den i "slettede meldinger).

Jeg kjørte en virusskjekk på maskinen, men den fant ingenting.

Jeg lurer på om dette kan være et virus? Venninna mi fikk akkurat lik, og hun slettet den med en gang hun og.

Har sendt mail til brukerstøtten, men jeg har ikke fått svar ennå.

Har noen her fått det samme?

[ArneAnd]

Har fått det jeg også, og sletta det med en gang.

[ruby]

Har fått flere av samme typen, og de blir øyeblikkelig slettet - uåpnet.

[Gjest Vær forsiktig!]

Har fått det jeg også, og sletta det med en gang.

OK. Slette med en gang, no questions asked?

Tusen takk. Lurer på hva det er...

[conan]

OK. Slette med en gang, no questions asked?

Tusen takk. Lurer på hva det er...

Det er viruset "W95.Hybris.worm".

[Gjest webmaster]

Dette er virus, jeg mottar flere av disse hver eneste dag. Vil med dette benytte anledningen til å minne om følgende: En god regel er å oppdatere antivirusprogrammet jevnlig og aldri åpne mailvedlegg som man ikke aner hva er.

Vennlig hilsen

[jacob]

Som alle andre har jeg også fått et slikt forpestet vedlegg. I motsetning til dere oppegående - åpnet jeg faenskapet. Helvete!

[Gjest Vær forsiktig!]

Det er viruset "W95.Hybris.worm".

Tusen takk for informasjonen. Har nå sendt en advarsel til alle i adresseboka mi. Råder dere til å gjøre det samme, slik at vi kan minske virusfarer.

Mvh

[toci]

Som alle andre har jeg også fått et slikt forpestet vedlegg. I motsetning til dere oppegående - åpnet jeg faenskapet. Helvete!

Er det det der som bare infiserer tekstfilene?

[Gjest Vær forsiktig!]

Er det det der som bare infiserer tekstfilene?

Hei igjen. Driver og søker på W95.Hybris.worm på Yahoo, så det kommer litt info her.

W95.Hybris.gen

Discovered on: September 25, 2000

Last Updated on: December 12, 2000 2:53:52 PM PST

December 7, 2000:

Due to a recent increase in world-wide infections of this worm, SARC is increasing the threat level of this worm to 4.

W95.Hybris is a worm that spreads by email as an attachment to outgoing emails. It was discovered in late September of 2000. Although minimum reports of infection were reported in October 2000, the worm started to become common in early Nov 2000.

The message may include the text "Snow White and the Seven dwarves" and the attachment may have one of several different names, including, but not limited to:

anpo porn(.scr

atchim.exe

branca de neve.scr

dunga.scr

dwarf4you.exe

enano porno.exe

joke.exe

midgets.scr

sexy virgin.scr

Also known as: W32.Hybris.gen, W32.Hybris.22528.dr, W32/Hybris.gen@M, I-Worm.Hybris

Category: Worm

Virus definitions: September 25, 2000

Threat assessment:

Wild:

Medium Damage:

Low Distribution:

High

Wild

Number of infections: 50-999

Number of sites: More than 10

Geographical distribution: Medium

Threat containment: Moderate

Removal: Moderate

Distribution

Name of attachment: Random with EXE or SCR file name extension

Technical description:

When the worm attachment is executed, the WSOCK32.DLL file will be modified. This will give the worm the ability to attach itself to all outbound email. The email attachment will have a random name but the filename extension is either EXE or SCR).

The worm attempts to connect to the newsgroup alt.comp.virus. After it connects successfully, the worm uploads its own plug-ins in an encrypted form to this newsgroup. It goes thru the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if these plug-ins are indeed present. If a newer version of plug-ins is found, the worm downloads these modules and updates its behavior. For example, there are known modules that give the worm ability to infect compressed files like ZIP.

If WSOCK32.DLL is being used by the system, the worm will be unable to modify this file. Thus, in this situation, the worm will add a registry key to one of the following subtrees:

HKEY_LOCAL_MACHINE\Software\Microsoft\

Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\

Windows\CurrentVersion\RunOnce

It will always alternate between these two trees mentioned above as the worm spreads from one machine to another. The worm hooks on the following exports on WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an email to a person, the worm will also send out another email to the same person attaching a copy of itself using a randomly generated filename.

Removal:

Use Norton AntiVirus to repair the infected WSOCK32.DLL. Other files detected as W95.Hybris contain only the virus body and must be deleted.

[Gjest Vær forsiktig!]

Hei igjen. Driver og søker på W95.Hybris.worm på Yahoo, så det kommer litt info her.

W95.Hybris.gen

Discovered on: September 25, 2000

Last Updated on: December 12, 2000 2:53:52 PM PST

December 7, 2000:

Due to a recent increase in world-wide infections of this worm, SARC is increasing the threat level of this worm to 4.

W95.Hybris is a worm that spreads by email as an attachment to outgoing emails. It was discovered in late September of 2000. Although minimum reports of infection were reported in October 2000, the worm started to become common in early Nov 2000.

The message may include the text "Snow White and the Seven dwarves" and the attachment may have one of several different names, including, but not limited to:

anpo porn(.scr

atchim.exe

branca de neve.scr

dunga.scr

dwarf4you.exe

enano porno.exe

joke.exe

midgets.scr

sexy virgin.scr

Also known as: W32.Hybris.gen, W32.Hybris.22528.dr, W32/Hybris.gen@M, I-Worm.Hybris

Category: Worm

Virus definitions: September 25, 2000

Threat assessment:

Wild:

Medium Damage:

Low Distribution:

High

Wild

Number of infections: 50-999

Number of sites: More than 10

Geographical distribution: Medium

Threat containment: Moderate

Removal: Moderate

Distribution

Name of attachment: Random with EXE or SCR file name extension

Technical description:

When the worm attachment is executed, the WSOCK32.DLL file will be modified. This will give the worm the ability to attach itself to all outbound email. The email attachment will have a random name but the filename extension is either EXE or SCR).

The worm attempts to connect to the newsgroup alt.comp.virus. After it connects successfully, the worm uploads its own plug-ins in an encrypted form to this newsgroup. It goes thru the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if these plug-ins are indeed present. If a newer version of plug-ins is found, the worm downloads these modules and updates its behavior. For example, there are known modules that give the worm ability to infect compressed files like ZIP.

If WSOCK32.DLL is being used by the system, the worm will be unable to modify this file. Thus, in this situation, the worm will add a registry key to one of the following subtrees:

HKEY_LOCAL_MACHINE\Software\Microsoft\

Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\

Windows\CurrentVersion\RunOnce

It will always alternate between these two trees mentioned above as the worm spreads from one machine to another. The worm hooks on the following exports on WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an email to a person, the worm will also send out another email to the same person attaching a copy of itself using a randomly generated filename.

Removal:

Use Norton AntiVirus to repair the infected WSOCK32.DLL. Other files detected as W95.Hybris contain only the virus body and must be deleted.

Enda litt mer info;)

Virus (worm) Alert!

A number of users have reported receiving email from [email protected] along with an attachment. This is, in fact, the W95.Hybris worm. Do NOT open the attachment!. It is advised to exercise extreme caution when executable attachments arrive in your inbox, no matter where they come from and how 'trustworthy' a message looks. Installing an up to date virus scanner is also recommended, regardless if you are infected or not. Please visit Norton, McAfee to purchase a virus scanner for your computer. If you do already have a virus scanner installed, we recommend for you to update the virus definition files for your scanner. Please refer to your virus scanner manufacturer for details.

General Description:

W95.Hybris is a worm that spreads by email as an attachment to outgoing emails. It was discovered in late September of 2000, and it's infection level has recently been upgraded to Level 4 (very high) The message may include the text "Snow White and the Seven dwarves" and the attachment may have one of several different names, including, but not limited to:

anpo porn(.scr

atchim.exe

branca de neve.scr

dunga.scr

dwarf4you.exe

enano porno.exe

joke.exe

midgets.scr

sexy virgin.scr

The worm can also send itself with a random, 8-letter name, for example FKSJERHV.EXE.

Technical Description:

When the worm attachment is executed, the WSOCK32.DLL file will be modified. This will give the worm the ability to attach itself to all outbound email. The email attachment will have a random name but the filename extension is either EXE or SCR).

The worm attempts to connect to the newsgroup alt.comp.virus. After it connects successfully, the worm uploads its own plug-ins in an encrypted form to this newsgroup. It goes thru the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if these plug-ins are indeed present. If a newer version of plug-ins is found, the worm downloads these modules and updates its behavior. For example, there are known modules that give the worm ability to infect compressed files like ZIP.

If WSOCK32.DLL is being used by the system, the worm will be unable to modify this file. Thus, in this situation, the worm will add a registry key to one of the following subtrees:

HKEY_LOCAL_MACHINE\Software\Microsoft\

Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\

Windows\CurrentVersion\RunOnce

It will always alternate between these two trees mentioned above as the worm spreads from one machine to another. The worm hooks on the following exports on WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an email to a person, the worm will also send out another email to the same person attaching a copy of itself using a randomly generated filename.

Removal:

If you suspect you may be infected, Norton Antivirus has a free tool to detect and remove the W95.Hybris worm. You can download it here. If you have an up to date virus scanner installed on your system, you can do a full system scan.

Related sites:

SexyFun.net (W95.Hybris removal help - NOT the worm creator)

Hybris write up from Symantic

Hybris write up from Sophos

Hybris write up from F-Secure

Hybris write up from Kyperski Labs

Notes:

Virus removal is not a USOL.com supported service. Our technicians are not trained in virus removal, and will not be able to help you remove a virus over the telephone. If you suspect that you may be infected with a worm or virus, we strongly recommend that you install an up to date virus scanner and/or seek out a professional computer repair technician or repair shop for assistance.

[Anki]

Jeg har fått mange av dem i det siste. Jeg åpner de aldri, bare sletter de med en gang.

[Pulso]

Dette er virus, jeg mottar flere av disse hver eneste dag. Vil med dette benytte anledningen til å minne om følgende: En god regel er å oppdatere antivirusprogrammet jevnlig og aldri åpne mailvedlegg som man ikke aner hva er.

Vennlig hilsen

Jeg lurer litt på hvordan man lar vær å åpne en melding jeg. For når jeg høyreklikker på meldingen for å slette den, åpner den seg automatisk. Hvordan kan man da slette den uten å åpne den??

[SoriaMoria]

Jeg lurer litt på hvordan man lar vær å åpne en melding jeg. For når jeg høyreklikker på meldingen for å slette den, åpner den seg automatisk. Hvordan kan man da slette den uten å åpne den??

Du har sikkert aktivisert forhåndsvisning/ preview. Gå inn i options eller en annen passende "instillingsmeny" (husker ikke akkurat hvor det er) og deaktiver denne funksjonen. :-)

mvh

[Lenemor]

Heisann.Jeg fikk samme mail i dag,har du funnet ut noe?

Mvh