Is this a virus?
macrodx
06-20-2001, 05:30 PM
I keep on getting this same weird email on various email accounts but always from the same person:
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
polite with Snowhite. When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
Dwarfs enter...
Attachment: dwarf4you.exe (30k) -- View Attachment
has anyone tried opening this?
Don't open it, it's a virus :)
mr. mpg
06-20-2001, 05:34 PM
macrodx,
I am not sure but it looks like one to me.
Your best bet is to install a good virus program and NEVER open shit like that.
netw0rks
06-20-2001, 05:34 PM
of course it's a virus.. whenever you get an e-mail from a person you don't know with an attachment it's always a virus.. if you're on aol. send it to me blake@flashmail.com I'll figure out if it's a pws, sub7, etc. and I'll nail the guy that's sending it out :)
macrodx
06-20-2001, 05:44 PM
I have mcafee and all that shit, I scanned it and it didn't find anything.. I was not planning to open the file but what's weird is that I get it on all my email accounts, I wonder who wants to fuck up my pc.
macrodx
06-20-2001, 05:46 PM
netw0rks:
forgot to say I don't have AOL..
Palleib
06-20-2001, 05:58 PM
For some time I received the snowwhite virus 2-3 times a day a while back and I know a lot that received it also.
Beware!! it could be that horrible dialer virus we all heard of :)
andy2000
06-20-2001, 06:12 PM
sounds like a virus even if a virus program
can't find a virus it can still be a virus
the virus programs just work from a list of
known viruses best to delete this when you get it
and maybe block the sender
it is a virus
If you run the file, it emails itself to every person in your address book..
Reply to the mail. You will get an auto response with a link to a site with all the detailed info you need about the virus and how to get it off your computer if it gets infected!
- Expo
This Must be a New one. The old one was only 23k.
boneprone
06-20-2001, 08:32 PM
A very popular virus.. I get it sometimes 4 times a week.
macrodx
06-20-2001, 08:49 PM
ok, I replied to it and I got a mail error email "undeliverable"..
Originally posted by macrodx:
ok, I replied to it and I got a mail error email "undeliverable"..
Let me look in my old mail and see if I can find the URL of the site. The virus is sending itself from this site's mail server. That is why these guys set up a page to let everyone know about the virus and what it does etc...
- Expo
basschick
06-21-2001, 12:08 AM
my mom's norton antivirus recognized it as a virus weeks ago.
maybe you need to update your McAfee?
Alexy
06-21-2001, 12:29 AM
This Is A virus.
Have you been receiving spam/virus from "hahaha@sexyfun.net"?
DO NOT OPEN THE EMAILS. THEY ARE INFECTED AND HAVE A FAKE RETURN ADDRESS!!
Disclaimer:
As a volunteer effort, we have purchased this domain in hopes of stopping the virus. If you need help tracing down where the emails came from, preventing further emails from coming to you, or cleaning your system due to infections...
Hopefully, the information on this site can help you.
This page is here to give you some information up front, before you enter the 'main' site: "This Website is an attempt to prevent the spread and stop a known Internet Virus. All information presented on this website is for educational and informative purposes ONLY! By entering this website and viewing the contents herein, you fully agree to hold its owner(s), developer(s), members and affiliates harmless in every way, shape and form directly, indirectly or consequently for its contents."
This isn't a porn site, if you are looking for porn, then go somewhere else. This site is completely dedicated to helping people fight the Hybris virus. Please understand that.
Click here to proceed to the main page.
If you simply want more information on the virus, and what is going on. Here are a few antivirus write-ups from various firms.
Write Ups about the Virus
Symantec, Sophos, * F-Prot, * Kaspersky, * McAfee
* - Notable write-up
--------------------------------------------------------------------------------
If you still don't take our word for it, how about from SpamCop.net
[SpamCop-Help] How do I stop this spam
Alexy
06-21-2001, 12:33 AM
This Is A virus.
| Please read this whole email as it contains information that can
| be used to protect your computer from a Virus that is spreading
| around the internet.
|
|NOTA BENE: This message is automatically generated; PLEASE DO NOT REPLY.
| Subsequent email with the same reply-to address should not
| induce additional responses from this service.
+---------
/....
[Translate, Traduisent, Ubersetzen, Traducono, Traduzem, Traducen]
(Translations were done by kind visitors to our site)
Portuguese: www.sexyfun.net/letters/auto/portuguese.html (http://www.sexyfun.net/letters/auto/portuguese.html)
Spanish: www.sexyfun.net/letters/auto/spanish.txt (http://www.sexyfun.net/letters/auto/spanish.txt)
French: www.sexyfun.net/letters/auto/french.html (http://www.sexyfun.net/letters/auto/french.html)
Finnish: www.sexyfun.net/letters/auto/finnish.txt (http://www.sexyfun.net/letters/auto/finnish.txt)
..../
+-------------------
| Please read this e-mail in its entirety as it contains information
| that you can use to protect your computer from a Virus spreading
| around the Internet.
|
| NOTE: This message is automatically generated; PLEASE DO NOT REPLY.
| Subsequent e-mail with the same reply-to address should not
| induce additional responses from this service.
+-------------------
Hello,
You are receiving this message because an e-mail, which contained
your e-mail address as the return/reply-to address, was sent to
hahaha@sexyfun.net. Possible reasons you received this message are
as follows:
1) You sent an e-mail to hahaha@sexyfun.net to complain to or notify
this user about their SPAMMING, sending an e-mail with a virus,
sending an e-mail that has content that may not be appropriate for
minors and/or to remove yourself from a mailing list, etc.
2) Someone else sent an e-mail to hahaha@sexyfun.net and they are using
your e-mail address as their return/reply-to address. If this is the
case, we are sorry that this e-mail was sent to you. However, please
read it, as it contains information about the Virus we are trying to
stop from spreading across the Internet.
3) Your anti-virus software sent an e-mail back to hahaha@sexyfun.net to
inform them that the e-mail they sent contained a virus. Most
of the time, this e-mail is sent without your knowledge by the
anti-virus software itself.
4) Someone has subscribed the e-mail address hahaha@sexyfun.net to a mailing
list to which you are also subscribed. The program that sends this
message out tries to make sure that it is not responding to any e-mails
that it receives from a list server by checking the full e-mail headers
for list information. Some lists do not provide any keys in their full
e-mail headers that we can use to keep our program from responding.
If you think this is the case, please contact your list admin and have
them remove hahaha@sexyfun.net from their member list.
This SPAM, containing “Snowwhite” in the Subject, is a Virus called
Hybris.gen. It sends out e-mail from your e-mail program with
attachments also infected with the virus, in an attempt to infect more
computers. This virus scans incoming and outgoing mail and http traffic
for e-mail addresses to send a copy of itself to. The e-mail the virus sends
out use a fake or spoofed "FROM:" address of hahaha@sexyfun.net to hide its tracks.
We registered the domain http://www.sexyfun.net to provide you,
the Internet user, with information about this Virus, tips on how to
detect, clean and trace it, and how to protect your computer from it in
the future.
Here are some other facts that may answer questions you may already have:
1) We do NOT maintain any mailing lists on our system.
2) This user (hahaha) does NOT exist on our system.
3) The e-mail you got with the From: field of hahaha@sexyfun.net did NOT
come from sexyfun.net or the web hosting company’s network. This
e-mail address was FAKED or SPOOFED.
4) The e-mail you got is a way for the Hybris.gen Virus to spread
itself around the Internet just like the ILOVEYOU Virus that surfaced
a year ago.
5) The "Received:" line of the FULL e-mail header will tell you the IP or
Computer name of the person(s) that sent you the Virus. Most likely,
it came from someone you know who is unaware that his or her computer
is infected with the virus.
6) By visiting the domain http://www.sexyfun.net, you will find helpful
information about the Hybris.gen Virus and links to software you
can use to clean your computer if you are infected, as well as other
miscellaneous information.
7) We did NOT create the virus nor do we know the person(s) who created the
virus. We are NOT affiliated with this person or persons. The same
applies to our web hosting company.
NOTE: As long as you don't run/open/double click on the attachment
of the e-mail, this virus should not be able to infect you just by
reading the e-mail.
Here are links to well known companies of anti-virus products that
will show that what has been said above is true:
http://www.f-secure.com/v-descs/hybris.shtml
http://www.kaspersky.com/news.asp?tnews=0&nview=1&id=134&page=0
This is the link to the website we have set up to provide additional
information about the Virus:
http://www.sexyfun.net/ (this is not an adult site of any type)
If you have any questions about this, our contact information is located on
our web site (http://www.sexyfun.net/)
Thank you for your time.
-----
NOTE: Any replies sent to this e-mail are not viewed by us. Please use
the contact information located on our web site. Thank you.
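Item 5 of the auto-reply above, as an added example that is not part of the original post or of the sexyfun.net service: walking the "Received:" chain to find which host actually handed the message to your mail system, since the From: address is forged. The message, hostnames and IP addresses are constructed placeholders, and the set of trusted relay names is an assumption you would replace with your own mail servers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (documentation hostnames/IPs, not from the thread).
# The bottom Received line stands for a header the sender could have forged.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mailstore.example.org with ESMTP id CONSTRUCTED2;
\tWed, 20 Jun 2001 17:29:58 -0400
Received: from friendpc (dialup-17.isp.example [198.51.100.17])
\tby mx1.example.org with SMTP id CONSTRUCTED1;
\tWed, 20 Jun 2001 17:29:55 -0400
Received: from mail.forged.example ([203.0.113.5])
\tby relay.forged.example with SMTP id FORGED0;
\tWed, 20 Jun 2001 17:29:50 -0400
From: Hahaha <hahaha@sexyfun.net>
To: victim@example.org
Subject: Snowhite and the Seven Dwarfs - The REAL story!

(body omitted)
"""

# Assumption: the relays you operate and therefore trust to write honest headers.
TRUSTED_RELAYS = {"mailstore.example.org", "mx1.example.org"}

# "from <helo> (<reverse-dns> [<ip>]) by <host>"; the reverse-DNS name is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def trace_origin(raw_message, trusted_relays):
    """Return the connecting host recorded by the outermost trusted relay.

    Received headers are prepended, so the newest hop is first. Only hops
    written by relays we trust are believed; the first header written by
    anything else ends the walk, because everything below it may be forged.
    """
    msg = message_from_string(raw_message)
    trusted = {name.lower() for name in trusted_relays}
    origin = None
    for header in msg.get_all("Received", []):
        hop = HOP_RE.search(header)
        if hop is None or hop.group("by").lower() not in trusted:
            break
        origin = hop
    if origin is None:
        return None

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = (origin.group("rdns") or "").lower()
    consistent = bool(from_domain) and (
        rdns == from_domain or rdns.endswith("." + from_domain)
    )
    return {
        "ip": origin.group("ip"),
        "helo": origin.group("helo"),
        "rdns": rdns or None,
        "from_domain": from_domain,
        # False means the From: domain does not match the host that sent it.
        "from_consistent": consistent,
    }


if __name__ == "__main__":
    print(trace_origin(SAMPLE, TRUSTED_RELAYS))
```
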
Alexy
06-21-2001, 12:39 AM
[SpamCop-Help] How do I stop this spam
michael lefevre spamcop-help
Fri, 15 Dec 2000 17:28:57 -0000
--------------------------------------------------------------------------------
Craig,
the hahaha does not exist and is not the source of the
emails...
this is not spam, it is the virus itself which is sending you copies of
itself... when a computer is infected with the virus, the virus harvests
email addresses sent and received over the computer's internet
connection, and then emails itself out to those addresses...
whoever sent you these emails is infected with the virus, and is almost
certainly unaware that they are sending them out...
if you can identify the source of these emails, you could warn them that
they are infected, but it is probably best just to ignore them -
obviously you are protected from infection by your virus scanner...
michael
spamcop user
[posted and emailed]
<craig> wrote in message
news:mailman.976900686.23271.spamcop-help
To SpamCop:
The Below message is from Our mail server catching Viruses, This Company
at hahaha is sending our customers spam with Viruses.
Thank You,
Craig Timmermans
The attachments that came with the following mail had
Viruses in it.
Status from AntiVirus Engine:
Since the virus could not be removed,
the virus-infected attachments have been
quarantined (stored as .ATT files in the
quarantine directory).
================================================== ========
The Mail came from : hahaha
The Mail recipient : spclark
Subject of the Mail : Snowhite and the Seven Dwarfs - The REAL story!
The Mail had following attachments:
Attachment: joke.exe had I-Worm.Hybris.b Virus, the file was Deleted.
================================================== ========
macrodx
06-21-2001, 12:57 AM
I guess it's all clear now, is virus..
according to the f-secure site
"The worm works under Win32 systems only",
It means it wouldn't affect WinME? or XP?
or is Win32 a component of the standard operating system?
Exxxotica
06-21-2001, 03:10 AM
Don't worry about it. A computer virus is like a human virus. If you become infected, it will only make you stronger.
It would be best to just open the virus and let it into your computer. It's the healthy thing to do.
Anyways...aren't you guys curious in the least about the 7 dwarves?
macrodx
06-21-2001, 05:20 AM
I guess it could be a nice experience, I never opened an infected file before
:)
blind
06-21-2001, 08:57 AM
Hahaha
I got that email like 6 months ago...
marko
06-21-2001, 09:07 AM
I get this mail every second day...but never tried to open it!!!
macrodx
06-21-2001, 11:10 AM
hey I just got it again in 2 different email accounts =)
Bill-
06-21-2001, 12:02 PM
I personally wouldn't open a .exe from anyone unknown and in some occurrences even from friends without confirming they actually sent it. It's not worth the risk getting infected especially since all us webmasters store sensitive information on our computers. Website FTP/Telnet Password, Server Passwords, E-mails, Confidential Documents etc. No one is really ever 100% safe on the Internet but something I would do is install the following -:
1. ZoneAlarm - I personally love this program and bought the Pro version it's great but there is a FREE version, which is also good.
2. I'm using Pc-Cillin it's a great program every so often it automatically asks me if I want to download the latest virus information and automatically install it. But there are plenty of great virus scanners out there. Best if one has a real-time scan and self-updating feature.
Hope this has helped.
P.s try download.com for finding some of these programs.
shunga
06-21-2001, 01:22 PM
And be aware some emails have applets in the sig that will infect your machine. If you're asked whether you want to allow an applet to run, in those famous words "just say no". ;)
macrodx
06-21-2001, 01:47 PM
Hey I had something similar happen to me in the past but with ActiveX while using outlook express.. I chose "NO" of course =)
TwinTone
06-21-2001, 06:45 PM
Virus Characteristics:
This worm will be received in an email message which may contain the following information:
From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe
When first executed, this worm tries to infect the WSOCK32.DLL file in the WINDOWS\SYSTEM directory. First it tries to infect the WSOCK32.DLL file directly. If it fails because the file is already in use, then it creates an infected copy of the WSOCK32.DLL in a new file. This new file goes by an extensionless filename made up of 8 random characters. A line is then created in the WININIT.INI file to rename this newly created file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change takes place the next time the system is booted. A registry value under Software\Microsoft\Windows\CurrentVersion\RunOnce\ (default) is also created to run the worm at the next bootup, in case the previous attempts to infect WSOCK32.DLL fail.
The modified WSOCK32.DLL file watches all Internet activity and attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to any valid e-mail address sent over the Internet connection, whether part of an e-mail message, web page, or newsgroup posting. AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the infected user.
This Internet worm originally downloaded encrypted update components from an Internet web site, similar to the method first used by W95/Babylonia, but the site hosting the virus was taken down. The original plugins were:
HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT
Currently this virus downloads plugins from alt.comp.virus. The virus contains an internal list of several news servers it can access. It searches the newsgroup for any plugins that it doesn't have, or has older versions of. Since the worm searches all Internet activity for e-mail addresses, people who post to alt.comp.virus using their real e-mail address may get many copies of the worm when Hybris searches alt.comp.virus for new plugins.
When a full moon occurs according to the computer's internal clock, the virus will randomly post its plugins to the alt.comp.virus newsgroup. It uses a mail-to-news gateway at anon.lcs.mit.edu to send plugins with a fake return address of root@microsoft.com.
This Internet worm contains the text:
HYBRIS
(c) Vecna
--------------------------------------------------------------------------------
Indications Of Infection:
Mail recipients claiming they received an attachment from you when one was never sent. Depending on plugins installed, spiral graphic on the screen, inability to access antivirus sites.
Method Of Infection:
The format of the newsgroup-posted message is as follows:
anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: 20001113080521.28781.qmail@nym.alias.net
From: [USE-AUTHOR-ADDRESS-HEADER@[127.1]]
Author-Address: anonymous [AT]anon [DOT]lcs [DOT]mit [DOT] edu
Subject: http [code containing upper- and lower-case letters]
Mail-To-News-Contact: postmaster@nym.alias.net
Organization: mail2news@nym.alias.net
Newsgroups: alt.comp.virus
Lines: 46
KUWJGJWCVICGIWIWCZIWHCFXCHB [continues]....
[more coded lines]
[terminated by four asterisks]
****
The plugins are saved to the WINDOWS\SYSTEM directory with a random name consisting of eight random letters and an extension consisting of three random letters. The plugins are signed using public-key cryptography. That means that all the copies of the worm carry a public key which will only accept plugins digitally signed by the private key. Only the virus author has the private key so only plugins that he approves will be accepted by the virus. Some of the current plugins are:
@@@@ or SPIRALE - This creates a file which displays a graphic of a "spiral" that cannot be closed or stopped. The file has a name consisting of eight random letters, and is loaded using the run= line of the [windows] section of win.ini. This spiral graphic is launched by this Internet worm on September 24th, or when the number of minutes are equal to 59 in the year 2001.
I_RZ - Adds a copy of the worm to ZIP and RAR archives containing EXE files. The original EXE file is renamed to an EX$ extension, and a copy of the virus takes the place of the original EXE file.
AVIP or AVINET.DAT - Blocks the infected computer from visiting certain antivirus websites by IP address, similar to the W95/MTX virus.
SUB7 - Searches for computers infected with the BackDoor-G trojan, and copies and executes itself on infected machines.
ENCR or POLY - Encrypts the virus with a polymorphic routine. Note that in spite of the polymorphic routine, VirusScan detects all of the permutations of the virus when using updated engine and DAT files.
TEXT or PR0N - This creates the message that the virus is sent with, depending on the language installed on the infected system:
English:
From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs
always where very educated and polite with Snowhite.
When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the
door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr
or dwarf4you.exe
French:
From: Hahaha [hahaha@sexyfun.net]
Subject: Les 7 coquir nains *or* Blanche neige et ...les
sexe nains
Body: C'etait un jour avant son dix huitieme
anniversaire. Les 7 nains, qui avaient aidé 'blanche
neige' toutes ces années après qu'elle se soit enfuit de
chez sa belle mère, lui avaient promis une *grosse*
surprise. A 5 heures comme toujours, ils sont rentrés du
travail. Mais cette fois ils avaient un air coquin...
Attachment: blancheneige.exe or sexynain.scr or
blanche.scr or nains.exe
Spanish:
From: Hahaha [hahaha@sexyfun.net]
Subject: Enanito si, pero con que pedazo!
Body: Faltaba apenas un dia para su aniversario de de 18
años. Blanca de Nieve fuera siempre muy bien cuidada por
los enanitos. Ellos le prometieron una *grande* sorpresa
para su fiesta de compleaños. Al entardecer, llegaron.
Tenian un brillo incomun en los ojos...
Attachment: enano.exe or enano porno.exe or blanca de
nieve.scr or enanito fisgon.exe
Portuguese:
From: Hahaha [hahaha@sexyfun.net]
Subject: Branca de Neve pornô!
Body: Faltava apenas um dia para o seu aniversario de
18 anos. Branca de Neve estava muito feliz e ansiosa,
porque os 7 anões prometeram uma *grande* surpresa.
As cinco horas, os anõezinhos voltaram do trabalho.
Mas algo nao estava bem... Os sete anõezinhos tinham
um estranho brilho no olhar...
Attachment: branca de neve.scr or atchim.exe or
dunga.scr or anão pornô.scr
A later version of the plugin creates e-mails by choosing random words from "Anna" "Raquel Darian" "Xena" "Xuxa" "Suzete" "famous" "celebrity rape" "leather" and "sex" "sexy" "hot" "hottest" "cum" "cumshot" "horny" "anal" "gay" "oral", etc.
Note that the infected e-mails do not actually come from the sexyfun.net domain, they are sent unknowingly with a fake return address by infected users.
If Hybris does not have a plugin capable of generating message text, it will send a message with no subject or sender and a copy of itself with a name consisting of eight random letters.
DOSEXE.DAT or EXEI- Infects DOS EXE files to contain a virus dropper. These files can be repaired by VirusScan as W32/Hybris.exe.
I_PE - Infects PE files without increasing their size. It also adds data so that some checksumming algorithms will generate the same checksum before and after infection. These files cannot be repaired.
HTTP - This downloaded plugins from a website before it was shut down.
NEWS - This plugin posts plugins and downloads new ones from alt.comp.virus as described above.
Because plugins can change the virus behaviour so quickly, infected users are urged to use the latest engine and DAT files, and to set their antivirus software to scan all files. VirusScan will repair the infected wsock32.dll as W32/Hybris.gen.dll@M, but we recommend users restore it from the original disks to be certain.
Removal Instructions:
Use specified engine and DAT files for detection and removal.
Windows 95/98 systems require rebooting to MS-DOS mode and scanning with the command line scanner SCANPM in order to clean such files as EXPLORER.EXE and TASKMON.EXE. Use the command line scanner such as
"SCANPM.EXE C: /CLEAN /ALL"
The WSOCK32.DLL file can be restored from backup. This can be done by:
Windows ME:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.
Use SFC to recover WSOCK32.DLL using instructions below for Windows 98/2000.
Windows 98/2000
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts
Wsock32.dll file exists within the Precopy1.cab cabinet file on the Windows 98 CD-ROM.
Windows95
WSOCK32.DLL can be found in the following CAB files:
Win95_11.cab on the Windows 95 CD-ROM
Win95_18.cab on the Windows 95 OSR2 CD-ROM
Win95_12.cab on the Windows 95 DMF disks
Win95_19.cab on the Windows 95 non-DMF disks
Below is an example for standard Windows 95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM Where D: is your CD-ROM drive
WindowsNT 4.0
Rename the Wsock32.dll file in the Windows\System32 folder to Wsock32.old.
For information about how to rename a file, click Start, click Help, click the Index tab, type renaming, and then double-click the ''Renaming files'' topic.
Click Start, point to Programs, and then click Command Prompt.
Type cd\, and then press ENTER.
Insert the Windows NT CD-ROM into the CD-ROM drive, and then close the Windows NT screen if it appears.
Type the following line at the command prompt, and then press ENTER.
expand <drive>:\i386\wsock32.dl_ c:\<windows>\system32\wsock32.dll
where <drive> is the drive letter assigned to your CD-ROM drive,
and where <windows> is the name of the folder in which
Windows NT is installed.
Type exit, and then press ENTER to return to windows.
Virus Information:
Discovery Date: 10/16/00
Origin: South America
Length: 25,088 bytes
Type: Virus
SubType: Internet Worm
Risk Assessment: Medium
Aliases
dwarf4you.exe, Hybris, I-Worm.Hybris , I-Worm.Hybris.b, Snowhite and the Seven Dwarfs, TROJ_HYBRIS.A, W32/Hybris.gen.dll@M, W32/Hybris.plugin@M, W95.Hybris.Gen.dr, W95/Hybris.worm, Win98.Vecna.23040
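The two text-file persistence points named in the write-up above (the WININIT.INI line that replaces WSOCK32.DLL at next boot, and the run= line in the [windows] section of win.ini), checked in an added example that is not part of the original post or of any vendor tool. The file contents and random file names are constructed samples; the scanner takes the files' text as input and treats an eight-character name only as a reason to look closer, since legitimate programs can have eight-character names too.

```python
import re

# Constructed sample of a WININIT.INI with a pending replacement of WSOCK32.DLL.
# Duplicate keys such as NUL= are normal in [rename], so a strict INI parser fails.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP.TMP
NUL=C:\WINDOWS\TEMP\OLD.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\QWXJKPLM
"""

# Constructed sample of win.ini with a run= entry (file name is a placeholder).
SAMPLE_WININI = r"""
[windows]
load=
run=C:\WINDOWS\SYSTEM\HGTRWQPZ.EXE
"""

# The write-up describes names made of eight random characters.
EIGHT_CHARS = re.compile(r"^[A-Za-z0-9]{8}$")


def ini_entries(text):
    """Yield (section, key, value) for every key=value line, duplicates included."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()


def leaf(path):
    """Last component of a DOS or forward-slash path."""
    return re.split(r"[\\/]", path)[-1]


def scan(wininit_text, winini_text):
    """Return (file, entry, note) tuples for the indicators in the write-up."""
    findings = []
    # WININIT.INI [rename]: destination=source, applied at the next boot.
    for section, dest, src in ini_entries(wininit_text):
        if section == "rename" and leaf(dest).upper() == "WSOCK32.DLL":
            if EIGHT_CHARS.match(leaf(src)):
                note = "WSOCK32.DLL replaced by extensionless 8-character file"
            else:
                note = "pending WSOCK32.DLL replacement, verify the source"
            findings.append(("wininit.ini", src, note))
    # win.ini [windows] run=: programs started at logon, separated by spaces/commas.
    for section, key, value in ini_entries(winini_text):
        if section == "windows" and key.lower() == "run":
            for prog in filter(None, re.split(r"[\s,]+", value)):
                stem = leaf(prog).rsplit(".", 1)[0]
                if EIGHT_CHARS.match(stem):
                    findings.append(("win.ini", prog, "8-character name, review"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_WININIT, SAMPLE_WININI):
        print(finding)
```
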
breest
06-21-2001, 11:43 PM
I have bad gas.
The Chosen
06-22-2001, 01:08 AM
I used to get that shit 2-3 times a day! in the last few weeks it stopped somehow to come