The eBay Outlook: Snow White, Haha virus, running rampant


 magazine_guy
 
posted on February 24, 2001 08:04:53 PM
I'm getting this via email about 3 or 4 times daily now. And I know that very likely, these are coming from bidders or potential bidders on my auctions.

This thing has apparently overrun the online auction community. And the folks who are sending it don't know they've got it, and there is generally no easy way for recipients to let the real sender know that they've got the virus (the return email address is spoofed).

I hope everyone sets their virus software to run in the background, checking all incoming files. Update the virus definitions every week or so. And don't open attachments from untrusted sources.

Judging by the frequency I'm getting this, and the difficulty in letting the sender know he's got it, I'm guessing this will get worse before it gets better.

Also, if you're not getting responses from several of the folks you've contacted, maybe you've got it!

Anybody got any other ideas?

Anyon
 
 rarriffle
 
posted on February 24, 2001 08:10:42 PM
Do you have to open attachments to get this virus? How do I know I have it? I have McAfee Virus scanner that I am not even sure works.

 
 magazine_guy
 
posted on February 24, 2001 08:24:10 PM
Yeah- on this one you only get it if you open the attachment. It's a worm, apparently, not a virus (small consolation to folks who have it, I guess). Non-destructive payload, but can be modified to carry a destructive payload.

Here's the info from Trend:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HYBRIS.C


 
 mybiddness
 
posted on February 24, 2001 09:02:18 PM
I get this one at least three or four times a week. There's another new one out that keeps re-sending itself and I've gotten it several times. I can't remember the heading but the attachment that has the virus just says, "Check this Out." Thankfully, I didn't.



Not paranoid anywhere else but here!
 
 bhearsch
 
posted on February 24, 2001 11:13:27 PM
There's a fairly simple way to stop receiving this virus when it comes into your mail box. If you are using Outlook Express 5 or higher you can highlight the email (without opening it) and then click on the MESSAGE tab at the top of your toolbar and choose BLOCK SENDER. You will be asked if you want to delete all messages from this sender and you should choose YES.

The other way to do it is to make up a rule to block the sender by selecting TOOLS, MESSAGE RULES, MAIL and click NEW. Then for #1 put a check mark next to WHERE THE FROM LINE CONTAINS PEOPLE and for #2 put a check mark next to DELETE. Finally, for #3 enter the following text below the "Apply this rule after the message arrives"
WHERE THE FROM LINE CONTAINS '[email protected]'
DELETE IT FROM SERVER
I'm using caps in order to highlight the important text elements but you can use lower case letters.

You can name #4 VIRUS

BTW, this works for OE5.5 but the process of setting up mail rules in an earlier version of OE might be different.

I have read a number of sources that say this method of blocking the Snow White virus works but I've never received the virus so I can't say for certain.

The '[email protected]' address is always in the FROM line of the email even though we know it didn't originate from there so I think a message rule that blocks the FROM address should work. Here is a good source for viewing the headers in most email clients if you want to find out who actually sent you the email:
http://www.sexyfun.net/headers.html

This URL has an excellent tutorial on how to read the email headers:
http://www.sexyfun.net/headers.html

Blanche
[ edited by bhearsch on Feb 24, 2001 11:16 PM ]
 
 shaani
 
posted on February 24, 2001 11:43:52 PM
Hello Blanche

Thanks for the helpful information. We have 3 computers but this virus is only coming into one. Norton 2001 warns me each time though.

I thought I had set up the OE5.5 to block it but it doesn't seem to be working so I will do it again following your directions and see if I have made an error.

I do know that the virus comes in with the spelling "Snowhite" instead of "Snow White". I will check out the link that you have given. Thanks again.

 
 lswanson
 
posted on February 25, 2001 08:36:40 AM
BHearsch, your recommendation for blocking the e-mail is a good one, but most of the viruses you'll ever encounter have been unknowingly passed on by your friends and business associates. Sad but true.

The only solution is to run virus protection software in the background, and DON'T open any attachments (especially .exe and multimedia files) without doing virus checks on them first, even if they're from friendly folk.


[ edited by lswanson on Feb 25, 2001 08:41 AM because I have at least 3 thumbs on each hand this morning ]
[ edited by lswanson on Feb 25, 2001 08:43 AM ]
 
 bhearsch
 
posted on February 25, 2001 10:20:27 AM
Hello lswanson. Yes, the best thing you can do is to be sure your anti-virus software is set to scan your emails AND that it's constantly updated. However, that alone doesn't always ensure your protection against this particular worm due to its changing appearance.

QUOTED from http://www.planetit.com/techcenters/docs/security-hostile_content/news/PIT20010109S0021 The bolding is mine.

"The true originality of Hybris -- and possibly its true danger -- lies in its plug-in architecture. Using a new model never before encountered, the worm can connect to either the alt.comp.virus Usenet newsgroup or to a series of Web sites, and transparently download its own updates similar to Trojan horse programs. One effect of this self-upgrading model is that the worm's signature -- the appearance it presents to anti-virus programs -- can be altered in unpredictable ways, defeating anti-virus products that may only be able to detect its previously known signatures. And not only is Hybris' payload self-upgrading, but its own binary core components are, too, leaving no single element of the worm persistently traceable."
END QUOTE

I've read from a number of different newsgroups, etc. that using an email blocker can and does work. This may not be 100 percent effective but I think it'll help to weed out a lot of these Snowhite emails. Of course, you still need to have good anti-virus protection running as well.

shaani, thanks for the heads-up on the spelling of snowhite. I wanted to also mention that I use another blocking rule for the BODY of the email as well as the FROM line. For #1 I put a check next to WHERE THE MESSAGE BODY CONTAINS SPECIFIC WORDS and for #3 I enter the following text:
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter*

There are some forms of the Snowhite virus that DON'T include [email protected] in the FROM line - they don't have ANYTHING in the FROM line so I use the BODY blocking rule as well. BTW, here is a link to a site that shows a graphic of the message rules template and does a better job than I did of explaining the mail blocking procedure.
http://www.sexyfun.net/oe55/oe550.html
Please let us know if this method works for you.

This Hybris worm AKA Snowhite is believed to have originated from some nasty folks in Brazil. The following site has the BEST information I've found about this worm and I've included a few significant paragraphs from the article below. The bolding is mine:

QUOTE
" In its original version, Hybris distributed itself as an e-mail attachment; however, recent reports indicate that it can also distribute itself using ICQ, an instant messaging platform used by over 30 million people. The worm infects the Windows Internet sockets library file WSOCK32.DLL, enabling it to control users' Internet connections and intercept e-mail addresses of incoming messages using a method similar to that employed by the MTX virus. Once it has obtained an address, Hybris automatically sends itself to the next computer.
Surprisingly, Hybris can also modify the WSOCK32.DLL even if it has been write-protected. In such a case, Hybris makes a copy of WSOCK32.DLL, infects that copy, and then writes the name of the infected copy in the WIN.INI initialization file. The next time Windows is rebooted, the system recognizes the infected library rather than WSOCK32.DLL. The virus ensures its persistence by making a copy of itself with a random name, then writing an entry pointing to this copy in the Windows System Registry -- specifically in the Run_Once Registry key. This way, Hybris can recopy itself even if its original copy is erased.

Another Hybris component actually uploads infected files from users' hard drives to the alt.comp.virus newsgroup. This same component also grabs e-mail addresses from the headers of messages posted to newsgroups to which the user subscribes, and sends copies of itself to those e-mail addresses as attachments. Over the past few weeks, this seems to have increasingly become the way by which the virus is propagating."
END QUOTE
http://www.planetit.com/techcenters/docs/security-hostile_content/news/PIT20010109S0021

Sorry for the length of this post.

Blanche




[ edited by bhearsch on Feb 25, 2001 10:25 AM ]
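The two Outlook Express rules Blanche describes (FROM line contains the spoofed address; message body contains the lure text) and her advice to read the Received headers to see where a message really came from can be expressed as a small mail filter. The code below is an added example written for this thread, not anything posted by its participants or shipped with Outlook Express. The From address quoted in the thread is redacted on this page, so SPOOFED_FROM is a placeholder; the three mail messages are constructed samples, and the rule order (From, then body, then .exe attachment) is an assumption that mirrors how an OE rule list fires on the first match.

```python
import re
from email import message_from_string
from email.message import Message

# Placeholder: the From address quoted in the thread is redacted on this page.
SPOOFED_FROM = "[email protected]"
# Opening words of the lure body quoted in the thread (typos preserved as sent).
BODY_MARKER = "Today, Snowhite was turning 18"

# Constructed sample 1: spoofed From line, lure text, .exe attachment, two Received hops.
SAMPLE_SPOOFED = """Received: from relay.example.invalid (relay.example.invalid [192.0.2.10]) by mx.example.invalid; Sat, 24 Feb 2001 20:01:00 -0500
Received: from dialup-pc (dialup.example.invalid [198.51.100.23]) by relay.example.invalid; Sat, 24 Feb 2001 20:00:00 -0500
From: [email protected]
To: seller@example.invalid
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite.
--XYZ
Content-Type: application/octet-stream; name="joke.exe"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed sample 2: the variant with an empty From line; only the body rule catches it.
SAMPLE_NO_FROM = """From:
To: seller@example.invalid
Subject: Snowhite

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite.
"""

# Constructed sample 3: the "Check this Out" style message, no lure text, .exe attached.
SAMPLE_EXE = """From: friend@example.invalid
To: seller@example.invalid
Subject: Check this Out
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Check this out!
--B
Content-Type: application/octet-stream; name="checkthisout.exe"

AAAA
--B--
"""

# Constructed sample 4: an ordinary bidder question.
SAMPLE_CLEAN = """From: bidder@example.invalid
To: seller@example.invalid
Subject: Question about item 123

Does the magazine ship to Canada?
"""


def text_body(msg: Message) -> str:
    """Concatenate the decoded text/plain parts; this is what a body rule is matched against."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(chunks)


def from_rule(msg: Message) -> bool:
    """WHERE THE FROM LINE CONTAINS the spoofed address (case-insensitive, as OE allows lower case)."""
    return SPOOFED_FROM.lower() in (msg.get("From") or "").lower()


def body_rule(msg: Message) -> bool:
    """WHERE THE MESSAGE BODY CONTAINS SPECIFIC WORDS (the lure text)."""
    return BODY_MARKER.lower() in text_body(msg).lower()


def executable_attachments(msg: Message) -> list:
    """Filenames of attached .exe files, the attachment type the thread warns against opening."""
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and part.get_filename().lower().endswith(".exe")]


def classify(raw: str) -> str:
    """Apply the rules in order; the first match decides, like an OE rule list."""
    msg = message_from_string(raw)
    if from_rule(msg):
        return "delete: from-rule"
    if body_rule(msg):
        return "delete: body-rule"
    if executable_attachments(msg):
        return "quarantine: exe-attachment"
    return "keep"


def received_chain(raw: str) -> list:
    """(claimed host, IP) per Received header, earliest hop first.
    The From line is forged, so only this chain shows where the mail entered the system;
    the hops written by your own provider are the ones you can trust."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        m = re.match(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", value, re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


if __name__ == "__main__":
    for name, raw in [("spoofed", SAMPLE_SPOOFED), ("no-from", SAMPLE_NO_FROM),
                      ("exe", SAMPLE_EXE), ("clean", SAMPLE_CLEAN)]:
        print(name, "->", classify(raw))
    print("origin hops:", received_chain(SAMPLE_SPOOFED))
```

The body rule is what catches the variant Blanche mentions with nothing in the FROM line, and the .exe check covers lswanson's point that most copies arrive from people you know, so a sender rule alone is not enough. The lowest Received header is the one nearest the real origin, but it can be forged by the sender just like From; the headers added by your own mail provider are the reliable ones.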
 
 shaani
 
posted on February 25, 2001 10:45:04 AM
Thanks for the new info.

I redid the message rules in Outlook Express last night in case I had done it wrong. I haven't received the virus in a couple of days now so I am hoping it is gone.

I e-mail some family and friends regularly and they have never received the Snowhite e-mail.

 
 Muriel
 
posted on February 25, 2001 12:51:36 PM
Hi gang. It appeared in my mailbox this afternoon. Thank goodness you guys had posted this thread or else I wouldn't have known!! Could we be getting it from the Auction Watch chat board notification e-mails???
The many faces of Muriel
 
 Muriel
 
posted on February 25, 2001 02:23:14 PM
Kids, be sure to CHECK YOUR ADDRESS BOOK in your e-mail! I found it sitting in there, too!


The many faces of Muriel
 
 Shoshanah
 
posted on February 25, 2001 03:38:03 PM
Hey Blanche....Help! Am I going crazy, or did I reply to your post, and you replied "You're welcome, shoshanah"....I can't see it anymore...Where did it go?
I hope I did not say anything mean about the virus, and got my post deleted????
Maybe it was on another topic.... hmmmmm!
********
Gosh Shosh!

About Me
 
 Shoshanah
 
posted on February 25, 2001 03:44:49 PM
Hey! I found myself.... I was in the "Something weird going on"....Phew! Got scared for a minute Thought I was "lost in Space!"
********
Gosh Shosh!

About Me
 
 bhearsch
 
posted on February 25, 2001 04:43:29 PM
Hey, shosh, you had me going for a minute. I found it in the other thread. Maybe we both need to take a break!!

Blanche
 
 Empires
 
posted on May 21, 2001 04:16:46 PM
How often do you get this virus and what do you think is the reason for getting it? Auction related issue?

 
 