It seems that people on every mailing list I’m on and every newsgroup I read have received mail from “HaHaHa” with an attachment that contains a virus. All of them seem to find it necessary to post a warning to the list or newsgroup. With the number of mailing lists I’m on (over 20 just about homeschooling, at last count), that’s a lot of warnings — and many of them have contained misinformation. I’ve tired of writing this over and over and over again, so here it is again and I’ll hope it actually reaches somebody before he or she sends out yet another misguided alert.

First, don’t send virus warnings to unrelated mailing lists and newsgroups, please, unless you absolutely know that a virus has been distributed via that list or newsgroup. In fact, before sending out any virus warning, please read my article No Thanks, We’re Already Alert and follow the guidelines there.

Second, there isn’t an individual with the email address “HaHaHa@sexyfun.net” who is sending you email. In fact, the current owner of the sexyfun.net domain, Casey Blackburn, is trying to stop the virus and he had nothing to do with its origin. He and his friend Gary keep that web site up in an attempt to educate people about the virus. Since the domain wasn’t registered until December 11, 2000 and the virus appeared well before that date (Symantec’s web site says that it appeared September 25, 2000), I see no reason to doubt Blackburn’s claims. Don’t complain to sexyfun.net, their upstream providers, etc. about the virus. In any case, you aren’t being targeted personally.

What is happening is that someone who has your email address in his or her email or newsreader software somewhere — in the address book, or in a message you sent to a newsgroup or mailing list or to the individual — is infected with the W95.Hybris.gen virus. That virus tries to spread itself by sending email to every email address it can find, attaching a virus-infected file.

The attachment sent with the message is usually an .exe (executable) or .scr (Windows screen saver) file. If you execute either one, you will probably be infected with the virus. If you have antivirus software installed, updated, and properly configured, you should get a warning while downloading the email that there was a virus-infected file coming in, or at the very least you should get a warning if you attempt to open the file.

The subject line and/or body of the message usually contains something about “Snow White and the Seven dwarves” — I wouldn’t count on that as always being true, though, because it’s perfectly likely that the virus has or will change to be less obvious. (Update: As of February 6, I started receiving the virus using other sender names, email addresses and subject lines, so the virus has morphed. I’ve also received it in other languages that appear to be French and possibly Italian.)
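Because the sender and subject line change, a mail filter that keys on them misses later copies, while the attachment type stays recognizable. The following is an added example, not part of the original article: it flags messages by attachment extension alone, and the sample messages, addresses and filenames in it are constructed.

```python
from email import message_from_string

# Extensions the article names as typical for the infected attachment.
RISKY_EXTENSIONS = (".exe", ".scr")

def risky_attachments(msg):
    """Return filenames of MIME parts whose extension is in RISKY_EXTENSIONS."""
    found = []
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a filename
        if not filename:
            continue
        # Windows ignores trailing dots and spaces, so "x.exe." still runs.
        normalized = filename.lower().rstrip(". ")
        if normalized.endswith(RISKY_EXTENSIONS):
            found.append(filename)
    return found

def build_sample(sender, subject, filename):
    """Constructed test message; the attachment body is harmless text."""
    return (
        f"From: {sender}\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "body text\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        "placeholder\n"
        "--b1--\n"
    )

# Constructed samples: the known sender, a changed sender and subject, a benign file.
SAMPLES = [
    ("HaHaHa <HaHaHa@sexyfun.net>", "Snow White and the Seven Dwarfs", "sample1.exe"),
    ("someone@example.org", "Bonjour", "sample2.SCR"),
    ("friend@example.com", "Meeting notes", "notes.txt"),
]

if __name__ == "__main__":
    for sender, subject, filename in SAMPLES:
        hits = risky_attachments(message_from_string(build_sample(sender, subject, filename)))
        print(f"{subject!r}: {'QUARANTINE ' + str(hits) if hits else 'deliver'}")
```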

If your system is infected, the virus will send out messages to all the email addresses it can find in your email program. Those messages won’t have your email address or name in the headers, but you might get a message from your ISP if any of the recipients complain. What I’ve done when I received copies of the virus is to send a message to the ISP through which it was sent asking the ISP to let its customer know that his or her system is infected with the W95.Hybris.gen virus so that he or she can disinfect it.

If you don’t know how to figure out which ISP was used to send the message, please check the series of articles I’ll be publishing over the next few days on reading internet message headers.

Originally published January 30, 2001