HaHaHa, Snow White and W95.Hybris.gen
It seems that people on every mailing list I’m on and every newsgroup I read have received mail from “HaHaHa” with an attachment that contains a virus. All of them seem to find it necessary to post a warning to the list or newsgroup. With the number of mailing lists I’m on (over 20 just about homeschooling, at last count), that’s a lot of warnings — and many of them have contained misinformation. I’ve tired of writing this over and over and over again, so here it is again, and I hope it actually reaches somebody before he or she sends out yet another misguided alert.
First, don’t send virus warnings to unrelated mailing lists and newsgroups, please, unless you absolutely know that a virus has been distributed via that list or newsgroup. In fact, before sending out any virus warning, please read my article No Thanks, We’re Already Alert and follow the guidelines there.
Second, there isn’t an individual with the email address “HaHaHa@sexyfun.net” who is sending you email. In fact, the current owner of the sexyfun.net domain, Casey Blackburn, is trying to stop the virus, and he had nothing to do with its origin. He and his friend Gary keep that web site up in an attempt to educate people about the virus. Since the domain wasn’t registered until December 11, 2000 and the virus appeared well before that date (Symantec’s web site says that it appeared September 25, 2000), I see no reason to doubt Blackburn’s claims. Don’t complain to sexyfun.net, their upstream providers, etc. about the virus. In any case, you aren’t being targeted personally.
What is happening is that someone who has your email address in his or her email or newsreader software somewhere — in the address book, or in a message you sent to a newsgroup or mailing list or to the individual — is infected with the W95.Hybris.gen virus. That virus tries to spread itself by sending email to every email address it can find, attaching a virus-infected file.
The attachment sent with the message is usually an .exe (executable) or .scr (Windows screen saver) file. If you execute either one, you will probably be infected with the virus. If you have antivirus software installed, updated, and properly configured, you should get a warning while downloading the email that there was a virus-infected file coming in, or at the very least you should get a warning if you attempt to open the file.
The subject line and/or body of the message usually contains something about “Snow White and the Seven dwarves” — I wouldn’t count on that as always being true, though, because it’s perfectly likely that the virus has changed or will change to be less obvious. (Update: As of February 6, I started receiving the virus using other sender names, email addresses and subject lines, so the virus has morphed. I’ve also received it in other languages that appear to be French and possibly Italian.)
If your system is infected, the virus will send out messages to all the email addresses it can find in your email program. Those messages won’t have your email address or name in the headers, but you might get a message from your ISP if any of the recipients complain. What I’ve done when I received copies of the virus is to send a message to the ISP through which it was sent asking the ISP to let its customer know that his or her system is infected with the W95.Hybris.gen virus so that he or she can disinfect it.
If you don’t know how to figure out which ISP was used to send the message, please check the series of articles I’ll be publishing over the next few days on reading internet message headers.
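As an added illustration (not part of the original article), the two checks described above can be scripted: flag attachments ending in .exe or .scr, and list the relay addresses from the Received headers so you know which ISP to notify. The message, host names and addresses below are constructed for the example, and `triage` is a hypothetical helper name.

```python
import email
import re
from email import policy

# Attachment types the article names as the usual carriers.
RISKY_EXTENSIONS = (".exe", ".scr")
# Most mail servers record the connecting host's IPv4 address in brackets.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: documentation-range addresses and a dummy payload.
SAMPLE = b"""\
Received: from mail.isp-a.example ([198.51.100.7])
\tby mx.reader.example with ESMTP; Tue, 30 Jan 2001 10:02:11 -0500
Received: from dialup-42.isp-a.example ([192.0.2.42])
\tby mail.isp-a.example with SMTP; Tue, 30 Jan 2001 10:02:05 -0500
From: HaHaHa <HaHaHa@sexyfun.net>
Subject: Snow White (constructed subject)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(constructed body)
--b1
Content-Type: application/octet-stream; name="sample.scr"
Content-Disposition: attachment; filename="sample.scr"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Compare case-insensitively on the final extension, so a name such as
    # "photo.jpg.SCR" is flagged as well.
    risky = [
        part.get_filename()
        for part in msg.walk()
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
    ]
    # Each server prepends its own Received line, so reverse the list to
    # read the path from the sending machine towards your mailbox.
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        ip = BRACKETED_IP.search(str(header))
        hops.append(ip.group(1) if ip else None)
    return {"risky_attachments": risky, "hops_origin_first": hops}
```

Only the hop recorded by your own mail server is fully trustworthy; earlier Received lines come from the sending side and can be forged, so treat the From header and the oldest hops as hints rather than proof.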
Originally published January 30, 2001