At 18:09 2/15/01, Hans Van Veluwen wrote:
> The virus that was sent to the list was a real one, and a nasty one too.
> It is called W32/Hybris.gen@M.
> Fortunately the OM-listserver seems to have removed the executable.
> This is a very persistent e-mail virus; it has been sent to me at least five
> times in the last couple of months.
I have come to the same conclusion. What wasn't given in the synopsis is
that it's truly a "full service" worm. It also goes out to various places
on the internet, notably a specific USENET newsgroup, to download and
assemble various plug-ins in bin-hex format.
One of these plug-ins will invade every "zip" archive with an "exe"
executable in it, rename the original "exe" to another extension, and
insert an "exe" of the same file name. The new executable is a "drop-in"
loader that, when executed, reinstalls the worm on your machine if it has
been removed, and then executes the original (now renamed) "exe" in the
archive so you never know it happened. In creating the drop-in loader, the
worm also mutates it in an attempt to evade detection.
No B.S. This is the one that hit my machine in January and I had to clean
out dozens of "zip" archives to get rid of it completely. Apparently
whatever the original attached executable was, it somehow executed itself
while I was deleting it. Took me an entire weekend and I found no less
than three variants of mutated drop-in loaders in the archives. BTW,
that's not the only plug-in for it; there are some other ones too, some of
which are more destructive to various "exe" files... in other words they
cannot be disinfected. It makes the latest "Anna" one pretty benign by
comparison.
-- John
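A defender-side check for the archive layout John describes (an .exe entry sitting beside a same-named file that was renamed to another extension), as an added example that is not part of this thread and not code from either poster. The "MZ" header heuristic, the function names and the constructed sample archive are my own assumptions; nothing here reproduces the worm's behaviour, it only looks for the trace it leaves behind.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple

Hit = Tuple[str, str, bool]  # (exe entry, same-stem sibling, sibling starts with "MZ")


def find_suspect_pairs(archive) -> List[Hit]:
    """Flag .exe entries that share directory and base name with another
    entry of a different extension.

    That is the layout the message describes: the original program renamed to
    some other extension and a loader dropped in under the old .exe name.
    The third field records whether the sibling still begins with the DOS/PE
    "MZ" magic; a non-.exe file that does is the stronger signal, because a
    renamed program keeps its header even though its name no longer says so.
    A hit is a reason to inspect, not proof of infection (installers do ship
    setup.exe next to setup.ini).
    """
    hits: List[Hit] = []
    with zipfile.ZipFile(archive) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        by_stem: Dict[str, List[str]] = {}
        for name in names:
            stem, _ext = os.path.splitext(name)
            by_stem.setdefault(stem.lower(), []).append(name)
        for entries in by_stem.values():
            exes = [e for e in entries if e.lower().endswith(".exe")]
            others = [e for e in entries if not e.lower().endswith(".exe")]
            for exe in exes:
                for sibling in others:
                    with zf.open(sibling) as fh:
                        sibling_is_pe = fh.read(2) == b"MZ"
                    hits.append((exe, sibling, sibling_is_pe))
    return sorted(hits)


def scan_tree(root: str) -> Dict[str, List[Hit]]:
    """Walk a directory tree and return hits per .zip file (only files with hits)."""
    results: Dict[str, List[Hit]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                hits = find_suspect_pairs(path)
            except zipfile.BadZipFile:
                continue  # not a real zip; outside this check's scope
            if hits:
                results[path] = hits
    return results


def build_sample_archive() -> io.BytesIO:
    """Constructed sample archive (no real malware): a renamed program beside
    a same-named stand-in loader, a benign exe/ini pair, and a text file."""
    fake_header = b"MZ" + b"\x00" * 62  # only the magic bytes; the rest is filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tools/viewer.exe", fake_header + b"stand-in for the dropped-in loader")
        zf.writestr("tools/viewer.bak", fake_header + b"stand-in for the renamed original")
        zf.writestr("setup.exe", fake_header + b"stand-in for an ordinary installer")
        zf.writestr("setup.ini", b"[setup]\nlang=en\n")
        zf.writestr("readme.txt", b"nothing to see here\n")
    buf.seek(0)
    return buf


def demo_scan() -> Dict[str, List[Hit]]:
    """Write the sample archive into a temporary tree, scan it, and return the
    hits keyed by archive file name."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.zip")
        with open(path, "wb") as out:
            out.write(build_sample_archive().getvalue())
        return {os.path.basename(p): h for p, h in scan_tree(tmp).items()}


if __name__ == "__main__":
    for archive, hits in demo_scan().items():
        for exe, sibling, is_pe in hits:
            strength = "STRONG" if is_pe else "weak"
            print(f"{archive}: {exe} beside {sibling} ({strength}: sibling "
                  f"{'has' if is_pe else 'lacks'} MZ header)")
```

Point `scan_tree` at a directory of archives to get a list worth opening by hand; the weak hits (exe next to a config file) are expected noise, the strong ones (a non-exe name whose contents still carry a PE header) are the ones that match the renaming John had to clean up. Because the message says the loader is mutated each time, the check deliberately keys on archive layout rather than on any byte pattern of the loader itself.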
< This message was delivered via the Olympus Mailing List >
< For questions, mailto:owner-olympus@xxxxxxxxxxxxxxx >
< Web Page: http://Zuiko.sls.bc.ca/swright/olympuslist.html >