Menu Close

HaHaHa, Snow White and W95.Hybris.gen

It seems that people on every mailing list I’m on and every newsgroup I read have received mail from "HaHaHa" with an attachment that contains a virus. All of them seem to find it necessary to post a warning to the list or newsgroup. With the number of mailing lists I’m on (over 20 just about homeschooling, at last count), that’s a lot of warnings – and many of them have contained misinformation. I’ve tired of writing this over and over and over again, so here it is again and I’ll hope it actually reaches somebody before they send out yet another misguided alert.

First things first: don’t send virus warnings to unrelated mailing lists and newsgroups, please, unless you absolutely know that a particular virus has been distributed via that list or newsgroup. In fact, before sending out any virus warning, please read my article No Thanks, We’re Already Alert and follow the guidelines there.

What is happening is that someone who has your email address in his or her email or newsreader software somewhere–in the address book, or in a message you sent to a newsgroup or mailing list or to the individual–is infected with the W95.Hybris.gen virus. That virus tries to spread itself by sending email to every email address it can find, attaching a virus-infected file.

The attachment sent with the message is usually an .exe (executable) or .scr (Windows screen saver) file. If you open either one, you will probably be infected with the virus. If you have antivirus software installed, updated, and properly configured, you should get a warning while downloading the email that there was a virus-infected file coming in, or at the very least you should get a warning if you attempt to open the file.

The subject line and/or body of the message usually contains something about “Snow White and the Seven Dwarves”–I wouldn’t count on that as always being true, though, because it’s perfectly likely that the virus has or will change to be less obvious. (Update: As of 6 February 2001, I started receiving the virus using other sender names, email addresses, and subject lines, so the virus has morphed. I’ve also received it in other languages that appear to be French and possibly Italian.)

If your system is infected, the virus will send out messages to all the email addresses it can find in your email program. Those messages won’t have your email address or name in the headers, but you might get a message from your ISP if any of the recipients complain. What I’ve done when I received copies of the virus is to send a message to the ISP through which it was sent asking the ISP to let its customer know that his or her system is infected with the W95.Hybris.gen virus so that he or she can disinfect it.

If you don’t know how to figure out which ISP was used to send the message, please check the series of articles I’ve published on reading internet message headers.

Originally published 30 January 2001
Photo by Priscilla Du Preez on Unsplash