Menu Close

HaHaHa, Snow White and W95.Hybris.gen

It seems that peo­ple on every mail­ing list I’m on and every news­group I read have received mail from “HaHa­Ha” with an attach­ment that con­tains a virus. All of them seem to find it nec­es­sary to post a warn­ing to the list or news­group. With the num­ber of mail­ing lists I’m on (over 20 just about home­school­ing, at last count), that’s a lot of warn­ings — and many of them have con­tained mis­in­for­ma­tion. I’ve tired of writ­ing this over and over and over again, so here it is again and I’ll hope it actu­al­ly reach­es some­body before they send out yet anoth­er mis­guid­ed alert. 

First things first: don’t send virus warn­ings to unre­lat­ed mail­ing lists and news­groups, please, unless you absolute­ly know that a par­tic­u­lar virus has been dis­trib­uted via that list or news­group. In fact, before send­ing out any virus warn­ing, please read my arti­cle No Thanks, We’re Already Alert and fol­low the guide­lines there. 

What is hap­pen­ing is that some­one who has your email address in his or her email or news­read­er soft­ware somewhere–in the address book, or in a mes­sage you sent to a news­group or mail­ing list or to the individual–is infect­ed with the W95.Hybris.gen virus. That virus tries to spread itself by send­ing email to every email address it can find, attach­ing a virus-infect­ed file. 

The attach­ment sent with the mes­sage is usu­al­ly an .exe (exe­cutable) or .scr (Win­dows screen saver) file. If you open either one, you will prob­a­bly be infect­ed with the virus. If you have antivirus soft­ware installed, updat­ed, and prop­er­ly con­fig­ured, you should get a warn­ing while down­load­ing the email that there was a virus-infect­ed file com­ing in, or at the very least you should get a warn­ing if you attempt to open the file. 

The sub­ject line and/or body of the mes­sage usu­al­ly con­tains some­thing about “Snow White and the Sev­en Dwarves”–I would­n’t count on that as always being true, though, because it’s per­fect­ly like­ly that the virus has or will change to be less obvi­ous. (Update: As of 6 Feb­ru­ary 2001, I start­ed receiv­ing the virus using oth­er sender names, email address­es, and sub­ject lines, so the virus has mor­phed. I’ve also received it in oth­er lan­guages that appear to be French and pos­si­bly Italian.) 

If your sys­tem is infect­ed, the virus will send out mes­sages to all the email address­es it can find in your email pro­gram. Those mes­sages won’t have your email address or name in the head­ers, but you might get a mes­sage from your ISP if any of the recip­i­ents com­plain. What I’ve done when I received copies of the virus is to send a mes­sage to the ISP through which it was sent ask­ing the ISP to let its cus­tomer know that his or her sys­tem is infect­ed with the W95.Hybris.gen virus so that he or she can dis­in­fect it. 

If you don’t know how to fig­ure out which ISP was used to send the mes­sage, please check the series of arti­cles I’ve pub­lished on read­ing inter­net mes­sage head­ers.

Orig­i­nal­ly pub­lished 30 Jan­u­ary 2001
Pho­to by Priscil­la Du Preez on Unsplash