
Re: w32.hybris.gen.Virus



Rod [comtrain] <Comtrain@optusnet.com.au> wrote in article
<3a2501dc$0$2855$7f31c96c@news01.syd.optusnet.com.au>: 

>>Still, sending viruses isn't nice, but people don't often mean to do
>>it. The fact is that viruses CAN spread automatically, and transfer is
>>usually accidental.

>This might be true in general, but when people use provocative aliases and
>go to a lot of trouble to keep their identities secret, we could be
>forgiven for believing the opposite to be true. 

From the DataFellows website, the "Hybris" worm automatically distributes 
itself by sending itself to people [it's unclear where the addresses come from, 
but presumably inbox and newsgroup messages], using "Hahaha 
<hahaha@sexyfun.net>" as the sender address. 

This particular one came from the Newcastle POP of either Optusnet or 
Dingoblue (they both use the same dial-in equipment). I received two copies 
of it, along with two copies of another originating from the same 
POP/Domain. (See headers at the bottom of this post.)

>Our Wodonga group has
>decided to react after the authorities we have been sending our
>complaints to have failed to handle this group of hackers.
>We also believe when the University closes down later this month, and
>the little darlings are back home, things might quieten down. In the
>meantime our "asio" nuke has slowed them down a lot. Unfortunately our
>reaction only compounds the problem, as we have been advised our "nuke"
>caused many more problems than those that we reacted to in the first
>place. The web as we know it is not going to survive the idiots and
>those that react to them [in the long run] :O(

Just be very careful what you say here (: [DoS is highly illegal, no 
matter how desirable it seems in cases like this]

What amazes me is that people STILL run exe files from any source without 
knowing the consequences. It's always good to delete any exe attachment you 
receive as soon as you receive it, as you can always unintentionally run 
it in the future, even if you do know what you're doing.

In relation to the two messages received, however, the headers (slightly 
munged to de-spam my real email address) are shown below:

[You will notice I DO get emails automatically sent to 
usenet.spam@gunzel.net, but they get binned into the "Spam" mailbox]

Message #1:

Received: from mail.worfie.net (qmailr@shaker.worfie.net [203.8.161.33])
	by emerald.cns.net.au (8.9.3/8.9.3) with SMTP id LAA14874
	for <xx@xxxxxxx.xxx.xx>; Mon, 27 Nov 2000 11:55:52 +1100
Date: Mon, 27 Nov 2000 11:55:52 +1100
Message-Id: <200011270055.LAA14874@emerald.cns.net.au>
Received: (qmail 20177 invoked by uid 520); 27 Nov 2000 00:51:20 -0000
Delivered-To: gunzel-usenet.spam@gunzel.net
Received: (qmail 20173 invoked from network); 27 Nov 2000 00:51:07 -0000
Received: from newax3-020.dialup.optusnet.com.au (HELO hppav) (198.142.166.20)
  by gunzel.net with SMTP; 27 Nov 2000 00:51:07 -0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VED6FKDY7"
Status: RO

[Note: no subject, no sender information; sent from 
newax3-020.dialup.optusnet.com.au]

Message #2:

Received: from mail.worfie.net (qmailr@shaker.worfie.net [203.8.161.33])
	by emerald.cns.net.au (8.9.3/8.9.3) with SMTP id MAA15876
	for <xx@xxxxxx.xxx.xx>; Mon, 27 Nov 2000 12:49:17 +1100
Received: (qmail 20445 invoked by uid 520); 27 Nov 2000 01:44:45 -0000
Delivered-To: gunzel-usenet.spam@gunzel.net
Received: (qmail 20441 invoked from network); 27 Nov 2000 01:44:44 -0000
Received: from mail001.syd.optusnet.com.au (203.2.75.244)
  by gunzel.net with SMTP; 27 Nov 2000 01:44:44 -0000
Received: from hppav (newax3-020.dialup.optusnet.com.au [198.142.166.20])
	by mail001.syd.optusnet.com.au (8.11.1/8.11.1) with SMTP id eAR1h1S22854
	for <usenet.spam@gunzel.net (Michael)>; Mon, 27 Nov 2000 12:43:03 +1100
Date: Mon, 27 Nov 2000 12:43:03 +1100
Message-Id: <200011270143.eAR1h1S22854@mail001.syd.optusnet.com.au>
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEIN4DIVG9"
Status: RO

[Note: this came from the same IP address, is date stamped, and has a 
sender and subject]

I haven't seen anything come from this host for a few days, so I would 
suggest that some person in Newcastle using Dingoblue or Optusnet has had 
their account pulled, or has realised that their computer was 
infected.

For more information on the Hybris worm, go to:

http://www.datafellows.com/v-descs/hybris.htm

While going further off topic: I had the wonderful task of removing the 
Matrix worm from a computer last week. Fun.

Regards,
Michael

-- 
(To email me just remove ".spam" off my email address).

Whip me, Beat me, just don't Windows ME
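
[Added example, not part of the original post.] The header comparison Michael does by eye above can be done mechanically: unfold the RFC 822 continuation lines, collect the Received: fields, read them oldest-first (they are prepended, so the bottom one is the earliest hop), and pull out the "from" host and address of the hop that injected the message. The script below does that for the two header blocks quoted in the post (copied here as sample input, with the newsreader's line wraps re-joined; the addresses are as munged by the author). It also applies the check a practitioner should make before pointing a finger: only Received: lines stamped by MTAs you control are trustworthy, so the address to attribute is the "from" address of the deepest trusted hop, not whatever sits at the bottom of the chain. The set of trusted MTAs is an assumption made for this example.

```python
import re

# Sample input: the two header blocks quoted in the post above, copied here
# with the newsreader's line wraps re-joined. Message #1 has no From:/Subject:.
MESSAGE_1 = """\
Received: from mail.worfie.net (qmailr@shaker.worfie.net [203.8.161.33])
\tby emerald.cns.net.au (8.9.3/8.9.3) with SMTP id LAA14874
\tfor <xx@xxxxxxx.xxx.xx>; Mon, 27 Nov 2000 11:55:52 +1100
Date: Mon, 27 Nov 2000 11:55:52 +1100
Message-Id: <200011270055.LAA14874@emerald.cns.net.au>
Received: (qmail 20177 invoked by uid 520); 27 Nov 2000 00:51:20 -0000
Delivered-To: gunzel-usenet.spam@gunzel.net
Received: (qmail 20173 invoked from network); 27 Nov 2000 00:51:07 -0000
Received: from newax3-020.dialup.optusnet.com.au (HELO hppav) (198.142.166.20)
  by gunzel.net with SMTP; 27 Nov 2000 00:51:07 -0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VED6FKDY7"
"""

MESSAGE_2 = """\
Received: from mail.worfie.net (qmailr@shaker.worfie.net [203.8.161.33])
\tby emerald.cns.net.au (8.9.3/8.9.3) with SMTP id MAA15876
\tfor <xx@xxxxxx.xxx.xx>; Mon, 27 Nov 2000 12:49:17 +1100
Received: (qmail 20445 invoked by uid 520); 27 Nov 2000 01:44:45 -0000
Delivered-To: gunzel-usenet.spam@gunzel.net
Received: (qmail 20441 invoked from network); 27 Nov 2000 01:44:44 -0000
Received: from mail001.syd.optusnet.com.au (203.2.75.244)
  by gunzel.net with SMTP; 27 Nov 2000 01:44:44 -0000
Received: from hppav (newax3-020.dialup.optusnet.com.au [198.142.166.20])
\tby mail001.syd.optusnet.com.au (8.11.1/8.11.1) with SMTP id eAR1h1S22854
\tfor <usenet.spam@gunzel.net (Michael)>; Mon, 27 Nov 2000 12:43:03 +1100
Date: Mon, 27 Nov 2000 12:43:03 +1100
Message-Id: <200011270143.eAR1h1S22854@mail001.syd.optusnet.com.au>
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEIN4DIVG9"
"""

# Assumption for the example: the MTAs whose Received: stamps the recipient can vouch for.
TRUSTED_BY_HOSTS = {"emerald.cns.net.au", "gunzel.net"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.IGNORECASE | re.DOTALL)


def unfold_headers(raw):
    """Return [(name, value)] with folded continuation lines (leading whitespace) joined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value):
    """One Received: value -> (from_host, from_ip, by_host), or None for a local hop."""
    clause = value.partition(";")[0]          # drop the timestamp
    m = FROM_BY.match(clause)
    if not m:
        return None                           # e.g. '(qmail 20177 invoked by uid 520)'
    from_host, between, by_host = m.groups()
    ip = IPV4.search(between)                 # '[1.2.3.4]' (sendmail) or '(1.2.3.4)' (qmail)
    return from_host, ip.group(1) if ip else None, by_host


def received_chain(raw):
    """Network hops in transit order, oldest first (Received: lines are prepended)."""
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]
    return [h for h in reversed(hops) if h is not None]


def origin(raw):
    """The bottom-most 'from' hop: what the chain claims injected the message."""
    chain = received_chain(raw)
    return chain[0] if chain else None


def first_untrusted_ip(raw, trusted_by_hosts):
    """Walk newest-first while the stamping MTA is one we trust; the 'from' IP of the
    last trusted stamp is the earliest address we can vouch for. Deeper lines were
    written by someone else's MTA (or the sender) and may be forged."""
    result = None
    for _from_host, from_ip, by_host in reversed(received_chain(raw)):
        if by_host.lower() not in trusted_by_hosts:
            break
        result = from_ip
    return result


def has_field(raw, name):
    """True if a header of this name is present."""
    return any(n.lower() == name.lower() for n, _ in unfold_headers(raw))


if __name__ == "__main__":
    for label, msg in (("Message #1", MESSAGE_1), ("Message #2", MESSAGE_2)):
        print(label, "chain:", received_chain(msg))
        print(label, "claimed origin:", origin(msg))
        print(label, "attributable to:", first_untrusted_ip(msg, TRUSTED_BY_HOSTS))
```

Both messages claim the same dial-up host, 198.142.166.20, as their origin. For Message #1 that claim is solid: gunzel.net itself stamped the hop. For Message #2 the 198.142.166.20 line was written by mail001.syd.optusnet.com.au, so the address you can actually vouch for is Optus's relay, 203.2.75.244; the dial-up attribution rests on trusting Optus's MTA, which is exactly the kind of caveat to state when you send the complaint.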