Xyzzy
June 23rd, 2001, 11:40
I checked my mail today and noticed another message supposedly from Intelcities. Thinking it was just another message complaining about how Intel is trying to shut them down, I opened it. Strangely enough there was no message text -- only a file named BLIFBLBL.EXE. I scanned it with Norton Antivirus and received this:
Scan Result
Name of File: BLIFBLBL.EXE
Type of File: application/octet-stream
Scan Result: Virus W95.Hybris.worm found. File NOT cleaned.
This file contains a computer worm, a program that spreads very quickly over the Internet to many computers and can delete files, steal sensitive information, or render your machine unusable.
This attachment has a virus that may infect your computer. It cannot be cleaned.
We recommend that you DO NOT download this attachment.
I checked Symantec and found out the EXE or SCR filename is randomly generated; W95.Hybris.Worm is a dropper file deposited by W95.Hybris.Gen. W95.Hybris.Gen is a nasty program - it modifies wsock32.dll to monitor all your Internet connections. For more information see http://service4.symantec.com/SARC/sarc.nsf/html/W95.Hybris.gen.html .
I can't help but wonder why Intelcities would send out viruses. Maybe someone cracked them. However, I do believe this message was really from Intelcities; here are the headers:
Received: from mail---------- (216.234.161.170) by mta443.mail.yahoo.com with SMTP; 22 Jun 2001 23:08:22 -0700 (PDT)
Received: (from root@localhost) by mail---------- (8.11.2/8.11.2) id f5N68Mt27367 for user@yahoo.com; Sat, 23 Jun 2001 00:08:22 -0600 (MDT)
Received: from intelcities.com (www.kidsafecosmos.com [216.34.78.250]) by mail---------- (8.11.2/8.11.2) with ESMTP id f5N68Kr27356 for <user@user---------->; Sat, 23 Jun 2001 00:08:21 -0600 (MDT)
From: IC_Memb-owner@intelcities.com
Received: from mycomputer [212.36.6.179] by intelcities.com (SMTPD32-6.00) id A6A02BD70256; Fri, 22 Jun 2001 22:18:24 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VED2F4DMJKHIJSP"
Message-Id: <200106222218410.SM00275@mycomputer>
Subject:
Precedence: bulk
Sender: IC_Memb-owner@intelcities.com
Date: Fri, 22 Jun 2001 23:02:12 -0700
Content-Length: 31736
At least they were kind enough to set their precedence to bulk :-) Has anyone else received this worm?
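Reading the Received chain posted above from the oldest hop to the newest, as an added Python example that is not part of the original post. The header text is copied from the post with wrapped lines joined; the function names parse_hops and chain_breaks are made up for this illustration.

```python
import re
from email import message_from_string

# Received headers copied from the post (wrapped lines joined). The
# "mail----------" host is the poster's own redaction and is kept as posted.
RAW_HEADERS = """\
Received: from mail---------- (216.234.161.170) by mta443.mail.yahoo.com with SMTP; 22 Jun 2001 23:08:22 -0700 (PDT)
Received: (from root@localhost) by mail---------- (8.11.2/8.11.2) id f5N68Mt27367 for user@yahoo.com; Sat, 23 Jun 2001 00:08:22 -0600 (MDT)
Received: from intelcities.com (www.kidsafecosmos.com [216.34.78.250]) by mail---------- (8.11.2/8.11.2) with ESMTP id f5N68Kr27356 for <user@user---------->; Sat, 23 Jun 2001 00:08:21 -0600 (MDT)
Received: from mycomputer [212.36.6.179] by intelcities.com (SMTPD32-6.00) id A6A02BD70256; Fri, 22 Jun 2001 22:18:24 -0700
"""

def parse_hops(raw):
    """Return the Received hops oldest-first (each MTA prepends its header)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())               # unfold wrapped lines
        sender_part = text.partition(" by ")[0]      # what the sender claimed
        helo = re.search(r"from\s+([^\s)]+)", sender_part)
        ip = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", sender_part)
        rdns = re.search(r"\((\S+)\s+\[", sender_part)
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "helo": helo.group(1) if helo else None,  # self-reported name
            "ip": ip.group(1) if ip else None,        # peer address, if logged
            "rdns": rdns.group(1) if rdns else None,  # name the receiver resolved
            "by": by.group(1) if by else None,        # host that wrote the header
        })
    return hops

def chain_breaks(hops):
    """Indexes of hops whose sender name does not match the previous 'by' host.
    Names are self-reported, so this is a consistency check, not proof."""
    breaks = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        # A hop with no peer IP and a user@host sender is a local hand-off.
        local = cur["ip"] is None and "@" in (cur["helo"] or "")
        expected = cur["by"] if local else cur["helo"]
        if prev["by"] != expected:
            breaks.append(i)
    return breaks

if __name__ == "__main__":
    for n, hop in enumerate(parse_hops(RAW_HEADERS), 1):
        print(n, hop)
    print("breaks:", chain_breaks(parse_hops(RAW_HEADERS)))
```

Only the newest header, written by the recipient's own mail server, is recorded by a host the recipient controls; everything below it is whatever the earlier hosts chose to write.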