LSTOWN-L Archives

LISTSERV List Owners' Forum

Paul Russell <[log in to unmask]>
Thu, 25 Jan 2001 11:58:52 -0500
The Hybris virus infects one or more network components on Windows 95, 98,
and NT systems. The infected component is always in use when Windows is
active, making it difficult to disinfect the system using only anti-virus
software which runs under Windows. The virus works by intercepting all
network traffic (email, web, telnet, ftp, etc.) to and from the infected
system, scanning for strings which appear to be email addresses, and
sending copies of itself to those addresses. If a list subscriber is using
an infected machine, copies of the virus might be sent to the list address,
the list owner address, and any subscriber addresses which appear in email
messages or in the list archives.

I have seen hundreds of carrier messages for this virus in the past several
weeks, each with a null envelope sender (return-path) address, a "from"
address of <[log in to unmask]>, and a subject line and message body which
make it appear that the message is a lewd joke about Snow White and the
Seven Dwarfs. While the "from" address, subject line, and message text do
not change, the filename of the attachment may vary, even on messages sent
from the same infected system.

The null envelope sender address makes it difficult to block these messages
at the mail server level, unless the mail server is doing virus detection
or other forms of content filtering; however, the constant "from" address
can be filtered by LISTSERV, either at the site level or the list level.

Most, if not all, anti-virus software vendors have detailed information
about the Hybris virus on their web sites.

--
Paul Russell
Senior Systems Administrator
University of Notre Dame
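
The filtering approach this post describes, sketched in Python as an added example (not part of the original message and not LISTSERV configuration): it keys on the constant "from" address rather than on the null envelope sender. The blocked address is a constructed placeholder, since the archive masks the real one, and the function names and sample messages are likewise constructed.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Placeholder: the archive masks the real "from" address, so this value is constructed.
BLOCKED_FROM = {"carrier-from@placeholder.invalid"}

def classify(raw):
    """Return the reasons a raw RFC 822 message matches the carrier pattern."""
    msg = message_from_string(raw)
    reasons = []
    # A null envelope sender is recorded at delivery as "Return-Path: <>".
    return_path = msg.get("Return-Path")
    if return_path is not None and parseaddr(return_path)[1] == "":
        reasons.append("null-envelope-sender")
    if parseaddr(msg.get("From", ""))[1].lower() in BLOCKED_FROM:
        reasons.append("blocked-from")
    # The attachment filename varies, so only its presence is recorded.
    if any(part.get_filename() for part in msg.walk()):
        reasons.append("has-attachment")
    return reasons

def should_reject(raw):
    # Legitimate bounce notices also use a null envelope sender, so that
    # signal alone is not a safe key; the constant "from" address is.
    return "blocked-from" in classify(raw)

def build(frm, return_path, attachment=None):
    """Build a constructed sample message as raw text."""
    m = EmailMessage()
    m["Return-Path"] = return_path
    m["From"] = frm
    m["Subject"] = "constructed sample"
    m.set_content("constructed body")
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

# Constructed samples: a carrier-style message, a bounce notice, a normal post.
SAMPLES = {
    "carrier": build("carrier-from@placeholder.invalid", "<>", "sample-a.exe"),
    "bounce": build("mailer-daemon@mail.example.invalid", "<>"),
    "post": build("subscriber@example.invalid", "<subscriber@example.invalid>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw), "reject" if should_reject(raw) else "accept")
```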
