LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Paul Russell <[log in to unmask]>
Fri, 8 Dec 2000 09:38:07 -0500
This is the Hybris virus, a WIN32 virus which infects WSOCK32.DLL on
Windows 95/98/NT systems. It intercepts network traffic, scanning for
strings which appear to be email addresses, then sending copies of itself
to those addresses. The envelope sender address is always null, making it
difficult to block at the MTA level. I have seen numerous copies of this
virus in the past week, all with the return address "[log in to unmask]"
(not .com). This is a non-existent domain. LISTSERV postmasters can block
it by adding "*@sexyfun.net" to the "FILTER-ALSO" keyword statement in the
site configuration file. List owners can block it by adding that address
to the "FILTER" keyword in the list configuration. For more information
about the Hybris virus, see your favorite anti-virus software vendor's web
site.

To identify the source of a specific Hybris carrier message, analyze the
message headers. If the sender's ISP is using decent mail server software,
you should be able to determine the IP address from which the message
originated and the mail server through which the message was sent. This
information may enable you to identify the sender. At the very least, it
will enable you to identify the sender's ISP. You can then notify the ISP
that one of their customers is using a virus-infected machine. I forward
a copy of the carrier message with complete headers, but without the
attachment.

On Thu, 7 Dec 2000 13:26:53 -0500, Margaret J. Brandt <[log in to unmask]>
wrote:

> ... the from address, [log in to unmask] is not a subscriber to my list.

--
Paul Russell
Senior Systems Administrator
University of Notre Dame
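
The header analysis described in the message above, as an added example that is not part of the original post: it walks the Received headers of a carrier message to report the null envelope sender, the relay that handed the message to your own server, and the earliest recorded client address. The sample message, host names, addresses and the `parse_hops`/`trace_origin` helpers are constructed for illustration, and the pattern assumes sendmail-style Received lines.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (headers only, attachment omitted). Hosts and addresses
# use reserved example domains and RFC 5737 documentation ranges.
SAMPLE = """\
Return-Path: <>
Received: from mail.isp.example (mail.isp.example [198.51.100.25])
\tby listserv.university.example (8.11.0) with ESMTP id eB8EV2X01234;
\tFri, 8 Dec 2000 09:31:02 -0500
Received: from desktop (dialup-42.isp.example [203.0.113.42])
\tby mail.isp.example (8.9.3) with SMTP id JAA05678;
\tFri, 8 Dec 2000 09:30:55 -0500
From: Sender <sender@nonexistent.example>
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>", the common sendmail-style layout.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*"
                    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\).*?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(msg):
    """Return parsed Received hops, newest first; unparseable ones are skipped."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": str(ip), "by": m["by"]})
    return hops

def trace_origin(raw, my_mta):
    """Summarise where a carrier message entered the mail system."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    # Only the hop stamped by our own MTA is trustworthy; older ones can be forged.
    trusted = next((h for h in hops if h["by"].lower() == my_mta.lower()), None)
    first = hops[-1] if hops else None   # oldest hop: ISP server and its client
    return {"null_sender": msg.get("Return-Path", "").strip() == "<>",
            "relay_ip": trusted["ip"] if trusted else None,
            "origin_ip": first["ip"] if first else None,
            "origin_server": first["by"] if first else None}

if __name__ == "__main__":
    print(trace_origin(SAMPLE, "listserv.university.example"))
```

When reporting to an ISP, `relay_ip` is the value your own server observed; `origin_ip` and `origin_server` come from headers added upstream and should be confirmed against the ISP's logs.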
