HYBRIS HAHAHA VIRUS - Not a laughing matter

RIVER BENDER - February, 2001

On December 13, 300 members of the New Bern Computer Users Group received a strange e-mail message from Hahaha@sexyfun.net. The harmless message spoke about Snow White and the seven dwarfs, but the file attached to the message contained a virus called "Hybris." Once the attached file was opened, the recipient's PC became infected. Despite repeated warnings to members never to open strange attachments, several members apparently opened the file and all hell broke loose. By Christmas, every NBCUG member had received over 30 Hahaha messages addressed to the club. I received 19 additional messages sent directly to my e-mail address. How in the world did this happen?

We weren't sure of the extent of the Hybris virus until the NBCUG monthly meeting was held on December 16. By coincidence, the program just happened to be on viruses and 113 people showed up - about twice the usual attendance. The meeting began with a question of how many people had received a message from hahaha@sexyfun.net, and all hands were raised. We then knew that we had a serious problem, but at the time we were only starting to learn about Hybris.

How did the Hybris virus work? Once the attachment to a Hahaha message was opened, the virus went to work harvesting e-mail addresses coming in and out of one's PC. For example, if a PC was infected and received a message addressed to all NBCUG members, the virus would pick up the NBCUG address and use it to send a Hahaha message to every member at some later date and time, using the fake return address hahaha@sexyfun.net. This went on day after day and got so bad that each time members checked incoming mail there would be several Hahaha messages waiting to be downloaded.

NBCUG members with an active anti-virus program were the most annoyed because each Hahaha message triggered an alert that had to be responded to. Those without anti-virus software simply received the harmless messages and deleted them along with the payload attachment. I was kept busy responding to requests to be removed from the NBCUG e-mail list but surprisingly only about 20 members left out of 300 with e-mail. I saved all Hybris messages to examine the headers and determine to whom they were addressed and possibly who sent them so senders could be alerted.
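The header review described above can be scripted. The following is an added example, not part of the original article: it tallies who the forged messages were addressed to and which host appears in the oldest Received line. The sample messages, host names and list address are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

FORGED_FROM = "hahaha@sexyfun.net"  # forged return address named in the article

def sample(origin, to, sender="Hahaha <hahaha@sexyfun.net>"):
    """Build one constructed message; Received lines are newest hop first."""
    return (
        "Received: from relay.example by mx.example; 13 Dec 2000\n"
        f"Received: from {origin} by relay.example; 13 Dec 2000\n"
        f"From: {sender}\nTo: {to}\nSubject: constructed sample\n\nbody\n")

# Constructed sample mailbox (hypothetical hosts and addresses).
SAMPLES = [
    sample("dialup-17.isp.example", "list@club.example"),
    sample("dialup-17.isp.example", "list@club.example"),
    sample("dialup-42.isp.example", "editor@club.example"),
    sample("dialup-99.isp.example", "list@club.example",
           sender="Member <member@club.example>"),  # ordinary list mail
]

def origin_hop(msg):
    """Host named in the oldest (bottom-most) Received header, or None."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    # Hops below the first server you trust can be forged: treat as a lead.
    m = re.search(r"from\s+(\S+)", received[-1])
    return m.group(1) if m else None

def triage(raw_messages):
    """Count recipients and origin hosts for messages using the forged From."""
    recipients, origins = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
        if FORGED_FROM not in senders:
            continue  # the From address is the only reliable marker here
        for _, addr in getaddresses(msg.get_all("To", [])):
            recipients[addr.lower()] += 1
        origins[origin_hop(msg) or "unknown"] += 1
    return recipients, origins

if __name__ == "__main__":
    recipients, origins = triage(SAMPLES)
    print("addressed to:", recipients.most_common())
    print("oldest hop:  ", origins.most_common())
```

An origin host that recurs across many messages points to the ISP customer whose machine is likely infected, which is the person to alert.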

As members learned more about Hybris (the name happens to be the Greek mythical God of Insolence), messages were sent to members on how to determine infection and what to do about it. Most of the information was posted on a new bulletin board accessible at NBCUG's web page at http://www4.coastalnet.com/nbcug. The solution was to determine if the virus had corrupted a file called wsock32.dll and if so how to restore it.

At one point during the frenzy of Hahaha messages, some members wanted to have the NBCUG e-mail list shut down. As an alternative the address of the list was changed hoping that it might help but the virus soon ferreted out the new address and messages continued. Many members suggested that their ISPs start scanning e-mail for viruses.

By coincidence, the ISP Always-Online had offered to host the NBCUG list and scan for viruses. After determining that most members preferred moving the list, the club formed a small test group to give Always-Online a try. The tests turned out to be a success. Live Hybris virus attachments were sent to the test group and were caught by Always-Online. On December 29, NBCUG's list was moved using the new address nbcug@always-online.com, where it became a closed list that only members were able to use.

The Hybris virus finally settled down. Strangely, as of this writing the River Bend e-mail list was never hit. In retrospect Hybris was a good lesson for the many people who were prone to open strange e-mail attachments. The club was sorry to lose those that couldn't stand the heat and requested to be removed from the e-mail list. One can only hope that they didn't become infected and continue sending the virus out unknowingly to their friends. Those that remained on the list at least had the advantage of receiving help from the many messages that were sent on how to detect and get rid of the virus.