Fact Check

Snow White Virus

Information about the 'Snow White' worm.

David Mikkelson

Published Mar 7, 2002

Virus name:   Snow White.


Status:   Real.

Example:   [Collected on the Internet, 2002]




From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...



(This message is accompanied by an attachment with a .SCR or .EXE file extension .)

Origins:   Snow White (also known as W95.Hybris.gen) is a worm activated when a victim receives a message like the one quoted above and executes its attachment. The worm modifies (or replaces) the recipient's wsock32.dll file, then replicates by sending the same message (with a forged return address of hahaha@sexyfun.net to addresses found in the recipient's e-mail (both inbound and outbound messages) or addresses found in web pages browsed by the recipient.

See the links below for more information on how to detect and remove Snow White.

Additional Information:






    W95.Hybris.gen W95.Hybris.gen (Symantec Security Response)
    W32/Hybris.gen@MM W32/Hybris.gen@MM (McAfee Virus Information Library)

Last updated:   29 January 2008

 

By David Mikkelson

David Mikkelson founded the site now known as snopes.com back in 1994.

Read More

Become
a Member

Your membership is the foundation of our sustainability and resilience.

Perks

Ad-Free Browsing on Snopes.com
Members-Only Newsletter
Cancel Anytime
$50.00 per year
$12.50 every 3 months
$5.00 per month
Choose your membership, or see other ways to help
default