Web Informant #238, 26 February 2001:
Learning from Snow White


Someone sent me the "Snow White" virus last week, and while I don't think it infected my computer, it got me started down a path of investigation that I'd like to share with you today. The virus is one of the Hybris class that goes around as an email attachment, and is yet another reason that all of us should be running some kind of scanning software.

Those of you who aren't using these tools should read this excellent series of suggestions from Claymania.com on what they nicely call practicing safe-hex.

Like many people, the first thing I did was look at where the virus was coming from. The email message I received said it was from hahaha@sexyfun.net. Naturally, I thought it was just another porn site, but I was surprised when I did a whois lookup on this domain (easywhois.com is one of many such services). I found an interesting result: it was almost as if some good Samaritan was trying to provide anti-virus information in the actual whois record, anticipating that I (and others like me) would try to track this stuff down. The record looks like this:

For Virus/Spam Help or Questions Go To
WWW.SEXYFUN.NET. NC 27609 US 919-875-4974
The From Field Is Faked

If this information were to be believed, it meant that the sexyfun.net domain wasn't where the virus actually originated. This sort of thing is very typical of many viruses, which can rewrite email header information to show some made-up address. What was curious was how Blackburn had manipulated the whois record for his domain. To get more information, I spoke to Gary Moe, who hosts the sexyfun.net web site.

Both Moe and Blackburn are network system administrators with good hearts. Moe's company provides the web hosting resources for the domain, while Blackburn did most of the work creating the content. Moe told me, "Our main goal was to help people who were running into this problem, and raise public awareness. We aren't into this for making money. Indeed, we have turned down several offers to post banner ads pushing particular products on our site."

A nice sentiment, indeed. If you go to Blackburn's web site, you'll be impressed too. It is filled with lots of good information on how to eradicate this virus, along with lots of tips on how to set up mail filters to prevent future attacks. Blackburn and Moe also provide links to the major anti-virus software vendors, so you can research the virus yourself if you don't believe them. Moe told me that they have received plenty of angry emails from people who think they created this virus. (The latest information is that a Brazilian group is the author.)

And, I did learn a few things in the process. First, I came across a helpful newsgroup called alt.comp.virus (remember newsgroups?) that discusses things you can do to keep your system virus-free. And while there were several thousand messages when I checked this morning, I could easily sort through them to find out more about Snow White and Hybris.

And when I followed a link on Blackburn's site, I found a discussion about one "feature" of Windows ME that isn't widely known, the ability to automatically do a system restore to a previous state. I remember when I first came across this feature, I thought, what a great idea. However, as you read this bulletin from Microsoft, you find out that the restore function can keep virus scanners from completely removing infected system files, and you might have to turn off the automatic restores before you can get rid of the infection completely.

Anyway, I mention this not to knock Windows ME but to point out that things have gotten very complicated and even the most experienced computer user will have to keep up to date on the latest twists and turns to stay ahead of the twisted people that create these viruses.

So let's praise people like Blackburn and Moe. They are a reminder of the kind of culture that was common on the Internet ten or so years ago. Blackburn and Moe didn't have to go through all this trouble to buy the domain name and host a site and prepare all these pages. They could have just done nothing. Instead, they are trying to help others who have less knowledge than they do, by providing tons of tools and helpful advice. Of course, you have to know where to look for this advice, and sometimes tracking it down isn't easy. But their site offers a great starting place, and more people should emulate them.

In the meantime, don't be tempted to open those email attachments, and keep those virus scanners up to date.

David Strom
+1 (516) 944-3407
entire contents copyright 2001 by David Strom, Inc.
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.