April 23rd, 2002, 08:43 PM
Background: A couple of months ago, my ISP decided to provide its customers with a free - customized - copy of Norton Internet Security 2002.
Today, I got a mail from my provider:
Here's what I've tried/found out so far:
Skynet Customer Care
You dispose of the Security Pack with therein a user’s licence for the Norton Internet Security 2002 software.
We have recently learned that this CD-Rom contains an inactive virus (W95.Hybris.gen). We ensure you that the source of infection can not be imputed to the Norton internet Security 2002. A deeper investigation should enable us to define the cause of the infection. The virus cannot
activate itself. It is only present on the CD-Rom and cannot infect your pc.
In fact, it cannot become active unless you perform a series of complex actions that are not necessary to install the Security Pack. And even
if, for some reason, the virus is activated, your pc is not in any danger. The Norton antivirus software will detect and automatically
neutralise it (if the option “autoscan” that is activated by default, has not been deactivated).
Belgacom Skynet commits itself to send you a new CD-Rom in the next 4 weeks.
If you wish to install the Security Pack in the meantime, we recommend you follow the usual procedure as mentioned on
When you have received the new CD-ROM, there is no need to install the new version if the old one is still present on your pc. We recommend
to throw away the old CD-Rom and to keep the new one just in case an installation should be necessary in the future (for instance, if you
have bought a new computer or if Norton Internet Security 2002 is no longer available on your pc).
Customer Care Director
- I virusscanned the CD with Kasperksy. Kaspersky didn't find anything.
- I ran Tauscan on the CD. Kaspersky went ballistic, saying C:\Documents and Settings\Admin\Local Settings\Temp\tnp534.tmp.exe and /tnp320D.tmp.exe and /tnp3608.tmp.exe are infected with the W95.Hybris.gen-virus.
- I virusscanned the CD with Norton. Norton found three instances of the virus:
F:\nis\en\support\navtools\repair\fixhybf.zip, F:\nis\nl\support\navtools\repair\fixhybf.zip, F:\nis\fr\support\navtools\repair\fixhybf.zip
(the CD comes in three languages: dutch (nl), french (fr) and english (en)). It couldn't disinfect the files - it did quarantaine them though.
- Tauscanning the CD gave me the same results as with Kaspersky.
- I virusscanned my HDD with both Kaspersky and Norton. They didn't find anything. I unzipped the fixhybf.zip to my HDD. Both Kaspersky and Norton went ballistic.
- According to Norton,the W95.HybrisF Fix Tool will repair the infection caused by W95.HybrisF. Too bad the file 'repair-tool' is infected with the virus itself... *sigh*.
Here are my questions: 'It cannot become active unless you perform a series of complex actions....'. Tauscanning a CD isn't that complex, is it? I'd be interested in knowing how Tauscan works though, since the virus was found in my temp-files.
What's the use of the zipped files on the CD if they - obviously - aren't used by Norton?
April 23rd, 2002, 09:01 PM
Sound like somebodies ISP has their head so far up their a$$ they can't even provide a piss poor program like Norton without screwing it up.
I feel for you Neg. I don't know if I could put up with that.
It's enough to make you go postal.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
April 23rd, 2002, 09:07 PM
Man, talking about screwups... well, I guess it's nice of them to inform you, and replace the CD - and any idiot can understand the letter they wrote, so, thumbs up for the mopping up...
Come to think of it - Nice of them to send you a copy of a virus-scanner in the first place. My ISP (Planet Internet) offers only server sided virus scans of email, at a charge of €1.95 a month for each mailbox (more info in Dutch).
Oh, and by the way:
That's probably because the file is on your CD-Rom, which is readonly (if I had 5 cents for every time I didn't think of that...)
It couldn't disinfect the files - it did quarantaine them though.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
April 23rd, 2002, 09:16 PM
Gotta love when that happens. Makes me lose faith in isp's. That is kinda wierd that they showed up in your temp files. We told you you should be running mandrake instead negative, but noooo, you had to go back to 2000/XP.
\"Ignorance is bliss....
but only for your enemy\"
April 23rd, 2002, 09:22 PM
My ISP uses BSD... Guess that's why they didn't spot the virus
Oh, and Guus... ugh... Norton couldn't disinfect them on my HDD either... thx for pointing that out
April 23rd, 2002, 09:24 PM
wow, what is this world coming too. You would think that your ISP would run a virus scan on anything they sent out to customers. Hopefully they will from now on. There is a lesson to be learned here. Scan everything for viruses, even a virus scanner. Nothing is completely safe from being infected.
April 23rd, 2002, 09:34 PM
Hi Negative, if you are concerned about being infected, you might want to check the following Reg Keys.
Hybris will piss around with these keys if it can't replace or modify the Wsock32.dll.
Don't know if that helps, just a thought.