Aloha! The only info I have for John Lincoln is b: 5/3/1716 in Freehold, Monmouth Co., NJ d: 11/1778 m: Rebecca (Moore?) Flowers 7/5/1743 in Berks Co., PA. b: 3/30/1720 d: 7/20/1806. These children listed: Abraham b: 5/13/1744 (Honest Abe's grandaddy), John Jr., Thomas, Isaac, Jacob. No real dates on the siblings of Abraham, just "abt" dates based on Abraham's birth year. No Hannah listed. Family only notes thay had 5 sons. Family notes that John Sr. moved from Berks Co., PA with his five sons in 1790 to Rockingham Co., VA. 20 years later, Abraham and his wife (grandparents of Honest Abe) in 1780 moved to Hardin Co., KY. Note above I have Rebecca's name with (Moore?). Family noted her name as Rebecca Moore Lincoln, but other researchers have Flowers. I also found that she was married to a James Morris. Poss the family meant Rebecca Morris Lincoln? You can see the Lincoln family info I extracted from our family book "The Boone Families 1605-1975". I also have photos of Abe, Mary Todd, Capt. Robert Todd Lincoln, William Wallace Lincoln and Thomas "Tad" Lincoln posted on Abe Lincoln's page. Mahalo! S. Viehweg Viehweg Family Homepage http://www.viehweg.org

Aloha! No, we live on Maui in Hawaii. Hubby has been here for 17 years, I have been here 14. His family still reside in Montgomery and Macoupin Co., IL. He lived in Mt. Olive, the families reside in both Mt. Olive and Litchfield. His grandmother, Gladys Hope, is a daughter of Johanna Davis Boone. Gladys is still living, but she has Alzheimers, and living in a nursing home in Litchfield. Not sure, but I believe a lot of our Boone's are buried in Hillsboro, IL., possibly in Waveland Cemetery. Next visit home, I'll have to go and see who I find buried there. I don't have any info on Hezekiah other than he was born 1732 Exeter, Berks Co., PA d: 1823 Woodford Co., KY m: Rebecca Freelove with one son listed Solomon Boone. That's it. Mahalo! S. Viehweg Viehweg Family Homepage http://www.viehweg.org

I just received a copy of Edward M. Boone's service record with the 32nd Iowa Infantry in the War of the Rebellion. It has a copy of his enlistment with his signature and a letter of consent from his father William Myrtle Boone with his signature. I will share copies will relatives to this line. Contact me and I will e mail a copy and share other information. Does anyone have a picture of Edward M. Boone? I just received a box of old pictures and many were taken in Sundance Wyoming where Edward died. Of course very few were labeled.

Aloha! Seeking info to fill in some blanks. Hubby descends from 1) George Boone IV 2) William Boone m: Sarah Lincoln (2nd gr.aunt of Honest Abe) 3) William Boone m: Susannah Parks 4) Mordicai Boone m: Susan Shank 5) Cyrus Boone m: Susan Davis Bugbie In March, 1851, Cyrus Boone sold out his store at Beaver Creek, closed up business, and with his wife, Susan Davis Bugbie Boone, and five children left Maryland and by stage and steamboat went to Montgomery Co., Ill. 6) Joseph Henry Boone m: Margaret Johanna Bishop 7) Johanna Davis "Daisy" Boone m: Oscar Lee Hope Our family compiled our Boone, Lincoln, Jenkins history and distributed a family book titled "The Boone Families 1605-1975". Please visit my site to view misc history and other items. Mahalo! S. Viehweg Viehweg Family Homepage http://www.viehweg.org

In a message dated 5/13/2001 12:48:52 AM Central Daylight Time, [email protected] writes: > http://sbaldw.home.mindspring.com/e_morgan.htm > Please consider Stewart Baldwin a reliable source. He is a contributer to the medieval genealogy newsgroup. He does good work. Dave Botts

Ancestry.com has opened up access to people who died in California 1940-1997 including 2,765 Boones born across the Country. But it is searchable. I used "Boone, Mississippi" and reduced that down to 87 Boones born in Mississippi including some know relations. I used "Boone, Kentucky" and whittled it down to 87 possibles. I used "Boone, Walker" and came up with 10 people who had Boone or Walker as part of their last name or parent's last name. Here's the site and a couple of my kin (one family - people I knew and met) that I found there: http://www.ancestry.com/search/rectype/inddbs/5180.htm Surname Given Name Middle Name Sex Birth Date Death Date Birth Place Death Place Social Security # Mother's Maiden Name Father's Surname BOONE FRANK WALKER MALE 11/16/1894 10/11/1951 MISSISSIPPI LOS ANGELES (SSN deleted) POTTER BOONE BOONE VIRGINIA W FEMALE 05/11/1896 04/01/1977 MISSOURI LOS ANGELES (SSN deleted) I believe this birth is in error. This was Virginia Walker Boone. PARTEN BETTY MARIE FEMALE 03/07/1923 07/16/1989 CALIFORNIA LOS ANGELES (SSN deleted) WALKER BOONE

Just curious here: can anyone identify the Michael WAREN listed below? Reason is, I keep seeing his name in connection with the folks I'm following, & just wonder "who" he was/his connection. Thanks, Kathryn =============================== [email protected] wrote: > > #2 [BOONE-L] Wills 1748 - 1757 Philad > > Subject: [BOONE-L] Wills 1748 - 1757 Philadelphia Co, PA > Date: Sat, 12 May 2001 22:49:20 -0400 > From: "ronboone" <[email protected]> > To: [email protected] > > Wills: Abstracts, Book J: 1748 - 1752: Philadelphia Co, PA > http://ftp.rootsweb.com/pub/usgenweb/pa/philadelphia/wills/willabstrbkj.txt > > NOTE: Dates are will 'written' and will 'proved'. > > SADLER, CONRAD. Exeter, Co. of Philadelphia. > January 7, 1748/9. February 3, 1748. J.56. > Wife: Mary. Children: Philip and others. > Exec: Mary Sadler, Robert Partison. > Wit: William BOONE, Michael Waren, George Lotz. >

Edward Morgan of Gwynedd, PA http://sbaldw.home.mindspring.com/e_morgan.htm This page by Stewart Baldwin has an excellent descendancy chart listing the children, grandchildren, and great-grandchildren of Edward MORGAN and Elizabeth (Jarman?); those descendents listed include the children and grandchildren of Sarah MORGAN and Squire BOONE; the format is very easy to read - scroll down about 2/3 of the page. Also, Wills: Abstracts, Book J: 1745 - 1747: Philadelphia Co, PA http://ftp.rootsweb.com/pub/usgenweb/pa/philadelphia/wills/willabstrbkl.txt MORGAN, JESSE. Whitpain, Co. of Philadelphia. 4 mo. 13, 1757. September 14, 1757. L.1. Wife: Mary. Children: Priscillah, Mary and Dorothy. Brother: Edward. Nephew: Morgan Morgan. Cousins: Owen Hughes, Isaac Hughes, William Morris. Uncles: Benjamin and Edward Hughes. Trustees: Edward Hughes, Edward Morgan, William Morris. Exec: Mary Morgan. Wit: Margaret Morgan (her mark), Ludwick Cook. Ron [email protected]

Wills: Abstracts, Book J: 1748 - 1752: Philadelphia Co, PA http://ftp.rootsweb.com/pub/usgenweb/pa/philadelphia/wills/willabstrbkj.txt NOTE: Dates are will 'written' and will 'proved'. SADLER, CONRAD. Exeter, Co. of Philadelphia. January 7, 1748/9. February 3, 1748. J.56. Wife: Mary. Children: Philip and others. Exec: Mary Sadler, Robert Partison. Wit: William BOONE, Michael Waren, George Lotz. COLES, DANIEL. Exeter, Co. of Philadelphia. November 6, 1749/50. January 5, 1749. J.208. Wife: Dinah. Children: Solomon, Mary and Deborah. Brothers-in-Law and Exec: John Hughes, William BOONE Wit: Josiah BOONE, George Moore (his mark), Thomas Embree. Wills: Abstracts, Book K: 1752 - 1757: Philadelphia Co, PA http://ftp.rootsweb.com/pub/usgenweb/pa/philadelphia/wills/willabstrbkk.txt BOONE, JANE. City of Philadelphia. Innholder. December 15, 1750. December 28, 1752. K.29. Children: William and Elizabeth (Turner). Sisters: Mary Pearce and Catherine Adams. Exec: Thomas Say. Wit: Edward Drinker, Alexander Crukshank, Abraham Bickley. Ron [email protected]

Roger Boone Holmes died in Butte, Montana on Friday, May 4, following a long battle with cancer. He was born in Butte on June 25, 1929 to Keith Debolt Holmes and Margaret Alice McRobert. His great-great grandparents, Thompson and Lucy Kemper, were among Butte's earliest settlers. He was a direct descendant of pioneer Daniel Boone through his daughter, Rebecca Goe. Roger attended Whittier Grade School and graduated from Butte High School in 1947. On September 4, 1948, he married his beloved wife, Edna Marie Fuller. She preceded him in death in 1995. Roger was employed by the Anaconda Company as a miner, truck driver, and draftsman, before going to work for the Montana Bureau of Mines and Geology at Montana Tech in 1959. He was cartographic supervisor there until his retirement in 1992. Besides his family, Roger's great love was automobiles. He remember every car he ever owned-and there were hundreds-in vivid detail. As a young man, he raced stock cars at Butana Speedway. In retirement he took up drag racing and enjoyed many dusty Sundays at Lost Creek Raceway. He is survived by his three children and their spouses, Linda Lee Holmes, Mike and Tracy Holmes, Ed and Frances Holmes; and six grandchildren, Mike, Andrew, Ashley, Courtney, and Eddy Holmes, and Patrick Kueffler. He is also survived by his brother and sister-in-law, Keith and Mary Lou Holmes; stepsister and husband, Stephany and Jack Lowry; and niece and nephews Laurie Mohney and Richard and Dale Holmes.

FRANKLIN COUNTY, NC - CENSUS - 1800 Census Extract http://ftp.rootsweb.com/pub/usgenweb/nc/franklin/census/1800.txt [transcribed by Mark A. Murphy, 4 May 2001] [head; FWM<10/ FWM10-15/ FWM16-25/ FWM26-45/ FWM46+; FWF<10/FWF10-15/FWF16-25/FWF26-45/FWF46+; Slaves] Page 33: Willis BOON 0-0-0-1-0; 0-0-0-1-0; 0 Rebeca BOON 1-2-0-0-0; 3-2-0-0-1; 4 There are only five pages (1, 20, 32, 33, 42) of this census online at this URL; there might have been other BOONs, but not listed. A note at the top says: "Schedule of the whole number of persons within the division allotted to William Ransom." Ron [email protected]

Art, I have lost your addy. Please send me a note. Lou Ann

What's up with the BOONE-L list? It's sending out some weird stuff....

unsubscribe

--12460510.989553642710.JavaMail.imail.scorch.excite.com Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit _______________________________________________________ Send a cool gift with your E-Card http://www.bluemountain.com/giftcenter/ --12460510.989553642710.JavaMail.imail.scorch.excite.com Content-Type: message/rfc822; name="mail failed, returning to sender" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="mail failed, returning to sender" Return-Path: <> Received: from mx8.airmail.net ([209.196.77.105]) by congo.excite.com (InterMail vM.4.01.02.00 201-229-116) with ESMTP id <[email protected]> for <[email protected]>; Thu, 10 May 2001 20:41:41 -0700 Received: from mail2.iadfw.net ([206.66.12.234]) by mx8.airmail.net with smtp (Exim 3.16 #10) id 14y3pU-0002RL-00 for [email protected]; Thu, 10 May 2001 22:43:00 -0500 Received: from mail2.iadfw.net by mail2.iadfw.net (/\##/\ Smail3.1.30.16 #30.50) with bsmtp for <[email protected]> sender: <MAILER-DAEMON> id <my/[email protected]>; Thu, 10 May 2001 22:41:59 -0500 (CDT) Message-Id: <my/[email protected]> Date: Thu, 10 May 2001 22:41:59 -0500 (CDT) From: <[email protected]> To: [email protected] Subject: mail failed, returning to sender Reference: <mP/[email protected]> |------------------------- Message log follows: -------------------------| no valid recipients were found for this message |------------------------- Failed addresses follow: ---------------------| <[email protected]> ... unknown user |------------------------- Message text follows: ------------------------| Received: from mx5.airmail.net from [209.196.77.102] by mail2.iadfw.net (/\##/\ Smail3.1.30.16 #30.50) with esmtp sender: <[email protected]> id <mP/[email protected]>; Thu, 10 May 2001 22:41:53 -0500 (CDT) Received: from kuku-rwcmta.excite.com ([198.3.99.63] helo=kuku.excite.com) by mx5.airmail.net with esmtp (Exim 3.16 #10) id 14y3oM-0001xi-00 for [email protected]; Thu, 10 May 2001 22:41:50 -0500 Received: from scorch.excite.com ([199.172.152.240]) by kuku.excite.com (InterMail vM.4.01.02.39 201-229-119-122) with ESMTP id <[email protected]> for <[email protected]>; Thu, 10 May 2001 20:41:03 -0700 Message-ID: <[email protected]> Date: Thu, 10 May 2001 20:41:03 -0700 (PDT) From: rose livers <[email protected]> To: [email protected] Subject: Related to Daniel Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Mailer: Excite Inbox X-Sender-Ip: 63.69.150.167 Hi Becky, I read your querry on GenForum. I am also related to Daniel Boone. My line is from Edward (his brother) to George, to Levi, to Isaac, to Joe W

This is a message for Ron Boone or any-one who has connections to William Patterson. The abstract of the Will of William posted on rootsweb, mentions a son, John in Damarara. And a daughter Elizabeth of said John. Does any-one have any info. on Elizabeth, or her mother, and what became of John of Damerara, did he have more children? and with whom? were any of these born in Damarara? PS. Damarara is really Demerara, in British Guiana, (now Guyana) South America.

--WebTV-Mail-19445-464 Content-Type: Text/Plain; Charset=US-ASCII Content-Transfer-Encoding: 7Bit --WebTV-Mail-19445-464 Content-Disposition: Inline Content-Type: Message/RFC822 Content-Transfer-Encoding: 7Bit Received: from smtpin-101-11.bryant.webtv.net (209.240.198.179) by storefull-107.iap.bryant.webtv.net with WTV-SMTP; Tue, 8 May 2001 15:11:14 -0700 (PDT) Received: by smtpin-101-11.bryant.webtv.net (WebTV_Postfix+sws) id A2B89138; Tue, 8 May 2001 15:11:17 -0700 (PDT) Delivered-To: [email protected] Received: from web4107.mail.yahoo.com (web4107.mail.yahoo.com [216.115.104.127]) by smtpin-101-11.bryant.webtv.net (WebTV_Postfix+sws) with SMTP id 51252146 for <[email protected]>; Tue, 8 May 2001 15:11:17 -0700 (PDT) Message-ID: <[email protected]> Received: from [208.15.165.64] by web4107.mail.yahoo.com; Tue, 08 May 2001 15:11:17 PDT Date: Tue, 8 May 2001 15:11:17 -0700 (PDT) From: lena Marie <[email protected]> Subject: Re: [BOONE-L] John and William Boone To: [email protected] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii From: "Lois Dawson" <[email protected]> Reply-to: [email protected] Date: Sat, 5 May 2001 23:50:23 -0400 Subject: [BOONE-L] John and William Boone To: [email protected] Hi, I'm looking for information on John Boone, father of William Albert Boone, who married Myrtle viola [Gies] Jones. Johns wife may have been Maude Tate Boone? If anyone has this information I'd really appreciate hearing from them. Lois Dawson > > Lois, I have: John Boone born 8-5-1829 John Boone born 01-10-1798 married Sarah Pierson in N.C.; moved to Indiana in 1818. 10 children..... one is William (unknown middle name) born 8-23-1817 married Sarah Beeks. If these dates fit, I have more info. Marie __________________________________________________ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ --WebTV-Mail-19445-464--

This was posted on the PAWASHIN-L........Maybe this will be of some interest to Boon/Boone cousins. Tuesday, May 8, 2001 "Observer-Reporter" Online, Washington, PA.           Monumental honor BY KATHIE O. WARCO THE OBSERVER-REPORTER [email protected] Thomas Seybert knew from the stories told by his mother that a member of his family had received the Medal of Honor, the nation's highest military honor. It wasn't until a few weeks ago, though, that the Washington man learned that relatives of U.S. Army Capt. Hugh Patterson Boon were being sought by organizers of a monument project to honor medal winners born in Washington County. Boon fought in the Civil War as a member of Company B, 1st West Virginia Cavalry. He received the medal for capturing the Confederate flag at Deatonsville (Sailor's Creek) in Virginia on April 6, 1865. He died Jan. 14, 1908, and is buried in Washington Cemetery. Having difficulty tracking down descendants of Boon, Edward Snarey, chairman of the project, went to a meeting at American Legion Post 175, Washington, to seek members' help. Snarey's co-chairman, Charles Pollacci, died in April, which also hampered efforts to find family members. Seybert, a member of the Legion, missed that meeting and didn't hear about the search until minutes were read at the following meeting. "My grandfather was E.T. Boone, and his father was James Milhollan Boone Jr.," Seybert said. "Hugh Boon was my great-grandfather's brother." Seybert said he remembered his mother talking about Hugh Boon winning the award. "So when the name was mentioned in the minutes, an antenna went up," Seybert said. Boon is the seventh and last of the Washington County medal winners to be recognized. Snarey organized the effort to place a monument at the entrance to the cemeteries in Washington County where Medal of Honor winners are buried. Part of the problem in tracking down relatives was the change in the spelling of "Boon," Snarey said. Seybert's relatives, doing genealogical research, learned the "e" had been added to the family name about 1900. Seybert has been on a mission of his own in the last week, trying to find direct descendants of Boon who may live in Iowa. His mother kept in touch with relatives Loftus and Carolyn Fox, who lived Sharon, Iowa, which has a population of about 1,300. "They had Hugh Boon's flag and uniform," Seybert said. "If they have that, I am thinking they might be direct descendants." Seybert said his research determined that Carolyn Fox died in 1994. He has no information on Loftus Fox. Hugh Boon did have a daughter, Mattie, who married J. Wilbert Wallace of the Dunbar and Wallace Lumber Co. in Washington. Seybert said she had at least one child. "But I'd like to find out if Carolyn and Loftus had children," Seybert said. "They may be interested in what's going on Saturday." "This whole thing has set off a real hullabaloo," Seybert said, with a chuckle. A monument honoring Boon will be unveiled in a ceremony at 11 a.m. Saturday at the entrance to Washington Cemetery off Park Avenue in North Franklin Township. Seybert and several other of Boon's descendants will participate in the unveiling.

Removal technique described at end. Hope this helps.....I am Macintosh based, and run Norton Anti Virus every two days for protection... Daniel Boone Bostdorf The info: THE VIRUS KNOWN AS "SNOW WHITE AND THE SEVEN DWARFS" Real name:W95.Hybris.gen Discovered on: September 25, 2000 W95.Hybris is a worm that spreads by email as an attachment to outgoing email messages. The email message or subject may include, but is not limited to: [email protected] Snow White and the Seven dwarves The attachment may have one of several different names, including, but not limited to: anpo porn(.scr atchim.exe branca de neve.scr dunga.scr dwarf4you.exe enano porno.exe joke.exe midgets.scr sexy virgin.scr Also Known As: W32.Hybris.gen, W32.Hybris.22528.dr, W32/[email protected], I-Worm.Hybris Category: Worm Virus Definitions: September 25, 2000 Threat Assessment: Wild:High Damage:Low Distribution: High Wild: Number of infections: 50 - 999 Number of sites: More than 10 Geographical distribution: Medium Threat containment: Moderate Removal: Moderate Distribution: Name of attachment: Random with EXE or SCR file name extension Technical description: When the worm attachment is executed, the Wsock32.dll file is modified or replaced. Once the worm has infected wsock32.dll, it has the abilty to monitor the Internet connection as well as incoming and outgoing email traffic. The worm then scans for email addresses. When an email address is detected whether on an Internet site or in email being sent or received, the worm waits for a period of time and then sends an infected message to the detected address. The worm attempts to connect to the alt.comp.virus newsgroup. If it connects successfully, then the worm uploads its own plug-ins to this newsgroup in an encrypted form. It goes thru the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if the plug-ins are present. If newer versions of the plug-ins are found, the worm downloads them and updates its behavior. One of the plug-ins for W95.Hybris.gen generates a spiral image. Upon execution, the plug-in initially loads OpenGL libraries which are used to draw a large black and white spiral image. It also registers itself as a service; this prevents it from being displayed in the Close Programs dialog box. For additional information on this, see the document W95.Hybris.Plugin. This worm also has a plug-in that infects executable programs. The DOS EXE infection is fairly simple dropping technique. The virus code is appended to the end of the file with a small 16-bit dropper routine. This routine creates a temporary file with an .exe extension in the TEMP folder and executes it. It then deletes the temporary executable. In this way, Wsock32.dll is infected with the actual worm body. The PE executables have a much more complicated file infection process. PE files become infected only if they have a long enough code section. The virus infection plug-in packs the original code area and overwrites it if it will fit in the same place. This complicated antiheuristic infection technique is difficult but possible to repair. If Wsock32.dll is being used by the system, the worm cannot modify it. In this situation, the worm will add a registry entry to one of the following subkeys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce It always alternates between these two keys as the worm spreads from one computer to another. The worm hooks onto the following exports of Wsock32.dll: send() recv() connect() Whenever you send email, the worm sends a second message to the same person, attaching a copy of itself using a randomly generated file name. Removal instructions: To remove the W95.Hybris.gen worm, follow these steps: 1. Run LiveUpdate to ensure that you have the most recent virus definitions. They must be dated September 25, 2000, or later. 2. Start NAV, and perform a full system scan. Make sure that NAV is set to scan all files. When an infected file is detected, do the following: When Wsock32.dll is detected as infected, choose Repair. In most cases, NAV can repair this file. If NAV cannot repair the file, then you will need to replace it from the Windows installation CD. If you need to replace this file, see the instructions in the next section. NOTE: If NAV cannot repair Wsock32.dll when Windows is in normal mode, then try to repair it in Safe Mode. This is particularly true if you are connected to a network; in this case you may see a "sharing violation" message when NAV attempts the repair. To try this, restart the computer in Safe Mode. If this is not successful, then you must extract a new copy as explained in the next section. Delete all other detected files; their contents have been overwritten by the worm. You must restore them from backups or, in the case of application software, reinstall the programs. 3. If you see a rotating spiral on the Windows desktop, you must follow additional steps to remove it. See the section To remove the rotating spiral. To extract a new copy of the Wsock32.dll file: This is necessary only if Wsock32.dll cannot be repaired. You need to use the Extract command at a DOS prompt. Follow these steps to do this, using the instructions for your operating system. NOTES: Have the Windows installation CD available. When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type extract /a d:\win98\precopy1.cab wsock32.dll /L c:\windows\system If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows\System folder. For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605. As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation. 1. Do one of the following: Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt. A DOS window appears. Windows Me users: Click Start, point to Programs, point to Accessories, and click MS-DOS Prompt. A DOS window appears. 2. Type the command that applies to your operating system: If you are using Windows 98, then type the following and press Enter: extract /a x:\win98\precopy1.cab wsock32.dll /L c:\windows\system If you are using Windows 95, then type the following and press Enter: extract /a x:\win95\win95_02.cab wsock32.dll /L c:\windows\system 3. If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter. To remove the rotating spiral: W95.Hybris.Gen uses several different plug-ins. The most common is a large, rotating spiral. If you see this on the Windows desktop, follow the instructions in the document W95.Hybris.Plugin.

Removal technique described at end. Hope this helps Daniel Boone Bostdorf The info: THE VIRUS KNOWN AS "SNOW WHITE AND THE SEVEN DWARFS" Real name:W95.Hybris.gen Discovered on: September 25, 2000 W95.Hybris is a worm that spreads by email as an attachment to outgoing email messages. The email message or subject may include, but is not limited to: [email protected] Snow White and the Seven dwarves The attachment may have one of several different names, including, but not limited to: anpo porn(.scr atchim.exe branca de neve.scr dunga.scr dwarf4you.exe enano porno.exe joke.exe midgets.scr sexy virgin.scr Also Known As: W32.Hybris.gen, W32.Hybris.22528.dr, W32/[email protected], I-Worm.Hybris Category: Worm Virus Definitions: September 25, 2000 Threat Assessment: Wild:High Damage:Low Distribution: High Wild: Number of infections: 50 - 999 Number of sites: More than 10 Geographical distribution: Medium Threat containment: Moderate Removal: Moderate Distribution: Name of attachment: Random with EXE or SCR file name extension Technical description: When the worm attachment is executed, the Wsock32.dll file is modified or replaced. Once the worm has infected wsock32.dll, it has the abilty to monitor the Internet connection as well as incoming and outgoing email traffic. The worm then scans for email addresses. When an email address is detected whether on an Internet site or in email being sent or received, the worm waits for a period of time and then sends an infected message to the detected address. The worm attempts to connect to the alt.comp.virus newsgroup. If it connects successfully, then the worm uploads its own plug-ins to this newsgroup in an encrypted form. It goes thru the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if the plug-ins are present. If newer versions of the plug-ins are found, the worm downloads them and updates its behavior. One of the plug-ins for W95.Hybris.gen generates a spiral image. Upon execution, the plug-in initially loads OpenGL libraries which are used to draw a large black and white spiral image. It also registers itself as a service; this prevents it from being displayed in the Close Programs dialog box. For additional information on this, see the document W95.Hybris.Plugin. This worm also has a plug-in that infects executable programs. The DOS EXE infection is fairly simple dropping technique. The virus code is appended to the end of the file with a small 16-bit dropper routine. This routine creates a temporary file with an .exe extension in the TEMP folder and executes it. It then deletes the temporary executable. In this way, Wsock32.dll is infected with the actual worm body. The PE executables have a much more complicated file infection process. PE files become infected only if they have a long enough code section. The virus infection plug-in packs the original code area and overwrites it if it will fit in the same place. This complicated antiheuristic infection technique is difficult but possible to repair. If Wsock32.dll is being used by the system, the worm cannot modify it. In this situation, the worm will add a registry entry to one of the following subkeys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce It always alternates between these two keys as the worm spreads from one computer to another. The worm hooks onto the following exports of Wsock32.dll: send() recv() connect() Whenever you send email, the worm sends a second message to the same person, attaching a copy of itself using a randomly generated file name. Removal instructions: To remove the W95.Hybris.gen worm, follow these steps: 1. Run LiveUpdate to ensure that you have the most recent virus definitions. They must be dated September 25, 2000, or later. 2. Start NAV, and perform a full system scan. Make sure that NAV is set to scan all files. When an infected file is detected, do the following: When Wsock32.dll is detected as infected, choose Repair. In most cases, NAV can repair this file. If NAV cannot repair the file, then you will need to replace it from the Windows installation CD. If you need to replace this file, see the instructions in the next section. NOTE: If NAV cannot repair Wsock32.dll when Windows is in normal mode, then try to repair it in Safe Mode. This is particularly true if you are connected to a network; in this case you may see a "sharing violation" message when NAV attempts the repair. To try this, restart the computer in Safe Mode. If this is not successful, then you must extract a new copy as explained in the next section. Delete all other detected files; their contents have been overwritten by the worm. You must restore them from backups or, in the case of application software, reinstall the programs. 3. If you see a rotating spiral on the Windows desktop, you must follow additional steps to remove it. See the section To remove the rotating spiral. To extract a new copy of the Wsock32.dll file: This is necessary only if Wsock32.dll cannot be repaired. You need to use the Extract command at a DOS prompt. Follow these steps to do this, using the instructions for your operating system. NOTES: Have the Windows installation CD available. When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type extract /a d:\win98\precopy1.cab wsock32.dll /L c:\windows\system If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows\System folder. For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605. As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation. 1. Do one of the following: Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt. A DOS window appears. Windows Me users: Click Start, point to Programs, point to Accessories, and click MS-DOS Prompt. A DOS window appears. 2. Type the command that applies to your operating system: If you are using Windows 98, then type the following and press Enter: extract /a x:\win98\precopy1.cab wsock32.dll /L c:\windows\system If you are using Windows 95, then type the following and press Enter: extract /a x:\win95\win95_02.cab wsock32.dll /L c:\windows\system 3. If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter. To remove the rotating spiral: W95.Hybris.Gen uses several different plug-ins. The most common is a large, rotating spiral. If you see this on the Windows desktop, follow the instructions in the document W95.Hybris.Plugin.