[meteorite-list] Virus

From: Rhett Bourland <rbourlan_at_meteoritecentral.com>
Date: Thu Apr 22 09:37:39 2004
Message-ID: <IOEBKAHMGFBDJMOFGDFNKEJFCDAA.rbourlan_at_evansville.net>

I got this forward from a friend and even though this seems to have cleared
itself up I thought you may still like to see it as its been a list topic in
the past.

Rhett Bourland
www.evansville.net/~rbourlan
November 14, 2000, revised December 18, 2000

Hybris (W32.Hybris) is a complex supervirus whose e-mail delivery system is
similar to Happy 99 and whose programming and payload are similar to MTX.
Although this worm has been known since September, reports of Hybris
infections are increasing worldwide. And while the worm currently contains a
relatively harmless payload, Hybris has the capability to upgrade itself via
the Internet and therefore could become dangerous. At least five distinct
variations of Hybris have been reported by anti-virus software companies so
far, with Hybris.D being the most common. Hybris has been upgraded to a 7 on
the ZDNet virus meter.

How It Works
Hybris arrives via e-mail with variable texts, depending on the components
installed. The following characteristics are the most common:

From: Hahaha hahaha_at_sexyfun.net

Subject: Snowhite and the seven Dwarfs - The REAL Story!

Body text: "Today, Snowhite was turning 18. The 7 Dwarfs always where very
educated and polite with Snowhite. When they go out work at mornign (sic),
they promissed (sic) a *huge* surprise. Snowhite was anxious. Suddlently
(sic), the door open, and the Seven Dwarfs enter..."

Attachment: a variable file name ending with .exe or .scr, most commonly
dwarf4you.exe. Other attachments include:


anpo porn.scr
atchim.exe
branca de neve.scr
dunga.scr
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr
A user clicking on the above attachment will load the worm. Hybris scans the
system for e-mail addresses to send itself out over the Internet via e-mail.
Hybris also inflects WSOCK32.DLL, renaming it and redirecting Windows.INI to
point to the new, infected file. Thereafter, Hybris will send itself via
reply mail to whomever sends new e-mails to an infected computer. Hybris is
also savvy enough to establish its own Internet connections for the purpose
of upgrading itself. One method, connecting to a Web site presumably
belonging to the author, has been disabled. A second method, posting to the
usenet newsgroup alt.comp.virus, remains active. Hybris contains up to 32
components, and can execute or upgrade them as needed. At the moment, the
components sent with Hybris are relatively harmless, however, the potential
for new and more dangerous upgrades does exist.
Removal Instructions
Infected users should download the latest anti-virus signature files from
ZDNet's Updates.com. Afterward, users will still need to restore a copy of
WSOCK32.DLL, either from a clean backup or from the original Windows
installation disks.
Received on Sun 31 Dec 2000 07:40:08 AM PST