[meteorite-list] Virus
From: Rhett Bourland <rbourlan_at_meteoritecentral.com>
Date: Thu Apr 22 09:37:39 2004
Message-ID: <IOEBKAHMGFBDJMOFGDFNKEJFCDAA.rbourlan_at_evansville.net>

I got this forward from a friend and even though this seems to have cleared itself up I thought you may still like to see it as it's been a list topic in the past.

Rhett Bourland
www.evansville.net/~rbourlan

November 14, 2000, revised December 18, 2000

Hybris (W32.Hybris) is a complex supervirus whose e-mail delivery system is similar to Happy 99 and whose programming and payload are similar to MTX. Although this worm has been known since September, reports of Hybris infections are increasing worldwide. And while the worm currently contains a relatively harmless payload, Hybris has the capability to upgrade itself via the Internet and therefore could become dangerous. At least five distinct variations of Hybris have been reported by anti-virus software companies so far, with Hybris.D being the most common. Hybris has been upgraded to a 7 on the ZDNet virus meter.

How It Works

Hybris arrives via e-mail with variable texts, depending on the components installed. The following characteristics are the most common:

From: Hahaha hahaha_at_sexyfun.net
Subject: Snowhite and the seven Dwarfs - The REAL Story!
Body text: "Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign (sic), they promissed (sic) a *huge* surprise. Snowhite was anxious. Suddlently (sic), the door open, and the Seven Dwarfs enter..."
Attachment: a variable file name ending with .exe or .scr, most commonly dwarf4you.exe.

Other attachments include:
anpo porn.scr
atchim.exe
branca de neve.scr
dunga.scr
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr

A user clicking on the above attachment will load the worm. Hybris scans the system for e-mail addresses to send itself out over the Internet via e-mail. Hybris also infects WSOCK32.DLL, renaming it and redirecting Windows.INI to point to the new, infected file.

Thereafter, Hybris will send itself via reply mail to whoever sends new e-mails to an infected computer. Hybris is also savvy enough to establish its own Internet connections for the purpose of upgrading itself. One method, connecting to a Web site presumably belonging to the author, has been disabled. A second method, posting to the usenet newsgroup alt.comp.virus, remains active. Hybris contains up to 32 components, and can execute or upgrade them as needed. At the moment, the components sent with Hybris are relatively harmless; however, the potential for new and more dangerous upgrades does exist.

Removal Instructions

Infected users should download the latest anti-virus signature files from ZDNet's Updates.com. Afterward, users will still need to restore a copy of WSOCK32.DLL, either from a clean backup or from the original Windows installation disks.

Received on Sun 31 Dec 2000 07:40:08 AM PST
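A mail-gateway check for the delivery characteristics the forwarded alert lists (sender domain, subject line, named attachments, and the .exe/.scr extensions), added here as an example and not part of the list post or the ZDNet alert; the two sample messages are constructed and the function name is my own.

```python
from email import message_from_string

# Indicators taken from the alert text above (W32.Hybris delivery e-mail).
HYBRIS_SENDER_DOMAIN = "sexyfun.net"
HYBRIS_SUBJECT = "snowhite and the seven dwarfs"
HYBRIS_ATTACHMENTS = {
    "dwarf4you.exe", "anpo porn.scr", "atchim.exe", "branca de neve.scr",
    "dunga.scr", "enano porno.exe", "joke.exe", "midgets.scr", "sexy virgin.scr",
}
EXECUTABLE_EXT = (".exe", ".scr")


def hybris_indicators(raw_message: str) -> list[str]:
    """Return the Hybris indicators found in one RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw_message)
    hits = []
    if HYBRIS_SENDER_DOMAIN in (msg.get("From") or "").lower():
        hits.append("sender:" + HYBRIS_SENDER_DOMAIN)
    if HYBRIS_SUBJECT in (msg.get("Subject") or "").lower():
        hits.append("subject")
    for part in msg.walk():  # visits the container and every MIME part
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        if name in HYBRIS_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith(EXECUTABLE_EXT):  # variant with a new file name
            hits.append("executable-attachment:" + name)
    return hits


# Constructed sample: the delivery mail as described, with a dummy attachment body.
SAMPLE_HYBRIS = """From: Hahaha <hahaha@sexyfun.net>
To: victim@example.com
Subject: Snowhite and the seven Dwarfs - The REAL Story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Today, Snowhite was turning 18.
--XYZ
Content-Type: application/octet-stream; name="dwarf4you.exe"
Content-Disposition: attachment; filename="dwarf4you.exe"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed sample: an ordinary plain-text message.
SAMPLE_CLEAN = "From: alice@example.com\nSubject: Meeting notes\n\nSee you at 10.\n"
```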