I got this from a Fox Internet relay on Friday as well. It /seems/ to be unchanged since the first outbreak.

-----Original Message-----
From: owner-crime@/var/spool/majordomo/lists/crime [mailto:owner-crime@/var/spool/majordomo/lists/crime] On Behalf Of Jeffrey_Korte/HR/FCNB/Spgla@private
Sent: Friday, September 28, 2001 12:16 PM
To: crime@private
Subject: W32/Hybris.gen@MM Virus Alert

As an FYI, we successfully intercepted and detained the W32/Hybris.gen@MM virus, which is apparently still alive and well. Below is a read on it. More details can be obtained at: http://vil.nai.com/vil/virusSummary.asp?virus_k=98873

From: Hahaha [hahaha@private]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe

When first executed, this worm tries to infect the WSOCK32.DLL file in the WINDOWS\SYSTEM directory. First it tries to infect the WSOCK32.DLL file directly. If it fails because the file is already in use, then it creates an infected copy of the WSOCK32.DLL in a new file. This new file goes by an extensionless filename made up of 8 random characters. A line is then created in the WININIT.INI file to rename this newly created file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change takes place the next time the system is booted. A registry value under Software\Microsoft\Windows\CurrentVersion\RunOnce\(default) is also created to run the worm at the next bootup, in case the previous attempts to infect WSOCK32.DLL fail.

The modified WSOCK32.DLL file watches all Internet activity and attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to any valid e-mail address sent over the Internet connection, whether part of an e-mail message, web page, or newsgroup posting. AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@MM is sent unknowingly by the infected user.

This Internet worm originally downloaded encrypted update components from an Internet web site, similar to the method first used by W95/Babylonia, but the site hosting the virus was taken down. The original plugins were:
HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT

Currently this virus downloads plugins from alt.comp.virus. The virus contains an internal list of several news servers it can access. It searches the newsgroup for any plugins that it doesn't have, or has older versions of. Since the worm searches all Internet activity for e-mail addresses, people who post to alt.comp.virus using their real e-mail address may get many copies of the worm when Hybris searches alt.comp.virus for new plugins.

When a full moon occurs according to the computer's internal clock, the virus will randomly post its plugins to the alt.comp.virus newsgroup. It uses a mail-to-news gateway at anon.lcs.mit.edu to send plugins with a fake return address of root@private

This Internet worm contains the text: HYBRIS (c) Vecna

http://vil.nai.com/vil/virusSummary.asp?virus_k=98873
(c) 2000 Network Associates. All Rights Reserved.

Jeffrey B. Korte, Information and Physical Security Manager
FirstConsumers National Bank
Voice: 503.520.8398
Fax: 503.520.7941
Pager: 503.921.3105

The information contained in this E-mail message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think you have received this E-mail message in error, please E-mail the sender at jeffrey_korte@private
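The forwarded advisory names three host-side traits a responder can check for: a pending WININIT.INI rename that would overwrite WSOCK32.DLL from an extensionless 8-character file, a RunOnce (default) value pointing at that file, and the fixed set of lure attachment names. The script below is an added triage example written for this archive page; it is not code from the list posters or from Network Associates. The WININIT.INI and .reg texts it inspects are constructed samples (the file name XKQPLRTZ is invented), and the `[rename]` section's `destination=source` layout is assumed from the Windows 9x WININIT.INI format.

```python
"""Offline triage for the Hybris persistence traits described in the advisory.

Checks, on text already collected from a suspect host:
  1. WININIT.INI [rename] entries whose destination is WSOCK32.DLL
     (and whether the source is the 8-character extensionless file the
     advisory describes);
  2. the (default) value under ...\CurrentVersion\RunOnce in a .reg export;
  3. mail attachment names against the lure names quoted in the advisory.
"""
import ntpath

# Constructed sample: what WININIT.INI looks like after the worm queued its
# rename. The first line is an ordinary, benign temp-file cleanup entry.
SAMPLE_WININIT_INI = """[rename]
NUL=C:\\WINDOWS\\TEMP\\~tmp0001.tmp
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\XKQPLRTZ
"""

# Constructed sample: a regedit-style export of the RunOnce key with its
# (default) value set. Backslashes are doubled, as regedit writes them.
SAMPLE_RUNONCE_REG = """[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
@="C:\\\\WINDOWS\\\\SYSTEM\\\\XKQPLRTZ"
"""

# DLLs whose pending replacement via WININIT.INI is worth flagging.
WATCHED_DLLS = {"wsock32.dll"}

# Attachment names quoted in the advisory.
LURE_ATTACHMENTS = {"sexy virgin.scr", "joke.exe", "midgets.scr", "dwarf4you.exe"}


def parse_rename_section(ini_text):
    """Return (destination, source) pairs from the [rename] section.

    Assumed layout: one 'dest=src' line per pending rename; 'NUL' as the
    destination means delete. Section names compare case-insensitively.
    """
    pairs = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def suspicious_renames(ini_text):
    """Flag pending renames whose destination is a watched system DLL.

    Each hit records whether the source file matches the advisory's
    description: an 8-character name with no extension.
    """
    hits = []
    for dest, src in parse_rename_section(ini_text):
        if ntpath.basename(dest).lower() in WATCHED_DLLS:
            src_name = ntpath.basename(src)
            eight_random = len(src_name) == 8 and "." not in src_name
            hits.append({"dest": dest, "src": src,
                         "extensionless_8char": eight_random})
    return hits


def runonce_default_value(reg_text):
    """Return the (default) value under the RunOnce key, or None if unset.

    Only the '@=' line inside the RunOnce key body is considered; doubled
    backslashes from the .reg escaping are collapsed to single ones.
    """
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower().endswith("\\currentversion\\runonce]")
            continue
        if in_key and line.startswith("@="):
            return line[2:].strip('"').replace("\\\\", "\\")
    return None


def is_lure_attachment(filename):
    """True when an attachment name matches one the advisory lists."""
    return filename.lower() in LURE_ATTACHMENTS


if __name__ == "__main__":
    for hit in suspicious_renames(SAMPLE_WININIT_INI):
        print("pending overwrite:", hit)
    print("RunOnce default:", runonce_default_value(SAMPLE_RUNONCE_REG))
    for name in ("Joke.EXE", "report.doc"):
        print(name, "-> lure" if is_lure_attachment(name) else "-> not a lure")
```

A rename hit together with a RunOnce default value pointing at the same 8-character file corroborates the advisory's sequence (failed in-place infection, staged copy, reboot-time replacement); either alone is a lead, not a verdict, since `[rename]` is also used legitimately by installers.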
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:26:46 PDT