RE: W32/Hybris.gen@MM Virus Alert

From: Rocky Gregory (rocky@private)
Date: Sat Sep 29 2001 - 12:48:49 PDT


    I got this from a Fox Internet relay on Friday as well.  It /seems/ to be
    unchanged since the first outbreak.
    
    -----Original Message-----
    From: owner-crime@/var/spool/majordomo/lists/crime
    [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of
    Jeffrey_Korte/HR/FCNB/Spgla@private
    Sent: Friday, September 28, 2001 12:16 PM
    To: crime@private
    Subject: W32/Hybris.gen@MM Virus Alert
    
    
    As an FYI, we successfully intercepted and detained the W32/Hybris.gen@MM
    virus, which is apparently still alive and well.  Below is a read on it.
    More details can be obtained at:
    http://vil.nai.com/vil/virusSummary.asp?virus_k=98873
    
    From: Hahaha [hahaha@private]
    Subject: Snowhite and the Seven Dwarfs - The REAL story!
    Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very
    educated and polite with Snowhite. When they go out work at mornign, they
    promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door
    open, and the Seven Dwarfs enter...
    
    Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe
    
    When first executed, this worm tries to infect the WSOCK32.DLL file in the
    WINDOWS\SYSTEM directory. First it tries to infect the WSOCK32.DLL file
    directly. If it fails because the file is already in use, then it creates
    an infected copy of WSOCK32.DLL in a new file. This new file goes by an
    extensionless filename made up of 8 random characters. A line is then
    created in the WININIT.INI file to rename this newly created file to
    WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change
    takes place the next time the system is booted. A registry value under
    Software\Microsoft\Windows\CurrentVersion\RunOnce\(default) is also created
    to run the worm at the next bootup, in case the previous attempts to infect
    WSOCK32.DLL fail.
    
    The modified WSOCK32.DLL file watches all Internet activity and attempts to
    mail a copy of the worm, in the form of a .EXE or .SCR file, to any valid
    e-mail address sent over the Internet connection, whether part of an e-mail
    message, web page, or newsgroup posting. AVERT cautions all users to delete
    unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the
    infected user.
    
    This Internet worm originally downloaded encrypted update components from
    an Internet web site, similar to the method first used by W95/Babylonia,
    but the site hosting the virus was taken down. The original plugins were:
    
    HTTP.DAT
    NEWS.DAT
    ENCR.DAT
    PR0N.DAT
    SPIRALE.DAT
    SUB7.DAT
    DOSEXE.DAT
    AVINET.DAT
    
    Currently this virus downloads plugins from alt.comp.virus. The virus
    contains an internal list of several news servers it can access. It
    searches the newsgroup for any plugins that it doesn't have, or has older
    versions of. Since the worm searches all Internet activity for e-mail
    addresses, people who post to alt.comp.virus using their real e-mail
    address may get many copies of the worm when Hybris searches alt.comp.virus
    for new plugins.
    
    When a full moon occurs according to the computer's internal clock, the
    virus will randomly post its plugins to the alt.comp.virus newsgroup. It
    uses a mail-to-news gateway at anon.lcs.mit.edu to send plugins with a fake
    return address of root@private
    
    This Internet worm contains the text:
    HYBRIS
    (c) Vecna
    
    http://vil.nai.com/vil/virusSummary.asp?virus_k=98873
    
    (c) 2000 Network Associates.  All Rights Reserved.
    
    Jeffrey B. Korte,
    Information and Physical Security Manager
    FirstConsumers National Bank
    Voice: 503.520.8398
    Fax: 503.520.7941
    Pager: 503.921.3105
    
    The information contained in this E-mail message may be privileged,
    confidential and protected from disclosure.  If you are not the intended
    recipient, any dissemination, distribution or copying is strictly
    prohibited.  If you think you have received this E-mail message in error,
    please E-mail the sender at jeffrey_korte@private
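The alert above names three concrete indicators: a WININIT.INI [rename] entry that swaps an extensionless 8-character staging file over WSOCK32.DLL, a RunOnce (default) registry value that reruns the worm at next boot, and the "Snowhite" lure with its four attachment names. The script below is an added example (not part of the alert, the list thread, or NAI's description) that checks offline copies of those artefacts. It assumes the Windows 9x layout the alert describes (C:\WINDOWS\SYSTEM), the standard WININIT.INI "destination=source" rename syntax, a REGEDIT4-style .reg export for the registry check, and that the 8 random characters are alphanumeric; the function names and all sample inputs are constructed for the demonstration.

```python
"""Added example: offline checks for the W32/Hybris indicators in the alert.
Function names, sample INI/REG text and the lure e-mail are all constructed
for this demonstration; they are not artefacts from the original alert."""
import ntpath
import re

WSOCK = "wsock32.dll"
# The alert says "8 random characters"; alphanumeric is an assumption here.
RANDOM8 = re.compile(r"^[A-Za-z0-9]{8}$")
# Hive is not stated in the alert, so the key is matched by suffix (HKLM or HKCU).
RUNONCE_SUFFIX = r"software\microsoft\windows\currentversion\runonce"

LURE_SUBJECT = "snowhite and the seven dwarfs - the real story!"
LURE_ATTACHMENTS = {"sexy virgin.scr", "joke.exe", "midgets.scr", "dwarf4you.exe"}


def parse_ini(text):
    """Minimal INI parser: {section_lowercase: [(key, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def wininit_rename_hits(ini_text):
    """[rename] lines are 'destination=source' (NUL=path means delete).
    Flag any that overwrite WSOCK32.DLL with an extensionless 8-character
    file, i.e. the staging file the alert describes. A rename from a file
    that still carries an extension (e.g. a vendor .NEW file) is not flagged."""
    hits = []
    for dest, src in parse_ini(ini_text).get("rename", []):
        if ntpath.basename(dest).lower() == WSOCK and RANDOM8.match(ntpath.basename(src)):
            hits.append((dest, src))
    return hits


def runonce_default_values(reg_text):
    """Scan a .reg export for the (default) value ('@=') under any
    ...\\CurrentVersion\\RunOnce key and return the unescaped paths."""
    values, in_runonce = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_runonce = line[1:-1].lower().endswith(RUNONCE_SUFFIX)
        elif in_runonce and line.startswith("@="):
            values.append(line[2:].strip().strip('"').replace("\\\\", "\\"))
    return values


def hybris_host_findings(ini_text, reg_text):
    """Combine both host artefacts. A RunOnce default that points at the same
    staging file named in the [rename] entry is the strongest signal."""
    renames = wininit_rename_hits(ini_text)
    runonce = runonce_default_values(reg_text)
    staging = {ntpath.basename(src).lower() for _, src in renames}
    corroborated = [v for v in runonce if ntpath.basename(v).lower() in staging]
    return {"rename": renames, "runonce": runonce, "corroborated": corroborated}


def lure_indicators(sender, subject, attachments):
    """Match the lure as quoted in the alert. Returns the matched indicator
    labels; an empty list means nothing matched. Other .exe/.scr attachments
    are labelled separately, following AVERT's advice on unexpected attachments."""
    found = []
    if sender.strip().lower().startswith("hahaha"):
        found.append("from:hahaha")
    if subject.strip().lower() == LURE_SUBJECT:
        found.append("subject:snowhite")
    for name in attachments:
        low = name.strip().lower()
        if low in LURE_ATTACHMENTS:
            found.append("attachment:" + low)
        elif low.endswith((".exe", ".scr")):
            found.append("executable-attachment:" + low)
    return found


# Constructed sample inputs (not captured from a real infection).
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS\TEMP\~TMP0001.TMP
C:\WINDOWS\SYSTEM\OTHER.DLL=C:\WINDOWS\SYSTEM\ABCDEFGH
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\QZKWTRBV
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="C:\\WINDOWS\\SYSTEM\\QZKWTRBV"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@=""
"""

if __name__ == "__main__":
    print(hybris_host_findings(SAMPLE_WININIT, SAMPLE_REG))
    print(lure_indicators("Hahaha <hahaha@example.invalid>",
                          "Snowhite and the Seven Dwarfs - The REAL story!",
                          ["joke.exe"]))
```

The host check deliberately keys on the combination the alert describes rather than on any WSOCK32.DLL rename: legitimate installers also use WININIT.INI to replace in-use DLLs, but they do so from a file with an extension, not from an extensionless 8-character name that a RunOnce default value also points at.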
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:26:46 PDT