TECHNET Archives

December 2000

TechNet@IPC.ORG

Subject:
From: "Stephen R. Gregory" <[log in to unmask]>
Reply To: TechNet E-Mail Forum.
Date: Thu, 28 Dec 2000 14:06:31 EST
Content-Type: text/plain
Parts/Attachments: text/plain (100 lines)

Hey all,

I opened my email today and found I had two emails from someone called 
[log in to unmask] and they both had attachments to them. Being the curious 
sort that I am, I opened one email and saw that it was in Spanish...the 
attachment was in Spanish as well. 

The attachment file name was enano porno.exe. Being the paranoid sort, I 
didn't open the attachment but checked at Symantec's web page and found that 
the attachment was a VERY nasty worm called HYBRIS...

The reason that I'm posting about this is that there could be somebody on the 
list that is infected with HYBRIS and doesn't know it. Like most worms, the 
virus will send emails out to everybody in your address book, and the virus 
has the uncanny ability to change the return email address to something that 
doesn't exist, and also change the way it behaves by updating itself with 
downloads from the internet.

I looked at the email headers on the email that was sent to me, and it 
originated from someone that has jmolina in their email address. I don't know 
if there is a J Molina on this list or not.

There is a web page at http://www.sexyfun.net, and it was created on December 
11, 2000 in response to this virus. There's some good information there...

I've also pasted a write-up about this virus from Kaspersky Labs...this be 
one nasty virus.

-Steve Gregory-

Hybris: The Story Continues...New dangerous versions of the virus have been 
detected "in the wild"

November 13, 2000 – Kaspersky Lab, an international data-security 
software-development company, warns users of the discovery of Hybris, a new 
Internet-worm. Kaspersky Lab has been receiving reports of the discovery of 
this virus "in the wild" worldwide, being particularly active in Latin 
America although infections by this virus have also been found in Europe.

The first version of this Internet worm was discovered by Kaspersky Lab and 
several other anti-virus software developers at the end of September and was 
classified as a low risk malicious program. However, within the last few 
days, the company has been inundated by reports from users whose computers 
have been infected by this virus. At this moment, Kaspersky Lab has 
discovered five versions of Hybris, and it is expected that new variations 
will be found in the near future.

The Internet worm Hybris spreads by attaching itself to infected e-mails and 
works only under MS Windows. When the recipient executes the attached file, 
Hybris infects the host PC. The procedure for infection is typical for this 
type of malicious program and is performed in a similar way to the Happy or 
MTX viruses.

To proliferate, the worm infects the WSOCK32.DLL library and also intercepts 
the Windows function that establishes the network connection; it then scans 
sent and received data for any e-mail addresses, and sends copies of itself 
to these e-mail addresses. Subject, text and name of the attached file are 
chosen randomly, for example:

From: Hahaha [log in to unmask]
Subject: Snowhite and the seven Dwarfs - The REAL Story!
Attachment: dwarf4you.exe

In addition, this worm has some specific features. Hybris contains several 
(up to 32) components (plugins) in its code and executes them depending on 
its needs. The worm’s functionality is mostly defined by the plugins. They 
are stored in the body of the worm and are encrypted by a very strong crypto 
algorithm.

However, the main peculiarity is that Hybris maintains the functionality of 
the plugins: it sends its own components to the anti-virus conference 
"alt.comp.virus" and downloads from there any upgraded or missing plugins. 
The virus components can also be updated by the worm from the author’s Web 
page, via the Internet. So far, plugins found in the known versions of this 
virus and those at the Web site are fairly harmless and do not cause any 
direct damage. But, the fact that they can be updated means that they may be 
given completely different functions, for example, installing a Trojan horse 
backdoor. Although there have previously been some cases when a malicious 
program has been updated from the Internet, this is the first time it has 
occurred on this scale "in the wild."

"What we have here is perhaps the most complex and refined malicious code in 
the history of virus writing," comments Eugene Kaspersky, Head of Company 
Anti-Virus Research Center. "Firstly, it is defined by an extremely complex 
style of programming. Secondly, all the plugins are encrypted with very 
strong RSA 128-bit crypto-algorithm key. Thirdly, the components themselves 
give the virus writer the possibility to modify his creation "in real time," 
and in fact allow him to control infected computers worldwide."


---------------------------------------------------------------------------------
Technet Mail List provided as a free service by IPC using LISTSERV 1.8d
To unsubscribe, send a message to [log in to unmask] with following text in
the BODY (NOT the subject field): SIGNOFF Technet
To temporarily halt delivery of Technet send the following message: SET Technet NOMAIL
Search previous postings at: www.ipc.org > On-Line Resources & Databases > E-mail Archives
Please visit IPC web site (http://www.ipc.org/html/forum.htm) for additional
information, or contact Keach Sasamori at [log in to unmask] or 847-509-9700 ext.5315
---------------------------------------------------------------------------------
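Added example, not part of Steve Gregory's message or of Kaspersky's write-up: a small Python check, written for this archive page, that a mail administrator could run over incoming messages to flag the lure described above (an executable attachment, the quoted "Snowhite and the seven Dwarfs" subject, the "Hahaha" sender name, the dwarf4you.exe / enano porno.exe attachment names) and to pull the host out of the earliest Received header, which is what the poster did by hand when he traced the message back to a jmolina address. The subject, sender name and attachment names come from the post; the sample messages, hostnames, IP addresses and mailbox names are constructed, and the "attachment" is a 64-byte stub with an MZ header, not the worm.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Lure strings quoted in the post above (subject, sender display name,
# attachment names). Everything else in this file is constructed for
# illustration and is not taken from the worm.
HYBRIS_SUBJECTS = {"snowhite and the seven dwarfs - the real story!"}
HYBRIS_SENDER_NAMES = {"hahaha"}
HYBRIS_ATTACHMENT_NAMES = {"dwarf4you.exe", "enano porno.exe"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def originating_hop(msg: EmailMessage):
    """Return the host named in the earliest Received header, or None.

    Each relay prepends its own Received line, so the last one in header
    order is the hop closest to the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    earliest = str(received[-1])
    match = re.search(r"\bfrom\s+(\S+)", earliest)
    return match.group(1) if match else earliest


def scan_message(raw: bytes) -> dict:
    """Parse one raw message and report Hybris-style lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    sender = str(msg["From"] or "").strip()
    findings = []

    if subject.lower() in HYBRIS_SUBJECTS:
        findings.append(f"known lure subject: {subject!r}")
    if any(name in sender.lower() for name in HYBRIS_SENDER_NAMES):
        findings.append(f"known lure sender name: {sender!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        if name.lower() in HYBRIS_ATTACHMENT_NAMES:
            findings.append(f"known lure attachment name: {name!r}")
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"executable attachment by extension: {name!r}")
        # A renamed .exe still starts with the DOS 'MZ' stub, so check the
        # bytes as well as the name.
        if payload[:2] == b"MZ":
            findings.append(f"attachment {name!r} has a PE/MZ header")

    return {
        "subject": subject,
        "from": sender,
        "origin": originating_hop(msg),
        "findings": findings,
        "suspicious": bool(findings),
    }


def build_sample() -> bytes:
    """Constructed message imitating the lure; the attachment is a harmless
    64-byte stub with an MZ header, not the worm."""
    m = EmailMessage()
    # Relays prepend Received lines: the first one here is the last hop,
    # the second is the hop nearest the sender. Hosts/IPs are constructed.
    m["Received"] = ("from mail.example.net (mail.example.net [192.0.2.10]) "
                     "by mx.example.org; Thu, 28 Dec 2000 13:55:00 -0500")
    m["Received"] = ("from dialup-77.example.net ([192.0.2.77]) "
                     "by mail.example.net; Thu, 28 Dec 2000 13:54:00 -0500")
    m["From"] = "Hahaha <hahaha@example.net>"  # address constructed
    m["To"] = "recipient@example.org"
    m["Subject"] = "Snowhite and the seven Dwarfs - The REAL Story!"
    m.set_content("Constructed lure body.")
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                     subtype="octet-stream", filename="dwarf4you.exe")
    return m.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed benign message: plain text, no attachment."""
    m = EmailMessage()
    m["Received"] = ("from pc1.example.com by mx.example.org; "
                     "Thu, 28 Dec 2000 14:00:00 -0500")
    m["From"] = "Colleague <colleague@example.com>"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Re: solder mask question"
    m.set_content("Plain text reply, no attachment.")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_clean_sample()):
        report = scan_message(raw)
        verdict = "SUSPICIOUS" if report["suspicious"] else "clean"
        print(f"{verdict}: subject={report['subject']!r} "
              f"origin={report['origin']}")
        for finding in report["findings"]:
            print("   -", finding)
```

The MZ check matters more than the name list: the write-up says subject, text and attachment name are chosen at random and that the plugins can change the worm's behaviour after the fact, so fixed strings will age quickly, while an executable arriving by mail is a stable signal. The Received chain is the same thing the poster read by hand; the From: line cannot be trusted, since the post notes the worm rewrites it to an address that does not exist.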
