Virus
Characteristics
This worm arrives as an e-mail message which may contain the following (the misspellings in the subject and body are in the worm's own text, and are useful for recognising it):
From: Hahaha [[EMAIL PROTECTED]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: one of sexy virgin.scr, joke.exe, midgets.scr or dwarf4you.exe
When first executed, the worm tries to infect WSOCK32.DLL (the Winsock
library) in the WINDOWS\SYSTEM directory. It first tries to infect the file
in place. If that fails because the file is in use, it writes an infected
copy of WSOCK32.DLL to a new file whose name is 8 random characters with no
extension, then adds a line to the [rename] section of WININIT.INI that
renames the new file to WSOCK32.DLL, overwriting the original. WININIT.EXE
carries out the rename early in the next boot, before the DLL is in use. A
registry value under Software\Microsoft\Windows\CurrentVersion\RunOnce\(default)
is also created to run the worm again at the next bootup, in case the
previous attempts to infect WSOCK32.DLL failed.
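The two persistence artifacts just described (a pending [rename] entry in WININIT.INI pointing at an extensionless 8-character file, and a populated RunOnce default value) can be checked for offline from a copy of the files and the registry export. The following is an added example and is not code from the AVERT writeup or from the worm: it parses a constructed WININIT.INI and a constructed RunOnce value set and flags that pattern. The sample contents, the dropped-file name AHJXKQPZ and the "eight alphanumeric characters" heuristic are assumptions made for the illustration.

```python
"""Added example: flag the WININIT.INI [rename] and RunOnce (default)
persistence pattern described for W32/Hybris. All sample data below is
constructed for illustration; the file name AHJXKQPZ is hypothetical."""
import re
from typing import Dict, List, Tuple

# Constructed WININIT.INI contents. Under [rename], each line reads
# destination=source; WININIT.EXE performs the rename at boot, and a
# destination of NUL deletes the source. The second entry is the Hybris
# pattern: an extensionless 8-character file replacing WSOCK32.DLL.
SAMPLE_WININIT_INI = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP.TMP
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\AHJXKQPZ
"""

# Constructed RunOnce value set, as value name -> command. The worm writes
# the (default) value, which is represented here by the empty-string name.
SAMPLE_RUNONCE = {
    "": r"C:\WINDOWS\SYSTEM\AHJXKQPZ",
    "Setup": r"C:\WINDOWS\TEMP\SETUP.EXE /finish",
}

# Assumed shape of the dropped file name: 8 alphanumerics, no extension.
RANDOM_8CHAR = re.compile(r"^[A-Za-z0-9]{8}$")


def basename(path: str) -> str:
    """Last component of a Windows or POSIX style path."""
    return re.split(r"[\\/]", path)[-1]


def parse_rename_section(ini_text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section."""
    entries: List[Tuple[str, str]] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def suspicious_wsock32_renames(ini_text: str) -> List[str]:
    """Sources of pending renames that would overwrite WSOCK32.DLL with an
    extensionless 8-character file, i.e. the pattern described above."""
    hits: List[str] = []
    for dest, src in parse_rename_section(ini_text):
        if basename(dest).lower() == "wsock32.dll" and RANDOM_8CHAR.match(basename(src)):
            hits.append(src)
    return hits


def suspicious_runonce(values: Dict[str, str]) -> List[str]:
    """Command stored in the RunOnce (default) value, if any. Named values
    are the norm for RunOnce, so a populated default value deserves a look."""
    cmd = values.get("", "").strip()
    return [cmd] if cmd else []


if __name__ == "__main__":
    for src in suspicious_wsock32_renames(SAMPLE_WININIT_INI):
        print("pending WSOCK32.DLL replacement from", src)
    for cmd in suspicious_runonce(SAMPLE_RUNONCE):
        print("RunOnce (default) would run", cmd)
```

On a live Windows 9x system the same checks would be run against C:\WINDOWS\WININIT.INI before the next reboot and against an export of the RunOnce key; the rename entry only exists between infection and the next boot, so its absence does not clear the machine.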
Because WSOCK32.DLL is the Winsock library, the modified copy sees all of
the system's Internet traffic. It watches that traffic and attempts to mail
a copy of the worm, as a .EXE or .SCR file, to any valid e-mail address it
sees pass over the connection, whether in an e-mail message, a web page, or
a newsgroup posting. AVERT cautions all users to delete unexpected
attachments. W32/Hybris.gen@M is sent without the infected user's knowledge.
This Internet worm originally downloaded encrypted update components
(plugins) from a web site, similar to the method first used by
W95/Babylonia, but the site hosting them was taken down. The original
plugins were:
HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT
Currently this virus downloads plugins from the alt.comp.virus newsgroup.
The virus contains an internal list of several news servers it can access.
It searches the newsgroup for any plugins it does not have, or has only
older versions of. Because the worm also harvests e-mail addresses from all
Internet activity, people who post to alt.comp.virus using their real
e-mail address may receive many copies of the worm when Hybris searches
alt.comp.virus for new plugins.
When the computer's internal clock indicates a full moon, the virus
randomly posts its plugins to the alt.comp.virus newsgroup. It uses a
mail-to-news gateway at anon.lcs.mit.edu to send the plugins with a fake
return address of [EMAIL PROTECTED]
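The posting behaviour above is a date-triggered payload, which matters when analysing the worm: in a sandbox the clock has to be set to a qualifying day before the plugin posts will be observed. The page does not give the worm's own lunar computation, so the following added example (not code from the writeup or from the worm) uses a common approximation, the mean synodic month measured from a reference new moon, and treats any time within a day of the full-moon instant as "full moon". The reference epoch, the one-day window and the helper names are assumptions for the illustration.

```python
"""Added example: an approximate full-moon trigger check, of the kind the
worm's plugin-posting behaviour depends on. The reference new moon, mean
synodic month and one-day window are assumptions; the worm's own
computation is not given on the page."""
from datetime import datetime, timedelta, timezone
from typing import List, Union

# Commonly used reference new moon (assumed here) and mean synodic month.
REFERENCE_NEW_MOON = datetime(2000, 1, 6, 18, 14, tzinfo=timezone.utc)
SYNODIC_MONTH_DAYS = 29.530588853

TimeLike = Union[datetime, str]


def _as_utc(when: TimeLike) -> datetime:
    """Accept a datetime or ISO-8601 string; treat naive values as UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when


def lunar_phase(when: TimeLike) -> float:
    """Fraction of the synodic cycle elapsed: 0.0 = new moon, 0.5 = full moon."""
    elapsed_days = (_as_utc(when) - REFERENCE_NEW_MOON).total_seconds() / 86400.0
    return (elapsed_days / SYNODIC_MONTH_DAYS) % 1.0


def is_full_moon(when: TimeLike, window_days: float = 1.0) -> bool:
    """True when `when` lies within `window_days` of the full-moon instant."""
    distance_in_cycles = abs(lunar_phase(when) - 0.5)
    return distance_in_cycles <= window_days / SYNODIC_MONTH_DAYS


def full_moon_days(start: TimeLike, days: int) -> List[str]:
    """ISO dates in [start, start + days) on which the trigger fires when
    evaluated at 12:00 UTC; handy for choosing a sandbox clock setting."""
    first = _as_utc(start).replace(hour=12, minute=0, second=0, microsecond=0)
    return [
        (first + timedelta(days=i)).date().isoformat()
        for i in range(days)
        if is_full_moon(first + timedelta(days=i))
    ]


if __name__ == "__main__":
    print("phase now:", round(lunar_phase(datetime.now(timezone.utc)), 3))
    print("trigger days in Jan 2000:", full_moon_days("2000-01-01", 31))
```

The approximation drifts by a few hours against real full-moon times, which is why the window is a whole day rather than an exact match; a trigger that compared the exact instant would almost never fire on a machine whose clock is only checked periodically.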
This Internet worm contains the text:
HYBRIS
(c) Vecna