From: C y b e r T e c h @ L i s t s . E x M a c h i n a . n e t
<http://www.cybercafe21.net> & <http://www.cybercafe21.tv>
"Hugues.d" wrote:
>
> Hello
> Who wants it?
> Its name: sexynain.scr
> I suppose it's a virus, without being at all certain.
> It was sent to me on 24/1/2001, to my personal address (not through a
> mailing list), by <[EMAIL PROTECTED]> (Received: from
> nas4-93.wnt.club-internet.fr(213.44.163.93), claiming to be "lifebook")
>
> Here is the text that accompanied it:
> >"C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin... "
>
> In short, it may be nothing more than a porn wallpaper, but I would like to
> be sure.
> Indeed, I have found (on my hard disks) no program able to open it as an
> image.
> The only thing I could find in this file that is "significant" (to me) is:
> Win NT/Current version/Winlogon and GetModuleHandle Kernel32.dll
>
> Who can I send the zipped file (18 KB) to, to make sure?
>
> Hugues.D
> -----------------------------------------------
> Mailto:[EMAIL PROTECTED]
>
> Gifts, benefits and offers that interest you?
> http://www.justforyou.be... what you want is what you get!
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> CCTK is brought to you by Ex Machina <http://www.exmachina.net>
> To unsubscribe <mailto:[EMAIL PROTECTED]>
We talked about it a month ago; it is indeed a virus of the "I love you" kind (it sends itself to the people in your personal Outlook address book and messes with your PC). It is Hybris:
http://www.europe.f-secure.com/v-descs/hybris.shtml
F-Secure Virus Descriptions
NAME: Hybris
ALIAS: IWorm_Hybris, I-Worm.Hybris
Hybris is an Internet worm that spreads itself as an attachment to email messages. The worm works under Win32 systems only. The worm contains components (plugins) in its code that are executed depending on what the worm needs, and these components can be upgraded from an Internet Web site. The major worm versions are encrypted with a semi-polymorphic encryption loop.
The worm contains the following encrypted text
strings:
HYBRIS
(c) Vecna
The worm's main target on the computers it tries to infect is the WSOCK32.DLL library. While infecting this DLL the worm:
- writes itself to the end of the last file section
- hooks the "connect", "recv" and "send" functions
- modifies the DLL entry routine address (the routine that is activated when the DLL file is loaded) and encrypts the original entry routine
If the worm is not able to infect WSOCK32.DLL at its startup (because the DLL is in use and locked for writing), the worm creates a copy of this library (a copy of WSOCK32.DLL with a random name), infects the copy and writes a "rename" instruction to the WININIT.INI file. As a result, WSOCK32.DLL is replaced with the infected copy on the next Windows startup.
The worm also creates a copy of itself with a random name in the Windows system directory and registers it in the RunOnce registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
{Default} = %WinSystem%\WormName
or
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
{Default} = %WinSystem%\WormName
where %WinSystem% is the Windows system directory and "WormName" is a random name, for example:
CCMBOIFM.EXE
LPHBNGAE.EXE
LFPCMOIF.EXE
There is only one possible reason to register an additional worm copy in the "RunOnce" registry key: if WSOCK32.DLL was not infected on the first worm run, and its infected copy was not created for some reason, the "RunOnce" worm copy completes the task on the next Windows restart.
While active, the worm intercepts the Windows functions that establish network connections, including Internet connections. The worm intercepts the data that is sent and received and scans it for email addresses. When an address is detected, the worm waits for some time and then sends an infected message to that address.
The worm's functionality depends on the plugins that are stored in the worm body, encrypted with an RSA-like strong crypto algorithm with a 128-bit key. Up to 32 plugins can be found in different worm versions. These plugins perform different actions, and they can be updated from a Web page located at the VietMedia.com website.
The complete worm functionality depends only on its host being able to upgrade plugins from the Web page. The plugins are encrypted with an RSA-like crypto too.
The worm also updates its plugins by using the alt.comp.virus newsgroup. When active on a machine, the worm connects to a news server (one of a list of randomly selected servers; there are more than 70 addresses in the list), converts its plugins to newsgroup messages and posts them there. The worm's messages have random Subjects, for example:
encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
text RFRE rebibmTCDOzGbCjSZ
where the first four characters represent the plugin "name" and the following four characters represent the encoded plugin "version". As well as sending, the worm reads such messages from alt.comp.virus, gets the plugin "name" and "version" and compares them with the plugins it currently uses. If the newsgroup has a message with a higher plugin version, the worm extracts it and replaces the existing one.
The worm drops its plugins to disk as files in the Windows system directory. They also have random names, but the worm is able to access them. The names may look as follows:
BIBGAHNH.IBG
DACMAPKO.ACM
GAFIBPFM.AFI
IMALADOL.MAL
MALADOLI.ALA
Several different plugins are known:
1. Infects all ZIP and RAR archives on all available drives from C: to Z:. While infecting, the worm renames the EXE files in the archive to the .EX$ extension and adds its own copy with the .EXE extension to the archive (companion method of infection).
2. Sends messages with encoded plugins to the "alt.comp.virus" newsgroup and gets new plugins from there.
3. Spreads the virus to remote machines that have the SubSeven backdoor trojan installed. The plugin detects such machines on the net and, by using SubSeven commands, uploads a worm copy to the machine and spawns it there.
4. Encrypts worm copies with a polymorphic encryption loop before sending the copy attached to email.
5. Affects DOS EXE and Windows PE EXE files. The worm affects them so that they become worm droppers. When run, they drop the worm's EXE file to the TEMP directory and execute it.
While affecting a DOS EXE file the plugin adds dropper code and the worm body to the end of the file. These files can be cured.
While affecting a Windows PE EXE file the plugin overwrites the file's code section (if it is large enough). The plugin doesn't touch the file header (including the entry point address) and does not increase the file size. Moreover, it has an anti-CRC (checksum) routine that fills special data into the plugin code so that the file CRC stays the same for a few commonly used CRC algorithms. That means that some integrity checkers will not detect changes in affected files: the file length and the file body CRC stay the same as for the clean file.
6. Depending on the system date and time (on September 16 and 24, and at minute 59 of each hour starting from 2001, in known plugins) the "spirale" effect is run. It looks like this: [screenshot of the "spirale" effect not reproduced]
7. Randomly selects the Subject, message text and attachment name when sending worm copies by email:
From:
Hahaha <[EMAIL PROTECTED]>
Subjects:
Snowhite and the Seven Dwarfs - The REAL story!
Branca de Neve pornô!
Enanito si, pero con que pedazo!
Les 7 coquir nains
Message texts:
C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Faltaba apenas un dia para su aniversario de de 18 años. Blanca de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande* sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...
Faltava apenas um dia para o seu aniversario de 18 anos. Branca de Neve estava muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa. As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...
Attachment names:
enano.exe
enano porno.exe
blanca de nieve.scr
enanito fisgon.exe
sexy virgin.scr
joke.exe
midgets.scr
dwarf4you.exe
blancheneige.exe
sexynain.scr
blanche.scr
nains.exe
branca de neve.scr
atchim.exe
dunga.scr
anão pornô.scr
As well as that (depending on its plugin version), the message Subject can be a random combination of:
Anna + sex
Raquel Darian sexy
Xena hot
Xuxa hottest
Suzete cum
famous cumshot
celebrity rape horny
leather ... etc.
Attachment names:
Anna.exe
Raquel Darian.exe
Xena.exe
Xuxa.exe
Suzete.exe
famous.exe
celebrity rape.exe
leather.exe
sex.exe
sexy.exe
hot.exe
hottest.exe
cum.exe
cumshot.exe
horny.exe
anal.exe
gay.exe
oral.exe
pleasure.exe
asian.exe
lesbians.exe
teens.exe
virgins.exe
boys.exe
girls.exe
SM.exe
sado.exe
cheerleader.exe
orgy.exe
black.exe
blonde.exe
sodomized.exe
hardcore.exe
slut.exe
doggy.exe
suck.exe
messy.exe
kinky.exe
fist-f*cking.exe
amateurs.exe
The worm can also send itself with a random 8-letter name, for example UKSJHHKW.EXE.
In some cases the worm can send itself attached to an empty message. We also have reports that it can use the recipient's mail server directly.
It is advised to exercise extreme caution when executable attachments arrive in your inbox, no matter where they come from and how 'trustworthy' a message looks.
Hybris can be successfully disinfected with a fresh version of FSAV and the latest updates for it.
http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml
Note that Hybris file(s) might be locked while Windows is active, and older versions of FSAV for Windows might not be able to remove them. In this case you can exit to DOS and remove the Hybris file(s) manually.
You can also use the free version of F-Prot for DOS to remove Hybris from an infected system. Disinfection must be performed from pure DOS.
ftp://ftp.europe.F-Secure.com/anti-virus/free/
ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/
Note: As Hybris has a plugin that infects EXE files, it is advised to disinfect all infected files first and then to remove all locked Hybris components manually.
[Eugene Kaspersky, KL; Alexey Podrezov, F-Secure Corp.; Nov 2000 - Jan 2001]
--
Jean-Michel Reghem
Voice Technology Development Engineer
E-Mail : mailto:[EMAIL PROTECTED]
Babel Technologies S.A.
Boulevard Dolez 33 B-7000 Mons (Belgium)
Tel: (+32) 65.37.42.75 Fax: (+32) 65.37.42.76
http://www.babeltech.com
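The question that opened this thread ("is sexynain.scr a virus?") is exactly what a mail-gateway rule can answer from the indicators in the F-Secure description: the "Hahaha" sender, the four dwarf subjects, the fixed attachment names, the random 8-letter .EXE names, and the .EX$/.EXE companion pairs the archive plugin leaves inside ZIP files. The script below is an added example written for this page, not code from the list, from F-Secure or from the worm; the indicator sets are copied from the description above, the test messages and addresses (example.invalid) are constructed, and only ZIP archives are inspected because Python's standard library has no RAR reader.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the F-Secure description (plugin 7 lists); compared lowercase.
HYBRIS_SUBJECTS = {
    "snowhite and the seven dwarfs - the real story!",
    "branca de neve pornô!",
    "enanito si, pero con que pedazo!",
    "les 7 coquir nains",
}
HYBRIS_ATTACHMENTS = {
    "enano.exe", "enano porno.exe", "blanca de nieve.scr", "enanito fisgon.exe",
    "sexy virgin.scr", "joke.exe", "midgets.scr", "dwarf4you.exe",
    "blancheneige.exe", "sexynain.scr", "blanche.scr", "nains.exe",
    "branca de neve.scr", "atchim.exe", "dunga.scr", "anão pornô.scr",
}
# The worm also mails itself under a random 8-letter name such as UKSJHHKW.EXE.
RANDOM_NAME = re.compile(r"^[A-Z]{8}\.EXE$")


def companion_pairs(names):
    """Return (worm.EXE, original.EX$) pairs: the companion pattern the archive
    plugin leaves behind (real program renamed to .EX$, worm copy with the same stem)."""
    by_lower = {n.lower(): n for n in names}
    pairs = []
    for low, original in by_lower.items():
        if low.endswith(".ex$") and low[:-4] + ".exe" in by_lower:
            pairs.append((by_lower[low[:-4] + ".exe"], original))
    return sorted(pairs)


def triage_message(raw):
    """Parse one raw RFC 822 message and return a list of (indicator, detail) findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    if subject.lower() in HYBRIS_SUBJECTS:
        findings.append(("subject", subject))
    sender = str(msg.get("From", ""))
    if sender.lower().startswith("hahaha"):
        findings.append(("from", sender))
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        low = name.lower()
        if low in HYBRIS_ATTACHMENTS:
            findings.append(("known-attachment", name))
        elif RANDOM_NAME.match(name):
            findings.append(("random-name-attachment", name))
        elif low.endswith((".exe", ".scr")):
            findings.append(("executable-attachment", name))
        if low.endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for worm, victim in companion_pairs(zf.namelist()):
                    findings.append(("zip-companion", f"{worm} shadows {victim}"))
    return findings


def _sample(subject, sender, filename, payload):
    # Constructed test messages; the addresses are placeholders, not real ones.
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def _sample_zip():
    # Constructed archive showing the companion pattern: SETUP.EXE renamed to
    # SETUP.EX$ and a worm copy taking its name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SETUP.EX$", b"MZ original program")
        zf.writestr("SETUP.EXE", b"MZ worm copy")
    return buf.getvalue()


SAMPLE_HYBRIS = _sample("Les 7 coquir nains", "Hahaha <hahaha@example.invalid>",
                        "sexynain.scr", b"MZ...")
SAMPLE_RANDOM = _sample("hi", "Hahaha <hahaha@example.invalid>", "UKSJHHKW.EXE", b"MZ...")
SAMPLE_ZIP = _sample("archive", "colleague@example.invalid", "tools.zip", _sample_zip())
SAMPLE_CLEAN = _sample("Meeting notes", "colleague@example.invalid", "notes.txt", b"agenda")

if __name__ == "__main__":
    for label, raw in [("hybris", SAMPLE_HYBRIS), ("random", SAMPLE_RANDOM),
                       ("zip", SAMPLE_ZIP), ("clean", SAMPLE_CLEAN)]:
        print(label, triage_message(raw))
```

The name and subject lists only catch the plugin version documented here; the description itself says later plugins randomise subjects from a different word list and can mail an empty message, so the "executable-attachment" and "zip-companion" findings are the ones that survive a plugin update.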
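Plugin 5 above makes a point worth seeing in working code: the PE infector overwrites the code section in place and then "fills special data" so that the file's CRC is unchanged, which is why a CRC-based integrity checker keeps reporting the file as clean. The block below is an added example for this page (not F-Secure's or the worm's code) that does the same to a constructed byte string: it overwrites 16 bytes, then solves a 4-byte "fixup slot" so the CRC-32 (the zlib/PKZIP variant) of the modified data equals the original, and shows that SHA-256 still changes. Where the slot sits is my assumption; the description does not say where Hybris placed its fixup, and it claims to handle "a few" CRC variants rather than just this one.

```python
import hashlib
import zlib

# Reflected CRC-32 (the zlib/PKZIP variant). The table is rebuilt here so the
# per-byte step can be run backwards as well as forwards.
POLY = 0xEDB88320
TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)
# The top byte of the table entries is a permutation of 0..255; that is what
# makes one CRC step invertible.
BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(BY_TOP_BYTE) == 256


def _step(reg, byte):
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)


def _unstep(reg):
    """Inverse of _step(reg, 0): recover the previous register value."""
    i = BY_TOP_BYTE[reg >> 24]
    return (((reg ^ TABLE[i]) << 8) & 0xFFFFFFFF) | i


def _run(reg, data):
    for b in data:
        reg = _step(reg, b)
    return reg


def crc32(data):
    return _run(0xFFFFFFFF, data) ^ 0xFFFFFFFF


def forge_crc32(data, slot, target):
    """Rewrite the 4 bytes at offset `slot` so that crc32(result) == target.

    CRC-32 is linear over GF(2): running the register through the suffix from
    state r gives f^m(r) XOR (suffix run from state 0), and feeding 4 bytes X
    into state r equals applying f^4 to (r XOR X) with X read little-endian.
    So the slot value is found by undoing len(suffix)+4 steps from the wanted
    final state and XORing with the register state reached at the slot.
    """
    prefix, suffix = data[:slot], data[slot + 4:]
    reg_at_slot = _run(0xFFFFFFFF, prefix)
    suffix_from_zero = _run(0, suffix)
    reg = (target ^ 0xFFFFFFFF) ^ suffix_from_zero
    for _ in range(len(suffix) + 4):
        reg = _unstep(reg)
    patch = (reg ^ reg_at_slot).to_bytes(4, "little")
    return prefix + patch + suffix


def demo():
    """Overwrite 16 bytes of a constructed 'code section' in place, then use a
    4-byte slot just after it to restore the original CRC-32."""
    clean = bytes(range(256)) * 4           # constructed stand-in for a PE code section
    tampered = bytearray(clean)
    tampered[0x100:0x110] = b"\xCC" * 16   # same-length in-place overwrite, as plugin 5 does
    fixed = forge_crc32(bytes(tampered), 0x110, crc32(clean))
    return {
        "same_length": len(fixed) == len(clean),
        "same_crc32": zlib.crc32(fixed) == zlib.crc32(clean),
        "same_sha256": hashlib.sha256(fixed).digest() == hashlib.sha256(clean).digest(),
    }


if __name__ == "__main__":
    print(demo())   # {'same_length': True, 'same_crc32': True, 'same_sha256': False}
```

The takeaway for anyone running an integrity checker: a CRC, whatever its width, is a linear error-detecting code, and an attacker who controls even four bytes of the file can make it say whatever they want; only a cryptographic hash (or a MAC/signature, if the attacker can also rewrite the stored hashes) detects the tampering.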