On Mon, Apr 23, 2001 at 07:31:53PM +0300, Stanislav Lechev wrote:
>
> well, it's very simple: if you missed the previous msg you won't know what it is about
>
> and how do the replies bother you ???
������ � ����, �� �� 2 ���� ������� (��������� 1 ���� � 1 �����������) ��
�������� �� 10-15� ���������. ���� ����� �� �� �� ������ ���� �� ����� (�� ��
���� �� ����):
---> cut <---
> ����� ����� ������� �����!
>
> ME:
> Hybris
> ALIAS:
> IWorm_Hybris, I-Worm.Hybris
>
>
> Hybris is an Internet worm that spreads itself as an attachment to email
> messages. The worm works under Win32 systems only. The worm contains
> components (plugins) in its code that are executed depending on what the
> worm needs, and these components can be upgraded from an Internet Web site.
> The major worm versions are encrypted with a semi-polymorphic encryption
> loop.
>
> The worm contains the following encrypted text strings:
>
> HYBRIS
> (c) Vecna
>
> The worm's main target on computers it tries to infect is the WSOCK32.DLL
> library. While infecting this DLL the worm:
>
> - writes itself to the end of the last file section
> - hooks the "connect", "recv" and "send" functions
> - modifies the DLL entry routine address (a routine that is activated when
>   the DLL file is being loaded) and encrypts the original entry routine
>
> If the worm is not able to infect WSOCK32.DLL at its startup (in case it is
> in use and is locked for writing), the worm creates a copy of this library
> (a copy of WSOCK32.DLL with a random name), infects it and writes a "rename"
> instruction to the WININIT.INI file. As a result WSOCK32.DLL will be
> replaced with the infected one on the next Windows startup.
>
> The worm also creates a copy of itself with a random name in the Windows
> system directory and registers it in the RunOnce registry key:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> {Default} = %WinSystem%\WormName
>
> or
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> {Default} = %WinSystem%\WormName
>
> where %WinSystem% is the Windows system directory and "WormName" is a random
> name, for example:
>
> CCMBOIFM.EXE
> LPHBNGAE.EXE
> LFPCMOIF.EXE
>
> There is only one possible reason to register an additional worm copy in the
> "RunOnce" registry key: in case WSOCK32.DLL was not infected on the first
> worm run, and its infected copy was not created for some reason, the
> "RunOnce" worm copy will complete the task on the next Windows restart.
>
> While active, the worm intercepts the Windows functions that establish a
> network connection, including Internet connections. The worm intercepts
> data that is sent and received and scans it for email addresses. When
> address(es) are detected, the worm waits for some time and then sends an
> infected message to that address(es).
>
> The worm's functionality depends on the plugins that are stored in the worm
> body, encrypted with an RSA-like strong crypto algorithm with a 128-bit key.
> Up to 32 plugins can be found in different worm versions. These plugins
> perform different actions; they can be updated from a Web page located at
> the VietMedia.com website.
>
> The complete worm functionality depends only on its host being able to
> upgrade plugins from the Web page. The plugins are encrypted with RSA-like
> crypto too.
>
> The worm also updates its plugins by using the alt.comp.virus newsgroup.
> While active on a machine, the worm connects to a news server (one of
> randomly selected servers; there are more than 70 addresses in the list),
> converts its plugins to newsgroup messages and posts them there. The worm's
> messages have random Subjects, for example:
>
> encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
> encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
> text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
> text RFRE rebibmTCDOzGbCjSZ
>
> where the first four characters represent the plugin "name" and the
> following four characters represent the encoded plugin "version". As well as
> sending, the worm reads such messages from alt.comp.virus, gets the plugin
> "name" and "version" and compares them with the plugins that are currently
> used by the worm. In case the newsgroup has a message with a higher plugin
> version, the worm extracts it and replaces the existing one.
>
> The worm drops its plugins to disk as files in the Windows system directory.
> They also have random names, but the worm is able to access them. The names
> may look as follows:
>
> BIBGAHNH.IBG
> DACMAPKO.ACM
> GAFIBPFM.AFI
> IMALADOL.MAL
> MALADOLI.ALA
>
> There are several different plugins known:
>
> 1. Infect all ZIP and RAR archives on all available drives from C: to Z:.
> While infecting, the worm renames EXE files in the archive to the .EX$
> extension and adds its own copy with the .EXE extension to the archive
> (companion method of infection).
>
> 2. Send messages with encoded plugins to the "alt.comp.virus" newsgroup, and
> get new plugins from there.
>
> 3. Spread the virus to remote machines that have the SubSeven backdoor
> trojan installed. The plugin detects such machines on the net and, by using
> SubSeven commands, uploads a worm copy to the machine and spawns it there.
>
> 4. Encrypt worm copies with a polymorphic encryption loop before sending the
> copy attached to email.
>
> 5. Affect DOS EXE and Windows PE EXE files. The worm affects them so that
> they become worm droppers. When run, they drop the worm's EXE file to the
> TEMP directory and execute it.
>
> While affecting a DOS EXE file the plugin adds dropper code and the worm body
> to the end of the file. These files can be cured.
>
> While affecting a Windows PE EXE file the plugin overwrites the file's code
> section (if it has enough size). The plugin doesn't touch the file header
> (including the entry point address) and does not increase the file size.
> Moreover, it has an anti-CRC (checksum) routine that fills special data into
> the plugin code so that the file CRC becomes the same for a few commonly
> used CRC algorithms. That means that some integrity checkers will not detect
> changes in affected files: the file length and file body CRC stay the same
> as on the clean file.
>
> 6. Randomly select the Subject, Message text and Attachment name while
> sending worm copies with email messages:
>
> From:
>
> Hahaha <[EMAIL PROTECTED]>
>
> Subjects:
>
> Snowhite and the Seven Dwarfs - The REAL story!
> Branca de Neve pornô!
> Enanito si, pero con que pedazo!
> Les 7 coquir nains
>
> Message texts:
>
> C'etait un jour avant son dix huitieme anniversaire. Les 7
> nains, qui avaient aidé 'blanche neige' toutes ces années après
> qu'elle se soit enfuit de chez sa belle mère, lui avaient promis
> une *grosse* surprise. A 5 heures comme toujours, ils sont
> rentrés du travail. Mais cette fois ils avaient un air coquin...
>
> Today, Snowhite was turning 18. The 7 Dwarfs always where very
> educated and polite with Snowhite. When they go out work at
> mornign, they promissed a *huge* surprise. Snowhite was anxious.
> Suddlently, the door open, and the Seven Dwarfs enter...
>
> Faltaba apenas un dia para su aniversario de de 18 años. Blanca
> de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos
> le prometieron una *grande* sorpresa para su fiesta de
> compleaños. Al entardecer, llegaron. Tenian un brillo incomun en
> los ojos...
>
> Faltava apenas um dia para o seu aniversario de 18 anos. Branca
> de Neve estava muito feliz e ansiosa, porque os 7 anões
> prometeram uma *grande* surpresa. As cinco horas, os anõezinhos
> voltaram do trabalho. Mas algo nao estava bem... Os sete
> anõezinhos tinham um estranho brilho no olhar...
>
> Attachment names:
>
> enano.exe
> enano porno.exe
> blanca de nieve.scr
> enanito fisgon.exe
> sexy virgin.scr
> joke.exe
> midgets.scr
> dwarf4you.exe
> blancheneige.exe
> sexynain.scr
> blanche.scr
> nains.exe
> branca de neve.scr
> atchim.exe
> dunga.scr
> anão pornô.scr
>
> As well as (depending on its plugin version) the message Subject is a random
> combination of:
>
> Anna + sex
> Raquel Darian sexy
> Xena hot
> Xuxa hottest
> Suzete cum
> famous cumshot
> celebrity rape horny
> leather ... e.t.c.
>
> Attachment names:
>
> Anna.exe
> Raquel Darian.exe
> Xena.exe
> Xuxa.exe
> Suzete.exe
> famous.exe
> celebrity rape.exe
> leather.exe
> sex.exe
> sexy.exe
> hot.exe
> hottest.exe
> cum.exe
> cumshot.exe
> horny.exe
> anal.exe
> gay.exe
> oral.exe
> pleasure.exe
> asian.exe
> lesbians.exe
> teens.exe
> virgins.exe
> boys.exe
> girls.exe
> SM.exe
> sado.exe
> cheerleader.exe
> orgy.exe
> black.exe
> blonde.exe
> sodomized.exe
> hardcore.exe
> slut.exe
> doggy.exe
> suck.exe
> messy.exe
> kinky.exe
> fist-f*cking.exe
> amateurs.exe
>
> It is advised to exercise extreme caution when executable attachments arrive
> in your inbox, no matter where they come from and how 'trustworthy' a message
> looks.
�� ��� �� ����! ;P
---> cut <---
� ���� ���� �� ���� ���� �� ����� �������? ��� ���� ���� �������� netiquette.
������ �� �� �������� ��� ����� ��������. ���� �� ����� �� ����� �� ��������
200� ���� � 5� ������� ���������� ��� ��� ����� �� �� �� ���� �� ����� Subject
� ����������� �� 3-4 ����... ���� �� �� ���� ������� ������� ��� ��� �� �����
"������������� ����� �� ���������� �������" ��� ���� �������, �� ������ ��� �
_�����������_ �� ���� LUG.
������� �� ���. �� ������ ���� ����� ;-)
--
=- --rw------- =--=--=--=--=--=--=--=--=--=--=--=--=--=
Theodor Milkov Administrator IP Networks
Davidov Electric Ltd. Phone: +359 (2) 730158
PGP: http://www.zimage.delbg.com/zimage.asc
=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
PGP signature
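Added example, not part of the mail above or of the quoted AV description: a small triage routine for the persistence traces the description lists, namely a RunOnce entry whose default value is a random 8-letter .EXE in the Windows system directory, a WININIT.INI "rename" that replaces WSOCK32.DLL at the next boot, and dropped plugin files whose extension repeats characters 2 to 4 of the base name (BIBGAHNH.IBG, DACMAPKO.ACM, GAFIBPFM.AFI and so on, a pattern visible in the listed sample names). These are heuristics derived from the text, not a vendor signature; the registry values, INI content, file listing and the copy name LFPCMOIF.DLL are constructed for the example.

```python
"""Heuristic triage for the Hybris persistence traces described above.
Illustration only: the checks come from the quoted description, the inputs
are constructed, and a hit means "look closer", not "infected"."""
import re
from typing import Dict, List, Tuple

RANDOM_EXE = re.compile(r"^[A-Z]{8}\.EXE$", re.IGNORECASE)
PLUGIN_NAME = re.compile(r"^([A-Z]{8})\.([A-Z]{3})$", re.IGNORECASE)


def suspicious_runonce(values: Dict[str, str], sysdir: str) -> List[str]:
    """RunOnce values whose data is an 8-letter .EXE inside sysdir."""
    hits = []
    sysdir = sysdir.rstrip("\\").lower()
    for name, path in values.items():
        folder, _, file = path.rpartition("\\")
        if folder.lower() == sysdir and RANDOM_EXE.match(file):
            hits.append(f"RunOnce[{name or '(Default)'}] -> {path}")
    return hits


def parse_wininit_renames(ini_text: str) -> List[Tuple[str, str]]:
    """[rename] entries of WININIT.INI as (destination, source) pairs.
    The section format is destination=source; NUL as destination deletes."""
    pairs, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def wsock32_replacements(ini_text: str) -> List[str]:
    """Pending renames that would overwrite WSOCK32.DLL at the next boot."""
    return [f"{src} -> {dest}" for dest, src in parse_wininit_renames(ini_text)
            if dest.lower().endswith("\\wsock32.dll")]


def plugin_like_files(names: List[str]) -> List[str]:
    """8-letter base names whose extension equals base[1:4], the pattern of
    the plugin file names listed in the description."""
    out = []
    for n in names:
        m = PLUGIN_NAME.match(n)
        if m and m.group(2).upper() == m.group(1)[1:4].upper():
            out.append(n)
    return out


def triage(runonce: Dict[str, str], wininit: str, sysdir_listing: List[str],
           sysdir: str = r"C:\WINDOWS\SYSTEM") -> Dict[str, List[str]]:
    """Run all three checks and return the findings per category."""
    return {
        "runonce": suspicious_runonce(runonce, sysdir),
        "wininit": wsock32_replacements(wininit),
        "plugins": plugin_like_files(sysdir_listing),
    }


# Constructed sample inputs (not captured from a real machine).
SAMPLE_RUNONCE = {
    "": r"C:\WINDOWS\SYSTEM\CCMBOIFM.EXE",      # worm-style default value
    "Setup": r"C:\WINDOWS\SETUP\cleanup.exe",    # benign-looking entry
}
SAMPLE_WININIT = """[rename]
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\LFPCMOIF.DLL
NUL=C:\\WINDOWS\\TEMP\\~setup.tmp
"""
SAMPLE_SYSDIR = ["BIBGAHNH.IBG", "DACMAPKO.ACM", "KERNEL32.DLL", "WSOCK32.DLL",
                 "ABCDEFGH.XYZ", "GAFIBPFM.AFI"]

if __name__ == "__main__":
    for category, findings in triage(SAMPLE_RUNONCE, SAMPLE_WININIT,
                                     SAMPLE_SYSDIR).items():
        print(category, findings)
```

On a real Windows 9x box the inputs would come from a registry export of the two RunOnce keys, the contents of %WinDir%\WININIT.INI (which normally does not exist between reboots, so its mere presence is worth a look) and a directory listing of the system directory; the extension-equals-base[1:4] check is the one most likely to produce false positives and is there to prioritise, not to convict.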
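Added illustration, not code from the mail or from the worm, of the point made in the description of plugin 5: an infector that keeps the file length and fills in "special data" can keep the file CRC unchanged, so a CRC-based integrity checker sees nothing. This is not a Hybris trick, it is a property of every CRC: CRC-32 is linear over GF(2), so four free bytes anywhere in a file are enough to steer the checksum to any chosen 32-bit value. The code below does that for zlib's CRC-32 (the same polynomial ZIP and Ethernet use), generalising to a patch placed in the middle of the data rather than at the end, and then shows that a cryptographic hash (SHA-256) still changes. The "code section" buffer, the stub bytes and the offset are constructed for the example.

```python
"""Steer CRC-32 to a chosen value with four patch bytes (illustration of the
anti-CRC idea; all data constructed)."""
import hashlib
import zlib

MASK = 0xFFFFFFFF
POLY = 0xEDB88320  # reflected CRC-32 polynomial (zlib, ZIP, Ethernet)

# Forward table: effect of one byte on a zero register.
CRC_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    CRC_TABLE.append(c)

# Reverse table: the top byte of each table entry is unique (true for any CRC
# whose polynomial has the x^0 term), which makes a CRC step invertible when
# the table index is known.
REV_TABLE = {CRC_TABLE[i] >> 24: i for i in range(256)}
assert len(REV_TABLE) == 256


def _step(reg: int, byte: int) -> int:
    """One zlib-style CRC-32 step on the raw (pre-final-xor) register."""
    return (reg >> 8) ^ CRC_TABLE[(reg ^ byte) & 0xFF]


def _run(reg: int, data: bytes) -> int:
    for b in data:
        reg = _step(reg, b)
    return reg


def _unstep_zero(reg: int) -> int:
    """Invert _step for a zero byte (then the table index is the old low byte)."""
    idx = REV_TABLE[reg >> 24]
    return (((reg ^ CRC_TABLE[idx]) << 8) | idx) & MASK


def _bridge(reg_before: int, reg_after: int) -> bytes:
    """Four bytes that move the register from reg_before to reg_after."""
    # Backwards: after each step the register's top byte equals the top byte
    # of the table entry used, so reg_after forces all four table indices.
    indices = []
    r = reg_after
    for _ in range(4):
        idx = REV_TABLE[r >> 24]
        indices.append(idx)
        r = ((r ^ CRC_TABLE[idx]) << 8) & MASK
    # Forwards: choose each byte so that (reg ^ byte) & 0xFF is that index.
    out = bytearray()
    r = reg_before
    for idx in reversed(indices):
        out.append((r ^ idx) & 0xFF)
        r = _step(r, out[-1])
    return bytes(out)


def forge_crc32(data: bytes, fix_at: int, target_crc: int) -> bytes:
    """Return data with bytes [fix_at, fix_at + 4) rewritten so that
    zlib.crc32(result) == target_crc; length and all other bytes are kept."""
    if fix_at < 0 or fix_at + 4 > len(data):
        raise ValueError("need 4 bytes of slack inside the buffer")
    prefix, suffix = data[:fix_at], data[fix_at + 4:]
    reg_prefix = zlib.crc32(prefix) ^ MASK   # raw register after the prefix
    want_end = target_crc ^ MASK             # raw register wanted at the end
    # Processing the suffix is affine in the register:
    #   run(r, suffix) == run(r, zeros(len(suffix))) ^ run(0, suffix)
    # so strip the data term and invert the zero-run to find the register
    # value required right after the four patch bytes.
    r = want_end ^ _run(0, suffix)
    for _ in range(len(suffix)):
        r = _unstep_zero(r)
    return prefix + _bridge(reg_prefix, r) + suffix


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & MASK


def demo() -> dict:
    """Overwrite a stand-in 'dropper stub' into a constructed code section,
    then fix the 4 bytes right after it so the CRC-32 of the whole buffer is
    unchanged (where the slack sits is an assumption for illustration)."""
    clean = bytes(range(256)) * 4
    stub = b"\xcc" * 40
    offset = 300
    buf = bytearray(clean)
    buf[offset:offset + len(stub)] = stub
    infected = forge_crc32(bytes(buf), offset + len(stub), crc32_of(clean))
    return {
        "same_length": len(infected) == len(clean),
        "same_crc32": crc32_of(infected) == crc32_of(clean),
        "stub_present": infected[offset:offset + len(stub)] == stub,
        "same_sha256": hashlib.sha256(infected).digest()
                       == hashlib.sha256(clean).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

The same construction works for any CRC width with n/8 free bytes, which is why the description's "same for a few commonly used CRC algorithms" is not surprising: the routine only needs a few more slack bytes per algorithm. An integrity checker has to use a collision-resistant hash (or a MAC over the file) for this to stop working.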