http://news.cnet.com/news/0-1005-200-3726171.html?tag=st.ne.ni.rnbot.rn.ni
"Low risk" worm could squirm into trouble
By Paul Festa
Staff Writer, CNET News.com
November 16, 2000, 11:35 a.m. PT
URL: http://news.cnet.com/news/0-1005-200-3726171.html
Is it a worm or a chameleon?

Antivirus companies say a worm called Hybris carries no destructive payload
and is relatively harmless. But because it is written so that it can update
itself as it spreads, some caution that it could still prove to be a menace.

The worm comes as an email attachment that, when opened, replaces a file on
the recipient's computer called "WSOCK32.DLL," a dynamic linking library.
DLLs are files that application programmers use to share code among various
Windows applications. Once it has replaced the DLL, Hybris monitors outgoing
email and distributes copies of itself to recipients, randomly generating
the name of the attached payload.

The worm's chameleon-like nature stems from its ability to download
encrypted components from the Internet in a method first introduced by the
W95/Babylonia worm, according to antivirus company McAfee. Babylonia is a
Brazilian virus discovered last year after it was posted to a newsgroup in
the guise of a help file, which also downloaded components from the
Internet.

The Web site where those components originated was quickly shut down,
according to McAfee.

Hybris is updating its components from the "alt.comp.virus" newsgroup, as
well as from a Web site, antivirus company Kaspersky Lab wrote in an alert.

Kaspersky warned that the replacement of certain components could turn
Hybris from harmless to hazardous.

"What we have here is perhaps the most complex and refined malicious code in
the history of virus writing," Eugene Kaspersky, the head of Kaspersky Lab,
said in a statement. "Firstly, it is defined by an extremely complex style
of programming. Secondly, all the plugins are encrypted with very strong RSA
128-bit crypto-algorithm key. Thirdly, the components themselves give the
virus writer the possibility to modify his creation 'in real time,' and in
fact allow him to control infected computers worldwide."

But security experts said that Hybris' technical edge might not guarantee it
any success in the wild.

"A high degree of sophistication does not necessarily make a virus
successful," Elias Levy, analyst at SecurityFocus.com, wrote in an email
interview. "Many dumb viruses have caused more damage than the really
technically interesting articles. There are many factors that determine
whether a worm/virus is successful and we don't know what they all are."

McAfee recommended that people delete unexpected attachments to prevent
further spread of the worm, which it rated "low risk."

According to antivirus firm Trend Micro, which also rated Hybris "low risk,"
the infected message reads: "Today, Snowhite was turning 18. The 7 Dwarfs
always where very educated and polite with Snowhite. When they go out work
at mornign, they promissed a *huge* surprise. Snowhite was anxious.
Suddlently, the door open, and the Seven Dwarfs enter..." (sic)

Kaspersky said reports of Hybris had stepped up since its discovery in
September, particularly in Latin America, and to a lesser extent in Europe
as well.

http://www.datafellows.com/v-descs/hybris.htm

NAME: Hybris
ALIAS: IWorm_Hybris, I-Worm.Hybris


Hybris is an Internet worm that spreads itself as an attachment to email
messages. The worm works under Win32 systems only. The worm contains
components (plugins) in its code that are executed depending on what the worm
needs, and these components can be upgraded from an Internet Web site. The
major worm versions are encrypted with a semi-polymorphic encryption loop.

The worm contains the following encrypted text strings:


 HYBRIS
 (c) Vecna

The main worm's target on computers it tries to infect is the WSOCK32.DLL
library. While infecting this DLL the worm:

- writes itself to the end of the last file section
- hooks the "connect", "recv" and "send" functions
- modifies the DLL entry routine address (the routine that is activated when
  the DLL file is being loaded) and encrypts the original entry routine

If the worm is not able to infect WSOCK32.DLL at its startup (in case it is
in use and locked for writing), the worm creates a copy of this library (a
copy of WSOCK32.DLL with a random name), infects it and writes a "rename"
instruction to the WININIT.INI file. As a result WSOCK32.DLL will be replaced
with the infected one on the next Windows startup.

The worm also creates its copy with random name in Windows system directory
and registers it in RunOnce registry key:


 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  {Default} = %WinSystem%\WormName

or


 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  {Default} = %WinSystem%\WormName

where %WinSystem% is the Windows system directory, and "WormName" is a random
name, for example:


 CCMBOIFM.EXE
 LPHBNGAE.EXE
 LFPCMOIF.EXE

There is only one possible reason to register an additional worm copy in the
"RunOnce" registry key: in case WSOCK32.DLL was not infected on the first worm
run, and its infected copy was not created for some reason, the "RunOnce"
worm copy will complete the task on the next Windows restart.

While active, the worm intercepts the Windows functions that establish a
network connection, including Internet connections. The worm intercepts data
that is sent and received, and scans it for email addresses. When an address
is detected, the worm waits for some time and then sends an infected message
to that address.
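The two persistence paths described above (a "rename" entry in WININIT.INI that swaps the infected copy over WSOCK32.DLL at boot, and a RunOnce value that launches a randomly named copy from the system directory) can both be checked for offline. The following is an added example, not part of the original analysis or of any vendor tool. It parses constructed WININIT.INI text and a constructed dump of RunOnce values; the eight-letter random-name heuristic is an assumption drawn from the sample names listed above (CCMBOIFM.EXE and so on), not a documented rule.

```python
"""Offline check for the two persistence mechanisms described above.

Added example; it is not part of the original analysis. It parses the text of
a WININIT.INI file and a dump of RunOnce values (both constructed here) and
flags what the description calls out: a [rename] line whose destination is
WSOCK32.DLL, and a RunOnce value launching an eight-letter random .EXE from
the system directory. The eight-letter heuristic is an assumption taken from
the sample names listed in the description.
"""
import ntpath
import re

PROTECTED_DLLS = {"wsock32.dll"}
RANDOM_EXE = re.compile(r"^[A-Z]{8}\.EXE$", re.IGNORECASE)

# Constructed WININIT.INI: a normal temp-file deletion followed by the kind of
# entry the worm writes when WSOCK32.DLL was locked at infection time.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS\TEMP\~DF3A1.TMP
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\HGKLPQRS.DLL
"""

# Constructed RunOnce values: one legitimate setup step, one worm-style entry.
SAMPLE_RUNONCE = {
    "Setup": r"C:\WINDOWS\SETUP.EXE /finish",
    "(Default)": r"C:\WINDOWS\SYSTEM\CCMBOIFM.EXE",
}


def parse_wininit_rename(text):
    """Return (destination, source) pairs from the [rename] section.

    Windows 9x processes this section at the next boot, before any DLL is
    loaded, so 'destination=source' moves a file over one that is normally
    locked. 'NUL=path' entries delete a file.
    """
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            entries.append((dest, src))
    return entries


def suspicious_renames(entries, protected=PROTECTED_DLLS):
    """Rename entries that would overwrite a protected system DLL at boot."""
    return [(dest, src) for dest, src in entries
            if ntpath.basename(dest).lower() in protected]


def suspicious_runonce(values, system_dir):
    """RunOnce values that launch a random-looking .EXE from the system directory.

    The command is split on the first space, which is enough for the sample
    values; quoted paths with spaces would need a proper command-line parser.
    """
    wanted = ntpath.normcase(system_dir.rstrip("\\"))
    hits = []
    for value_name, command in values.items():
        exe = command.strip().split(" ")[0].strip('"')
        directory, filename = ntpath.split(exe)
        if ntpath.normcase(directory.rstrip("\\")) == wanted and RANDOM_EXE.match(filename):
            hits.append((value_name, command))
    return hits


if __name__ == "__main__":
    for hit in suspicious_renames(parse_wininit_rename(SAMPLE_WININIT)):
        print("WININIT.INI will replace %s with %s at next boot" % hit)
    for hit in suspicious_runonce(SAMPLE_RUNONCE, r"C:\WINDOWS\SYSTEM"):
        print("RunOnce %s launches %s" % hit)
```

On a live Windows 9x system the same two functions would be fed the contents of `%WINDIR%\WININIT.INI` and the RunOnce values read from the two registry keys quoted above; a rename targeting WSOCK32.DLL from a randomly named source in the same directory is exactly the condition the description says precedes the swap.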

The worm's functionality depends on the plugins that are stored in the worm
body, encrypted with an RSA-like strong crypto algorithm with a 128-bit key.
Up to 32 plugins can be found in different worm versions. These plugins
perform different actions, and they can be updated from a Web page located at
the VietMedia.com website.

The worm's complete functionality is therefore available only on a host that
is able to upgrade plugins from the Web page. The plugins are encrypted with
RSA-like crypto too.

The worm also updates its plugins by using the alt.comp.virus newsgroup.
While active on a machine, the worm connects to a news server (one of a list
of randomly selected servers; there are more than 70 addresses in the list),
converts its plugins to newsgroup messages and posts them there. The worm's
messages have random Subjects, for example:


 encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
 encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
 text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
 text RFRE rebibmTCDOzGbCjSZ

where the first four characters represent the plugin "name" and the following
four characters represent the encoded plugin "version". As well as sending,
the worm reads such messages from alt.comp.virus, gets the plugin "name" and
"version" and compares them with the plugins it is currently using. In case
the newsgroup has a message with a higher plugin version, the worm extracts
it and replaces the existing one.
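A parser for the subject format just described, as an added example that is not part of the original analysis. It takes the four listed subjects plus two constructed ones as input, splits out the kind, the four-character plugin name and the four-character version token, and builds an inventory of which plugin names and version tokens are circulating. It assumes the text after the version token is alphanumeric; the version encoding itself is not documented here, so tokens are compared only for identity, never ordered.

```python
"""Parser for the plugin-update subject format described above.

Added example, not part of the original analysis. Subjects have the shape
'<kind> <NAME> <VERSION+payload>': 'encr' or 'text', a four-character plugin
name, then a token whose first four characters are the encoded version. The
payload alphabet is assumed alphanumeric. Because the version encoding is not
documented, version tokens are compared only for identity, never ordered.
"""
import re
from collections import defaultdict

SUBJECT_RE = re.compile(
    r"^(encr|text)\s+([A-Z]{4})\s+([A-Za-z0-9]{4})([A-Za-z0-9]*)$")

# The four subjects listed in the description, one unrelated newsgroup
# subject, and one constructed second version token for plugin LNLM.
SAMPLE_SUBJECTS = [
    "encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD",
    "encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR",
    "text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH",
    "text RFRE rebibmTCDOzGbCjSZ",
    "Re: new virus question",
    "text LNLM XyZ9constructedSecondVersion",
]


def parse_plugin_subject(subject):
    """Split a subject into kind, plugin name, version token and payload, or None."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    kind, name, version, payload = m.groups()
    return {"kind": kind, "name": name, "version": version, "payload": payload}


def plugin_inventory(subjects):
    """Map each plugin name to the set of version tokens seen for it."""
    seen = defaultdict(set)
    for subject in subjects:
        parsed = parse_plugin_subject(subject)
        if parsed is not None:
            seen[parsed["name"]].add(parsed["version"])
    return dict(seen)


def flag_update_traffic(subjects):
    """Subjects that match the update format; usable as a news or mail filter rule."""
    return [s for s in subjects if parse_plugin_subject(s) is not None]


if __name__ == "__main__":
    for name, versions in sorted(plugin_inventory(SAMPLE_SUBJECTS).items()):
        print(name, sorted(versions))
```

A news-server operator or mail gateway can use `flag_update_traffic` to quarantine posts in this shape, and `plugin_inventory` shows at a glance how many distinct version tokens of each plugin are being advertised, which is the signal that a plugin is being swapped out.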

The worm drops its plugins to disk as files in the Windows system directory.
They also have random names, but the worm is able to access them. The names
may look as follows:


 BIBGAHNH.IBG
 DACMAPKO.ACM
 GAFIBPFM.AFI
 IMALADOL.MAL
 MALADOLI.ALA

There are several different plugins known:

1. Infect all ZIP and RAR archives on all available drives from C: through Z:.
While infecting, the worm renames EXE files in the archive to the .EX$
extension and adds its copy with the .EXE extension to the archive (companion
method of infection).

2. Send messages with encoded plugins to the "alt.comp.virus" newsgroup, and
get new plugins from there.

3. Spread the virus to remote machines that have the SubSeven backdoor trojan
installed. The plugin detects such machines on the net, and by using
SubSeven commands uploads a worm copy to the machine and spawns it there.

4. Encrypt worm copies with a polymorphic encryption loop before sending the
copy attached to email.

5. Affect DOS EXE and Windows PE EXE files. The worm affects them so that
they become worm droppers. When run, they drop the worm's EXE file to the
TEMP directory and execute it.

While affecting a DOS EXE file the plugin adds dropper code and the worm body
to the end of the file. These files can be cured.

While affecting a Windows PE EXE file the plugin overwrites the file's code
section (if it is large enough). The plugin doesn't touch the file header
(including the entry point address), and does not increase the file size.
Moreover, it has an anti-CRC (checksum) routine that fills special data into
the plugin code so that the file CRC stays the same for a few commonly used
CRC algorithms. That means that some integrity checkers will not detect
changes in affected files: the file length and file body CRC stay the same as
for the clean file.

6. Randomly select the Subject, Message text and Attachment name while
sending worm copies with email messages:

From:


  Hahaha <[EMAIL PROTECTED]>

Subjects:


  Snowhite and the Seven Dwarfs - The REAL story!
  Branca de Neve pornô!
  Enanito si, pero con que pedazo!
  Les 7 coquir nains

Message texts:


 C'etait un jour avant son dix huitieme anniversaire. Les 7
 nains, qui avaient aidé 'blanche neige' toutes ces années après
 qu'elle se soit enfuit de chez sa belle mère, lui avaient promis
 une *grosse* surprise. A 5 heures comme toujours, ils sont
 rentrés du travail. Mais cette fois ils avaient un air coquin...


 Today, Snowhite was turning 18. The 7 Dwarfs always where very
 educated and polite with Snowhite. When they go out work at
 mornign, they promissed a *huge* surprise. Snowhite was anxious.
 Suddlently, the door open, and the Seven Dwarfs enter...


 Faltaba apenas un dia para su aniversario de de 18 años. Blanca
 de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos
 le prometieron una *grande* sorpresa para su fiesta de
 compleaños. Al entardecer, llegaron. Tenian un brillo incomun en
 los ojos...


 Faltava apenas um dia para o seu aniversario de 18 anos. Branca
 de Neve estava muito feliz e ansiosa, porque os 7 anões
 prometeram uma *grande* surpresa. As cinco horas, os anõezinhos
 voltaram do trabalho. Mas algo nao estava bem... Os sete
 anõezinhos tinham um estranho brilho no olhar...

Attachment names:


 enano.exe
 enano porno.exe
 blanca de nieve.scr
 enanito fisgon.exe
 sexy virgin.scr
 joke.exe
 midgets.scr
 dwarf4you.exe
 blancheneige.exe
 sexynain.scr
 blanche.scr
 nains.exe
 branca de neve.scr
 atchim.exe
 dunga.scr
 anão pornô.scr

Alternatively (depending on the plugin version), the message Subject is a
random combination of:


 Anna             +  sex
 Raquel Darian       sexy
 Xena                hot
 Xuxa                hottest
 Suzete              cum
 famous              cumshot
 celebrity rape      horny
 leather             ... e.t.c.

Attachment names:


 Anna.exe
 Raquel Darian.exe
 Xena.exe
 Xuxa.exe
 Suzete.exe
 famous.exe
 celebrity rape.exe
 leather.exe
 sex.exe
 sexy.exe
 hot.exe
 hottest.exe
 cum.exe
 cumshot.exe
 horny.exe
 anal.exe
 gay.exe
 oral.exe
 pleasure.exe
 asian.exe
 lesbians.exe
 teens.exe
 virgins.exe
 boys.exe
 girls.exe
 SM.exe
 sado.exe
 cheerleader.exe
 orgy.exe
 black.exe
 blonde.exe
 sodomized.exe
 hardcore.exe
 slut.exe
 doggy.exe
 suck.exe
 messy.exe
 kinky.exe
 fist-f*cking.exe
 amateurs.exe

It is advised to exercise extreme caution when executable attachments
arrive in your inbox, no matter where they come from and how 'trustworthy' a
message looks.
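The advice above, together with the lure lists under plugin 6 and the archive companion trick under plugin 1, translates directly into mail-gateway checks. The following is an added example, not part of the original analysis or of any vendor product. It parses a constructed MIME message and reports a Subject matching one of the listed lure subjects, the "Hahaha" display name in From, attachments with the two executable extensions used in the lists (.exe and .scr), and, inside a ZIP attachment, an .EX$/.EXE pair with the same stem. The sender address and all file contents are constructed; RAR archives are not handled because the standard library has no RAR reader.

```python
"""Mail-gateway checks for the lure messages and the archive companion trick.

Added example, not part of the original analysis. Everything it inspects is
constructed below: a lure Subject from the list, a 'Hahaha' From display name
with a made-up address, a .scr attachment, and a ZIP holding the .EX$/.EXE
companion pair that plugin 1 leaves behind. RAR archives are out of scope.
"""
import io
import ntpath
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTS = {".exe", ".scr"}      # the two extensions in the lists above
KNOWN_SUBJECTS = {                      # lure subjects quoted in the description
    "snowhite and the seven dwarfs - the real story!",
    "branca de neve pornô!",
    "enanito si, pero con que pedazo!",
    "les 7 coquir nains",
}


def companion_pairs(zip_bytes):
    """Return (exe_entry, ex$_entry) pairs sharing a stem inside a ZIP payload."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    by_lower = {n.lower(): n for n in names}
    hits = []
    for lower, original in by_lower.items():
        stem, ext = ntpath.splitext(lower)
        if ext == ".ex$" and stem + ".exe" in by_lower:
            hits.append((by_lower[stem + ".exe"], original))
    return sorted(hits)


def scan_message(raw_bytes):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    subject = str(msg["subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append("known lure subject: %r" % subject)
    if str(msg["from"] or "").lower().startswith("hahaha"):
        findings.append("sender display name 'Hahaha' used by the worm")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = ntpath.splitext(filename)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            findings.append("executable attachment: %r" % filename)
        elif payload[:2] == b"MZ":
            # the extension lies; the content is still a Windows executable
            findings.append("attachment %r carries an MZ header" % filename)
        if ext == ".zip" or payload[:2] == b"PK":
            for exe, shadowed in companion_pairs(payload):
                findings.append("companion pair in %r: %s shadows %s"
                                % (filename, exe, shadowed))
    return findings


def build_sample_message():
    """Constructed message: lure subject, worm-style From, a .scr and a ZIP with a companion pair."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("tools/SETUP.EX$", b"MZ original program (constructed)")
        zf.writestr("tools/SETUP.EXE", b"MZ companion copy (constructed)")
        zf.writestr("README.TXT", b"unrelated file")
    msg = EmailMessage()
    msg["From"] = "Hahaha <hahaha@example.invalid>"   # constructed address
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Snowhite and the Seven Dwarfs - The REAL story!"
    msg.set_content("Today, Snowhite was turning 18.")
    msg.add_attachment(b"MZ constructed screensaver", maintype="application",
                       subtype="octet-stream", filename="blanca de nieve.scr")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample_message()):
        print(line)
```

The extension check alone implements the advice given above; the MZ-header check catches an executable hiding behind another extension, and the companion check catches archives that have already been through an infected machine, where the renamed .EX$ is the user's original program and the .EXE beside it is the worm.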

[Analysis: Eugene Kaspersky, KL; November 2000]

=======================================================================
Patrick Dunford, Christchurch, NZ - http://pdunford.godzone.net.nz/

   Therefore I tell you that no one who is speaking by the Spirit
of God says, "Jesus be cursed," and no one can say, "Jesus is
Lord," except by the Holy Spirit.
    -- 1 Corinthians 12:3
http://www.heartlight.org/cgi-shl/todaysverse.cgi?day=20001203
=======================================================================
Created by Mail2Sig - http://pdunford.godzone.net.nz/software/mail2sig/
