Friday, December 22, 2000
The Hybris Virus Comes in Many Variations
Internet users are warned of the continued discovery of variations of the Internet worm Hybris. Reports of the discovery of this virus "in the wild" world-wide is being continually reported in many different variations, being particularly active in Latin America although infections by this virus have also been found in Europe, Malta included.
The first version of this Internet worm was discovered by Kaspersky Lab and several other anti-virus software developers at the end of September and was classified as a low risk malicious program. However, within the last few days, virus analysts have been inundated by reports from users whose computers have been infected by this virus. At this moment, Kaspersky Lab alone has discovered five versions of Hybris, and it is expected that new variations will be found in the near future.
The Internet worm Hybris spreads by attaching itself to infected e-mails and works only under MS Windows. When the recipient executes the attached file, Hybris infects the host PC. The procedure for infection is typical for this type of malicious program and is performed in a similar way to the Happy or MTX viruses.
To proliferate, the worm infects the WSOCK32.DLL library and also intercepts the Windows function that establishes the network connection; it then scans sent and received data for any e-mail addresses, and sends copies of itself to these e-mail addresses. Subject, text and name of the attached file appearing in English, French, Portuguese, or Spanish -- the language is chosen randomly. An example in English follows:
From: Hahaha hahaha@sexyfun.net
Subject: Snowhite and the seven
Dwarfs - The REAL Story!
Attachment: dwarf4you.exe
In addition, this worm has some specific features. Hybris contains several (up to 32) components (plugins) in its code and executes them depending on its needs. The worm’s functionality is mostly defined by the plugins. They are stored in the body of the worm and are encrypted by a very strong crypto algorithm.
However, the main peculiarity is that Hybris maintains the functionality of the plugins: it sends its own components to the anti-virus conference "alt.comp.virus" and downloads from there any upgraded or missing plugins. The virus components can also be updated by the worm from the author’s Web page, via the Internet. So far, plugins found in the known versions of this virus and those at the Web site are fairly harmless and do not cause any direct damage. But, the fact that they can be updated means that they may be given completely different functions, for example, installing a Trojan horse backdoor. Although there have previously been some cases when a malicious program has been updated from the Internet, this is the first time it has occurred on this scale "in the wild."
The protection procedure against the Internet worm Hybris and its
versions have now been added to the anti-virus databases of most major
virus scanners.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5)THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
