Hello from Silicon Valley,

Sorry for the wide distribution but there is a very real virus going
around. I got this info from someone whose job it is to either validate
or debunk viruses:

Dano


>  
>  Hybris (Also known as Win32.Hybris)
>  Win32.Hybris is an e-mail worm which modifies WSOCK32.DLL to intercept
>  outgoing messages in a manner similar to Happy99 (which is
>  also known as SKA). 
>  However, what differentiates Hybris is its ability to update itself and
>  extend its functionality using "plugins". This means that what began as a
>  simple e-mail worm can mutate, complete with new methods of spreading and
>  avoiding detection. 
>  The body of Hybris contains the basic functions required for infecting
>  systems and propagating through e-mail. When the worm is run, it
>  immediately attempts to modify WSOCK32.DLL in the Windows System
>  directory. If the file is in use, it will create a modified copy and
>  modify WININIT.INI so the infected copy will replace the original the
>  next time Windows is started.
>  The temporary copy of WSOCK32.DLL is given a random filename consisting
>  of 8 capital letters from A to P, for example "AFFJOPPF". 
>  The modified WSOCK32.DLL intercepts connections made and data sent and
>  received by the host. It searches the information looking for e-mail
>  addresses. After some time, and after checking that there is an active
>  Internet connection, the worm will send its own e-mail message to the
>  addresses it collects. The message will include a copy of the worm as an
>  attachment. 
>  The "From" and "Subject" fields, along with the message body and name of
>  the attachment are almost infinitely variable, as they are derived from
>  one of the plugins, called "text". The earlier versions of this plugin
>  would set the subject to: 
>       "Snowhite and the Seven Dwarfs - The REAL story!"
>  The body would be set to: 
>       "Today, Snowhite was turning 18. The 7 Dwarfs always where very
>  educated and polite with Snowhite. When they go out work at mornign, they
>  promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door
>  open, and the Seven Dwarfs enter..."
>  The filename was randomly chosen from the following list: 
>       "sexy virgin.scr"
>       "joke.exe"
>       "midgets.scr"
>       "dwarf4you.exe"
>  There is also a "text" plugin which has a similar message and similar
>  filenames, except they are also in French, Spanish or Portuguese
>  depending on the language of the host system. Another known "text"
>  plugin will generate the subject and body randomly from a list of words
>  such as "sex", "horny", "pleasure", etc. 
>  The other most common plugins include one that downloads new plugins from
>  a web site, and one which can send and receive plugins from the
>  alt.comp.virus newsgroup. This enables the worm to automatically keep
>  up-to-date with the latest available plugins. The plugins are retrieved
>  and stored in encrypted form and decrypted when needed. The worm supports
>  up to 32 different plugins. 
>  One of the Hybris plugins, called "avip", will block access to particular
>  web sites related to anti-virus organizations, based on their IP
>  addresses. For example, infected machines will not be able to connect to: 
>       www.vet.com.au
>       www.nai.com
>       www.sophos.com
>       www.pandasoftware.com
>       www.kasperksy.com
>       www.wildlist.org
>       www.symantec.com
>       www.irisav.com
>       www.antivirus.com
>  Please note that this is not a complete list. Also, due to the way the
>  plugin checks IP addresses, it may also block access to other web sites
>  which are not anti-virus related. 
>  Another plugin worth noting is the "spiral" plugin which displays, on the
>  screen, an animated spiral graphic image. The image covers much of the
>  desktop and is next to impossible to close, due to the way it hides its
>  process. If the date is the 16th or the 24th of September of any year, or
>  it is the 59th minute of any hour in the year 2001, the plugin drops a
>  file in the Windows System directory and adds this filename to the "run="
>  line in WIN.INI. The filename is generated randomly, but will always be 8
>  letters followed by the extension ".EXE". Once this executable is
>  installed, it will display the spiral every time the machine is restarted. 
>  There are also plugins available that encrypt the worm with a polymorphic
>  encryption loop, infect DOS and Windows EXE files, and add the worm to
>  any .ZIP and .RAR files on the hard disk. The plugin that infects Windows
>  EXE files sometimes corrupts the files; the infected programs will often
>  crash and are not cleanable. 
>  Cleaning: 
>  For VET and InoculateIT Personal Edition customers
>  The latest virus engine with the latest virus signature files installed
>  will clean WSOCK32.DLL and any other files infected with the Win32.Hybris
>  worm. 
>  To clean the virus from your machine you should: 
>       Perform a full scan of your machine. 
>       When prompted by VET/IPE, reboot your computer. 
>  If the worm has badly corrupted any system files and VET/IPE is unable to
>  clean them, you will need to replace the corrupted copies of the file/s
>  with clean copies. 
>  For Inoculan customers 
>  To clean the virus from your machine you should (with your up-to-date
>  software): 
>       Use cleaning mode to scan all files on your computer. 
>       If there are errors curing the EXE files, make sure that the
>       applications are not currently running. If they are, close the
>       infected applications and cure again. 
>       If you still have errors curing the files, replace them from backup.
>       If there is an error curing WSOCK32.DLL, close all the applications
>       that use the Internet (Internet Explorer, Netscape, ICQ etc) and
>       cure again.
>       If this is unsuccessful, reboot into DOS mode and cure WSOCK32.DLL
>       using Inoculan for DOS. 
>  
>  
>**********************************************************************
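
An added example, not part of the original message or the quoted advisory: a Python check for the two persistence traces the advisory describes, a WININIT.INI entry that swaps WSOCK32.DLL for a file named with 8 letters A to P, and a WIN.INI "run=" entry named 8 letters plus ".EXE". The sample file contents, the function names and the optional extension on the temporary copy are assumptions made for illustration.

```python
import re

# Constructed samples (not from the page); "AFFJOPPF" is the page's own example name.
SAMPLE_WININIT = r"""[rename]
NUL=C:\WINDOWS\TEMP\SETUP.TMP
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\AFFJOPPF
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.NEW
"""
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\QWKZRTYB.EXE C:\TOOLS\CLOCK.EXE
"""

# 8 capital letters A-P; the page gives no extension, so one is optional (assumption).
TEMP_NAME = re.compile(r"^[A-P]{8}(\.[A-Z0-9]{1,3})?$")
# Spiral plugin dropper: 8 letters followed by .EXE.
SPIRAL_NAME = re.compile(r"^[A-Z]{8}\.EXE$")

def ini_section(text, name):
    """Yield (key, value) from one section; WININIT.INI repeats keys, so no configparser."""
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == name and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def basename(path):
    """Upper-cased final component of a DOS path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].upper()

def check_wininit(text):
    """[rename] entries (destination=source) replacing WSOCK32.DLL from an A-P name."""
    return [(dest, src) for dest, src in ini_section(text, "rename")
            if basename(dest) == "WSOCK32.DLL" and TEMP_NAME.match(basename(src))]

def check_win_ini(text):
    """run= entries in [windows] whose file name is 8 letters plus .EXE."""
    hits = []
    for key, value in ini_section(text, "windows"):
        if key.lower() == "run":
            hits += [e for e in re.split(r"[ ,]+", value)
                     if SPIRAL_NAME.match(basename(e))]
    return hits

if __name__ == "__main__":
    print(check_wininit(SAMPLE_WININIT))
    print(check_win_ini(SAMPLE_WIN_INI))
```

The 8-letter ".EXE" pattern also matches legitimate names such as EXPLORER.EXE, so WIN.INI hits are leads to review rather than confirmation.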

Hi gang.  I just wanted to let you know that I found what I suspect is a
virus in my outgoing mail options under the signatures tab.
                      
Since I am unsure of the nature of the file which was labeled
C:\Windows\kak.htm 
                      
Since I recall several months ago that a virus was circulating through the
outgoing signatures files, I thought I'd alert all of you to the
possibility of its existence and to check your computers.
                      
If anyone can identify this as such, I'd certainly appreciate it.
                      
Thanks,
                      
Rick




