Hybris is the very latest type of virus and potentially a nasty one,
designed to cloak itself against detection. There was some other stuff I was
reading, like it stops EXE files from executing because of a bug in itself.
Here's what SARC has to say about it:
http://www.symantec.com/avcenter/venc/data/w32.hybris.gen.html
W32.Hybris.gen
Discovered on: September 25, 2000
Last Updated on: November 16, 2000 09:52:35 AM PST
W32.Hybris is a worm that spreads by email as an attachment to outgoing
emails. It was discovered in late September of 2000. Although minimum
reports of infection were reported in October 2000, the worm started to
become common in early Nov 2000.
Also known as: W32.Hybris.22528.dr, W32/Hybris.gen@M, I-Worm.Hybris
Category: Worm
Virus definitions: September 25, 2000
Threat assessment:
Wild: Medium
Damage: Low
Distribution: High
Wild
Number of infections: 50-999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Distribution
Name of attachment: Random with EXE or SCR file name extension
Technical description:
When the worm attachment is executed, the WSOCK32.DLL file will be modified
or replaced. This will give the worm the ability to attach itself to all
outbound email. The email attachment will have a random name but the
filename extension is either EXE or SCR.
The worm attempts to connect to the newsgroup alt.comp.virus. After it
connects successfully, the worm uploads its own plug-ins in an encrypted
form to this newsgroup. It goes thru the subject header of the messages, and
tries to match a specific format. The subject header will also specify the
version number of the attached plug-in if these plug-ins are indeed present.
If a newer version of plug-ins is found, the worm downloads these modules
and updates its behavior. For example, there are known modules that give the
worm ability to infect compressed files like ZIP.
If WSOCK32.DLL is being used by the system, the worm will be unable to
modify this file. Thus, in this situation, the worm will add a registry key
to one of the following subtrees:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
It will always alternate between these two trees mentioned above as the worm
spreads from one machine to another. The worm hooks on the following exports
on WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an
email to a person, the worm will also send out another email to the same
person attaching a copy of itself using a randomly generated filename.
Removal:
Use Norton AntiVirus to repair the infected WSOCK32.DLL. Other files
detected as W32.Hybris contain only the virus body and must be deleted.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Jeremy Coulter
> Sent: Monday, 4 December 2000 22:42
> To: Multiple recipients of list offtopic
> Subject: RE: [DUG-OFFTOPIC]: RE: HAHAHA Email...FOR GODS SAKE DONT OPEN
> THE ATTACHMENT!
>
>
> it alters the winsock dll.... I was reading about it on the Symantec site
> the other day...but as usual I can't find it again.
>
> basically what you have to do, is go to your registry, and in the
> localmachine and the currentuser sections under software, microsoft,
> currentversion...or thereabouts there is a section called runonce.
> in there it adds some entries to alter the winsock.dll (or it might be
> wsock.dll), and you have to delete this section BEFORE you reboot
> so that it doesn't alter the dll next time you reboot.
> IF you already have, you will have to put the winsock.dll onto floppy, boot
> into dos and replace it, then you should be fine again.....
>
> hope this helps....
>
> Jeremy Coulter
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Nello Sestini
> > Sent: Monday, December 04, 2000 9:18 PM
> > To: Multiple recipients of list offtopic
> > Subject: Re: [DUG-OFFTOPIC]: RE: HAHAHA Email...FOR GODS SAKE DONT OPEN
> > THE ATTACHMENT!
> >
> >
> > >What does this virus do exactly?
> >
> >
> > Norton identified the attachment as
> >
> > W95.Hybris.gen
> >
> > (that's their name for it - there is no universal
> > computer virus taxonomy AFAIK)
> >
> > they describe it as "infects EXE files"
> >
> >
> > Beyond that I have no idea what it does
> > (and don't want to know <g>)
> >
> > -ns
> >
> > ------------------------------------------------------------------
> > ---------
> > New Zealand Delphi Users group - Offtopic List -
> [EMAIL PROTECTED]
> > Website: http://www.delphi.org.nz
>
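The quoted write-up names two persistence and tampering points: the RunOnce keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, and WSOCK32.DLL. The following read-only triage script is an added example, not part of the original thread or the vendor write-up; it assumes a current Windows host with PowerShell 5.1 or later, and the function name Get-RunOnceEntry is hypothetical.

```powershell
# Added example: lists every value in both RunOnce keys named in the write-up
# and reports the signature state of the file each entry would launch.
# Nothing is modified or deleted. Get-RunOnceEntry is a hypothetical name.
function Get-RunOnceEntry {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Take the quoted path if there is one, otherwise the first token.
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # An entry whose target is missing or unsigned deserves a closer look.
            $sig = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { 'FileNotFound' }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $cmd
                Target    = $exe
                Signature = $sig
            }
        }
    }
}

# WSOCK32.DLL is the file the write-up says is modified or replaced.
# A status other than Valid, or a hash that differs from a known-good copy
# of the same OS build, means the file should be restored from clean media.
$dll = Join-Path $env:SystemRoot 'System32\wsock32.dll'
Get-AuthenticodeSignature -LiteralPath $dll |
    Select-Object Path, Status, StatusMessage
Get-FileHash -LiteralPath $dll -Algorithm SHA256

Get-RunOnceEntry | Format-Table -AutoSize
```

RunOnce values are removed by Windows after they run, so an empty result after a reboot does not show that nothing was there before it.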