W32/Hybris.gen@MM

This page shows details and results of our analysis of the malware W32/Hybris.gen@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4101 (2000-10-25)

Updated DAT: 4363 (2004-05-26)

Minimum Engine: 5400.1158

File Length: 25,088 bytes

Description Added: 2000-11-01

Description Modified: 2001-09-10

Malware Proliferation

Characteristics

This worm will be received in an email message which may contain the following information:

From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe

When first executed, this worm tries to infect the WSOCK32.DLL file in the WINDOWS\SYSTEM directory. First it tries to infect WSOCK32.DLL directly. If that fails because the file is already in use, it writes an infected copy of WSOCK32.DLL to a new file with an extensionless name made up of 8 random characters. A line is then added to the WININIT.INI file to rename this new file to WSOCK32.DLL, overwriting the original; the rename takes place the next time the system is booted. A registry value under Software\Microsoft\Windows\CurrentVersion\RunOnce\(default) is also created to run the worm at the next bootup, in case the previous attempts to infect WSOCK32.DLL fail.
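A defender checking a Windows 9x machine for the WININIT.INI trick above can parse the [rename] section for an entry whose destination is WSOCK32.DLL. The script below is an added example, not AVERT's tool; the WININIT.INI content and the name QJXKTRWP are constructed, and it does not cover the RunOnce registry value.

```python
import re

# Constructed sample WININIT.INI (not taken from an infected system). Windows
# 9x processes the [rename] section once at the next boot; each line reads
# destination=source, and a destination of NUL deletes the source file.
SAMPLE_WININIT = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\~SETUP.TMP
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\QJXKTRWP
[other]
key=value
"""

# Extensionless name of exactly eight letters or digits, e.g. QJXKTRWP
RANDOM8 = re.compile(r"^[A-Za-z0-9]{8}$")

def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.
    Hand-rolled because configparser rejects the repeated NUL= keys
    that are legal in WININIT.INI."""
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def find_wsock32_hijack(text):
    """Flag rename entries that would overwrite WSOCK32.DLL at next boot.
    Any such entry deserves a look; one whose source is an extensionless
    eight-character file matches the dropper described above."""
    findings = []
    for dest, src in parse_rename_section(text):
        if basename(dest).lower() != "wsock32.dll":
            continue
        severity = "high" if RANDOM8.match(basename(src)) else "medium"
        findings.append({"destination": dest, "source": src, "severity": severity})
    return findings
```

A legitimate installer may also queue a rename of WSOCK32.DLL, which is why a source file with a proper name is only rated medium.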

The modified WSOCK32.DLL file watches all Internet activity and attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to any valid e-mail address sent over the Internet connection, whether part of an e-mail message, web page, or newsgroup posting. AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the infected user.

This Internet worm originally downloaded encrypted update components from an Internet web site, similar to the method first used by W95/Babylonia, but the site hosting the virus was taken down. The original plugins were:

HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT

Currently this virus downloads plugins from alt.comp.virus. The virus contains an internal list of several news servers it can access. It searches the newsgroup for any plugins that it doesn't have, or has older versions of. Since the worm harvests e-mail addresses from all Internet activity, people who post to alt.comp.virus using their real e-mail address may receive many copies of the worm when Hybris searches alt.comp.virus for new plugins.

When a full moon occurs according to the computer's internal clock, the virus will randomly post its plugins to the alt.comp.virus newsgroup. It uses a mail-to-news gateway at anon.lcs.mit.edu to send plugins with a fake return address of root@microsoft.com.

This Internet worm contains the text:

HYBRIS
(c) Vecna

Symptoms

Mail recipients claiming they received an attachment from you when one was never sent. Depending on plugins installed, spiral graphic on the screen, inability to access antivirus sites.

Method of Infection

The format of the newsgroup-posted message is as follows:

anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: 20001113080521.28781.qmail@nym.alias.net
From: [USE-AUTHOR-ADDRESS-HEADER@[127.1]]
Author-Address: anonymous [AT]anon [DOT]lcs [DOT]mit [DOT] edu
Subject: http [code containing upper- and lower-case letters]
Mail-To-News-Contact: postmaster@nym.alias.net
Organization: mail2news@nym.alias.net
Newsgroups: alt.comp.virus
Lines: 46 

KUWJGJWCVICGIWIWCZIWHCFXCHB [continues]....
[more coded lines]
[terminated by four asterisks]
**** 
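The message format above gives a news administrator or mail gateway operator enough to recognise plugin posts. The following is an added example, not part of the original description: it checks an article for the four traits listed (the newsgroup, the anon.lcs.mit.edu gateway address, the "http" subject form, and a body of coded lines closed by four asterisks). The sample article, its subject code and its coded lines are constructed.

```python
import re

# Constructed sample shaped like the alt.comp.virus plugin post above;
# the subject code and the coded body lines are made up, not captured.
SAMPLE_POST = """\
Author-Address: anonymous [AT]anon [DOT]lcs [DOT]mit [DOT] edu
Subject: http qRsTuVwX
Newsgroups: alt.comp.virus

KUWJGJWCVICGIWIWCZIWHCFXCHB
QWERTYUIOPASDFGHJKLZXCVBNMQ
****
"""

SUBJECT_RE = re.compile(r"^http [A-Za-z]+$")  # "http" plus a mixed-case code
CODED_LINE_RE = re.compile(r"^[A-Z]+$")       # body lines are bare capitals

def split_message(raw):
    """Split a Usenet article into a lower-cased header dict and body lines."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers, body.splitlines()

def looks_like_hybris_plugin_post(raw):
    """Score an article on four traits: newsgroup, de-obfuscated mail2news
    gateway address, subject form, coded body closed by '****'."""
    headers, body = split_message(raw)
    addr = re.sub(r"\s*\[AT\]\s*", "@", headers.get("author-address", ""))
    addr = re.sub(r"\s*\[DOT\]\s*", ".", addr)
    traits = {
        "newsgroup": "alt.comp.virus" in headers.get("newsgroups", ""),
        "gateway": addr.endswith("@anon.lcs.mit.edu"),
        "subject": bool(SUBJECT_RE.match(headers.get("subject", ""))),
        "coded_body": False,
    }
    coded = 0
    for line in body:
        if line.rstrip() == "****":      # terminator reached: body complete
            traits["coded_body"] = coded > 0
            break
        if not CODED_LINE_RE.match(line.rstrip()):
            break                        # an ordinary line: not a coded body
        coded += 1
    traits["coded_lines"] = coded
    traits["match"] = all(traits[k] for k in ("newsgroup", "gateway", "subject", "coded_body"))
    return traits
```

Only the combination of all four traits is treated as a match; a normal post through the same gateway, or a subject starting with "http", trips just one of them.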

The plugins are saved to the WINDOWS\SYSTEM directory under a random name consisting of eight random letters and an extension of three random letters. The plugins are signed using public-key cryptography: every copy of the worm carries a public key and accepts only plugins digitally signed with the corresponding private key. Only the virus author holds that private key, so only plugins he approves are accepted by the virus. Some of the current plugins are:
  • @@@@ or SPIRALE - This creates a file which displays a graphic of a "spiral" that cannot be closed or stopped. The file has a name consisting of eight random letters, and is loaded using the run= line of the [windows] section of win.ini. This spiral graphic is launched by this Internet worm on September 24th, or when the number of minutes is equal to 59 in the year 2001.
  • I_RZ - Adds a copy of the worm to ZIP and RAR archives containing EXE files. The original EXE file is renamed to an EX$ extension, and a copy of the virus takes the place of the original EXE file.
  • AVIP or AVINET.DAT - Blocks the infected computer from visiting certain antivirus websites by IP address, similar to the W95/MTX virus.
  • SUB7 - Searches for computers infected with the BackDoor-G trojan, and copies and executes itself on infected machines.
  • ENCR or POLY - Encrypts the virus with a polymorphic routine. Note that in spite of the polymorphic routine, VirusScan detects all of the permutations of the virus when using updated engine and DAT files.
  • TEXT or PR0N - This creates the message that the virus is sent with, depending on the language installed on the infected system:

    English:

    From: Hahaha [hahaha@sexyfun.net]
    Subject: Snowhite and the Seven Dwarfs - The REAL story!
    Body: Today, Snowhite was turning 18. The 7 Dwarfs
    always where very educated and polite with Snowhite.
    When they go out work at mornign, they promissed a
    *huge* surprise. Snowhite was anxious. Suddlently, the
    door open, and the Seven Dwarfs enter...
    Attachment: sexy virgin.scr or joke.exe or midgets.scr
    or dwarf4you.exe
    
    French:
    From: Hahaha [hahaha@sexyfun.net]
    Subject: Les 7 coquir nains *or* Blanche neige et ...les
    sexe nains
    Body: C'etait un jour avant son dix huitieme
    anniversaire. Les 7 nains, qui avaient aidé 'blanche
    neige' toutes ces années après qu'elle se soit enfuit de
    chez sa belle mère, lui avaient promis une *grosse*
    surprise. A 5 heures comme toujours, ils sont rentrés du
    travail. Mais cette fois ils avaient un air coquin...
    Attachment:  blancheneige.exe or sexynain.scr or
    blanche.scr or nains.exe
    
    Spanish:
    From: Hahaha [hahaha@sexyfun.net]
    Subject: Enanito si, pero con que pedazo!
    Body: Faltaba apenas un dia para su aniversario de de 18
    años. Blanca de Nieve fuera siempre muy bien cuidada por
    los enanitos. Ellos le prometieron una *grande* sorpresa
    para su fiesta de compleaños. Al entardecer, llegaron.
    Tenian un brillo incomun en los ojos...
    Attachment: enano.exe or enano porno.exe or blanca de
    nieve.scr or enanito fisgon.exe
    
    Portuguese:
    From: Hahaha [hahaha@sexyfun.net]
    Subject: Branca de Neve porn!
    Body: Faltava apenas um dia para o seu aniversario de
    18 anos. Branca de Neve estava muito feliz e ansiosa,
    porque os 7 anões prometeram uma *grande* surpresa.
    As cinco horas, os anõezinhos voltaram do trabalho.
    Mas algo nao estava bem... Os sete anõezinhos tinham
    um estranho brilho no olhar...
    Attachment:  branca de neve.scr or atchim.exe or
    dunga.scr or anão porn.scr
    
    
    A later version of the plugin creates e-mails by choosing random words from "Anna", "Raquel Darian", "Xena", "Xuxa", "Suzete", "famous", "celebrity rape", "leather" and "sex", "sexy", "hot", "hottest", "cum", "cumshot", "horny", "anal", "gay", "oral", etc.

    Note that the infected e-mails do not actually come from the sexyfun.net domain, they are sent unknowingly with a fake return address by infected users.

    If Hybris does not have a plugin capable of generating message text, it will send a message with no subject or sender and a copy of itself with a name consisting of eight random letters.

  • DOSEXE.DAT or EXEI - Infects DOS EXE files to contain a virus dropper. These files can be repaired by VirusScan as W32/Hybris.exe.
  • I_PE - Infects PE files without increasing their size. It also adds data so that some checksumming algorithms will generate the same checksum before and after infection. These files cannot be repaired.
  • HTTP - This plugin downloaded plugins from a website until the site was shut down.
  • NEWS - This plugin posts plugins and downloads new ones from alt.comp.virus as described above.
Because plugins can change the virus behaviour so quickly, infected users are urged to use the latest engine and DAT files, and to set their antivirus software to scan all files. VirusScan will repair the infected wsock32.dll as W32/Hybris.gen.dll@M, but we recommend users restore it from the original disks to be certain.

Removal

Use specified engine and DAT files for detection and removal.

Windows 95/98 systems require rebooting to MS-DOS mode and scanning with the command line scanner SCANPM in order to clean files such as EXPLORER.EXE and TASKMON.EXE. Use a command line such as:
SCANPM.EXE C: /CLEAN /ALL

The WSOCK32.DLL file can be restored from the original Windows installation files. On Windows 98/ME, use SFC to recover WSOCK32.DLL following the instructions below.

Windows 98/ME
- (Win98 only) Click the START MENU|RUN, type SFC and click OK. Choose Extract one file from the installation disk
- (WinME only) Click the START MENU|RUN, type MSCONFIG and click OK. Click the EXTRACT FILE... button
(Both Win98/ME)
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 (or WinME) directory on your Windows CD-ROM
- Click OK and follow remaining prompts

Wsock32.dll file exists within the Precopy1.cab cabinet file on the Windows CD-ROM.

Windows 95
WSOCK32.DLL can be found in the following CAB files:
Win95_11.cab on the Windows 95 CD-ROM
Win95_18.cab on the Windows 95 OSR2 CD-ROM
Win95_12.cab on the Windows 95 DMF disks
Win95_19.cab on the Windows 95 non-DMF disks

Below is an example for standard Windows 95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows 95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
where D: is your CD-ROM drive.

Windows NT/2000
Rename the Wsock32.dll file in the Winnt\System32 folder to Wsock32.old.

For information about how to rename a file, click Start, click Help, click the Index tab, type renaming, and then double-click the "Renaming files" topic.

Click Start, point to Programs, and then click Command Prompt.

Type cd\, and then press ENTER.

Insert the Windows CD-ROM into the CD-ROM drive, and then close the Startup Screen if it appears.

Type the following line at the command prompt, and then press ENTER.

expand <drive>:\i386\wsock32.dl_ c:\<windows>\system32\wsock32.dll
where <drive> is the drive letter assigned to your CD-ROM drive, and <windows> is the name of the folder in which Windows is installed.

Type exit, and then press ENTER to return to Windows.

Additional Windows ME information:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove them.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.

Variants