W32/Hybris-F

Category: Viruses and Spyware Protection available since:21 Nov 2000 00:00:00 (GMT)
Type: Win32 worm Last Updated:21 Nov 2000 00:00:00 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed


W32/Hybris-F is a worm capable of updating its functionality over the internet.

It consists of a base part and a collection of upgradeable components. The components are stored within the worm body encrypted with 128-bit strong cryptography.

When run, the worm infects WSOCK32.DLL. Whenever an email is sent, the worm attempts to send a copy of itself as an attachment to a separate message to the same recipient.

Any other behaviour exhibited by the worm is entirely dependent on the set of installed components. The effects of components known to Sophos at the time of writing are described below.

The text of the email message is determined by one of the installed components, and hence can be changed by the upgrading mechanism detailed below.

Consequently the message can have any subject, any message text and any filename for the attached file.

A common component of the worm checks the language settings of the computer it has infected, and selects a message accordingly from:

English

Subject:
Snowhite and the Seven Dwarfs - The REAL story!

Message text:
polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

French

Subject:
aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez

Message text:
sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...

Portuguese

Subject:
muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa.

Message text:
As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...

Spanish

Subject:
siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*

Message text:
sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...

The methods for upgrading the worm can also be changed as they are also upgradeable components. At the time of writing, two have been seen.

One of the upgrading techniques attempts to download the encrypted components from a website which is presumably operated by the worm author. This website has since been disabled. However, this component could be upgraded to have a different web address.

The other method involves posting its current plug-ins to the usenet newsgroup alt.comp.virus, and upgrading them from other posts by other infections of the worm. These are again in the encrypted form, and have a header with a four character identifier and a four character version number, in order for the worm to know which plug-ins to install.

Another component of the worm searches the PC for .ZIP and .RAR archive files. When it finds one, it searches inside it for an .EXE file, which it renames to .EX$, and then adds a copy of itself to the archive using the original filename.

There is a payload component, which on the 24th of September of any year, or at 1 minute to the hour on any day in the year 2001, displays a large animated spiral in the middle of the screen which is difficult to close.

Image of large animated spiral.

There is also a component that applies a simple polymorphic encryption to the worm before it gets sent by email. By upgrading this component the author is able to completely change the appearance of the worm in unpredictable ways in an attempt to defeat anti-virus products detecting it.

download Try Sophos products for free
Download now