W32/Hybris-B

Please follow the instructions for removing worms.

Windows NT/2000

To close the spiral in Windows NT/2000 press Ctrl-Alt-Del to access the Task Manager, select the relevant process and then click the "End Task" button. The
process will have a name consisting of 8 random characters, e.g. FHJENJXE. A file with this name (and a .EXE extension) will be in the Windows system directory. This should be deleted. Also, in the win.ini file, which can be found in the Windows directory, there will be a run= line that points to this EXE file. Delete the file name from that line.

Now remove any other worm files using the Windows NT instructions for removing worms.

Windows 95/98/Me

To close the spiral you will have to go into DOS mode and you will need SWEEP for DOS.

Either download the Emergency SAV distribution and unzip it, or create a folder 'Sophtemp' and copy the contents of the DOS folder on the CD into it.

a) On Windows 95/98

Go to the Start menu and select Shut Down. Choose the option "Restart the computer in DOS mode". Starting a Command Prompt (a DOS window) is not enough.

b) On Windows Me

You cannot go directly into MS-DOS mode in Windows Me. You must create a startup disk to boot from. At the Windows taskbar, select Start|Settings|Control Panel. Click on "Add/Remove Programs". Select the "Startup Disk" tab and press the "Create Disk" button. When you have created the startup disk, write-protect it. Place it in the A: drive and reboot to a command prompt.

At the DOS prompt type

C:
CD \
CD SOPHTEMP
SWEEP *: -REMOVEF

Say 'Yes' when prompted to delete a file (provided it is a W32/Hybris-B file). Make a note of its name.

Reboot to Windows.

In the win.ini file, which can be found in the Windows directory, there will be a run= line that points to the file that you deleted above. Delete the file name from that line.

W32/Hybris-B is a worm capable of updating its functionality over the internet.

It consists of a base part and a collection of upgradeable components. The components are stored within the worm body encrypted with 128-bit strong cryptography.

When run, the worm infects WSOCK32.DLL. Whenever an email is sent, the worm attempts to send a copy of itself as an attachment to a separate message to the same recipient.

Any other behaviour exhibited by the worm is entirely dependent on the set of installed components. The effects of components known to Sophos at the time of writing are described below.

The text of the email message is determined by one of the installed components, and hence can be changed by the upgrading mechanism detailed below.

Consequently the message can have any subject, any message text and any filename for the attached file.

A common component of the worm checks the language settings of the computer it has infected, and selects a message accordingly from:

English

Subject:
Snowhite and the Seven Dwarfs - The REAL story!

Message text:
polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

French

Subject:
aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez

Message text:
sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...

Portuguese

Subject:
muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa.

Message text:
As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...

Spanish

Subject:
siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*

Message text:
sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...

The methods for upgrading the worm can also be changed as they are also upgradable components. At the time of writing, two have been seen.

One of the upgrading techniques attempts to download the encrypted components from a website which is presumably operated by the worm author. This website has since been disabled. However, this component could be upgraded to have a different web address.

The other method involves posting its current plug-ins to the usenet newsgroup alt.comp.virus, and upgrading them from other posts by other infections of the worm. These are again in the encrypted form, and have a header with a four character identifier and a four character version number, in order for the worm to know which plug-ins to install.

Another component of the worm searches the PC for .ZIP and .RAR archive files. When it find one, it searches inside it for a .EXE file, which it renames to .EX$, and then adds a copy of itself to the archive using the original filename.

There is a payload component, which on the 24th of September of any year, or at 59 minutes past the hour on any day in 2001, displays a large animated spiral in the middle of the screen which is difficult to close. Additionally, this payload will run on system startup.