Summary

| Detected by | All Sophos products |
|---|---|

Action

Please follow the instructions for removing worms.
Windows NT/2000/XP
To close the spiral in Windows NT/2000/XP, press Ctrl-Alt-Del to open the Task Manager, select the relevant process and then click the "End Task" button. The process will have a name consisting of eight random characters, e.g. FHJENJXE. A file with this name (and a .EXE extension) will be in the Windows system directory. Delete this file.
Now remove any other worm files using the Windows NT/2000/XP instructions for removing worms.
You will need to replace WSOCK32.DLL. Copy it from your original installation media or a clean computer.
Windows 95/98/Me
To close the spiral you will have to boot into DOS mode, and you will need SWEEP for DOS.
Either download the Emergency SAV distribution and unzip it, or create a folder 'Sophtemp' and copy the contents of the DOS folder on the CD into it.
a) On Windows 95/98
Go to the Start menu and select Shut Down. Choose the option "Restart the computer in DOS mode". Starting a Command Prompt (a DOS window) is not enough.
b) On Windows Me
You cannot go directly into MS-DOS mode in Windows Me. You must create a startup disk to boot from. At the Windows taskbar, select Start|Settings|Control Panel. Click on "Add/Remove Programs". Select the "Startup Disk" tab and press the "Create Disk" button. When you have created the startup disk, write-protect it. Place it in the A: drive and reboot to a command prompt.
At the DOS prompt type
C:
CD \
CD SOPHTEMP
SWEEP *: -REMOVEF
Say 'Yes' when prompted to delete a file (provided it is a W32/Hybris-H file). Make a note of its name.
Reboot to Windows.
You will need to replace WSOCK32.DLL. Copy it from your original installation media or a clean computer.
Other platforms
Please follow the instructions for removing worms.
More Information
W32/Hybris-C is a worm capable of updating its functionality over the internet.
It consists of a base part and a collection of upgradeable components. The components are stored within the worm body encrypted with 128-bit strong cryptography.
When run, the worm infects WSOCK32.DLL. Whenever an email is sent, the worm attempts to send a copy of itself as an attachment to a separate message to the same recipient.
Any other behaviour exhibited by the worm is entirely dependent on the set of installed components. The effects of components known to Sophos at the time of writing are described below.
The text of the email message is determined by one of the installed components, and hence can be changed by the upgrading mechanism detailed below.
Consequently the message can have any subject, any message text and any filename for the attached file.
A common component of the worm checks the language settings of the computer it has infected, and selects a message accordingly from:
English
Subject:
Snowhite and the Seven Dwarfs - The REAL story!
Message text:
polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
French
Subject:
aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez
Message text:
sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...
Portuguese
Subject:
muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa.
Message text:
As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...
Spanish
Subject:
siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*
Message text:
sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...
The methods for upgrading the worm can also be changed, as they are themselves upgradeable components. At the time of writing, two have been seen.
One of the upgrading techniques attempts to download the encrypted components from a website which is presumably operated by the worm author. This website has since been disabled. However, this component could be upgraded to have a different web address.
The other method involves posting its current plug-ins to the Usenet newsgroup alt.comp.virus, and upgrading them from posts made by other infections of the worm. These are again in encrypted form, and carry a header with a four-character identifier and a four-character version number, so that the worm knows which plug-ins to install.
Another component of the worm searches the PC for .ZIP and .RAR archive files. When it finds one, it searches inside it for a .EXE file, which it renames to .EX$, and then adds a copy of itself to the archive using the original filename.
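The renaming described above leaves a recognisable trace: an .EX$ entry beside a .EXE entry of the same base name. The following is an added detection example (not Sophos code) that scans a ZIP archive for that pairing; it covers ZIP only, since RAR is not readable with the standard library, and the archive it inspects is constructed inline.

```python
"""Flag ZIP archives carrying the Hybris-style .EXE -> .EX$ rename trace.
Added example, not Sophos code; the sample archive below is constructed."""
import io
import zipfile
from typing import Dict, List, Tuple


def find_ex_dollar_pairs(data: bytes) -> List[Tuple[str, str]]:
    """Return (ex$_entry, exe_entry) pairs where an .EX$ entry sits beside
    a .EXE entry with the same base name (case-insensitive, path included).
    A hit is an indicator that the archive was rewritten, not proof of infection."""
    by_base: Dict[str, Dict[str, str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(".ex$"):
                by_base.setdefault(lower[:-4], {})["ex$"] = name
            elif lower.endswith(".exe"):
                by_base.setdefault(lower[:-4], {})["exe"] = name
    return [
        (entries["ex$"], entries["exe"])
        for _, entries in sorted(by_base.items())
        if "ex$" in entries and "exe" in entries
    ]


def build_sample_archive(tampered: bool) -> bytes:
    """Construct an in-memory ZIP. With tampered=True it mimics the worm's
    effect: the original SETUP.EXE renamed to SETUP.EX$ and a new SETUP.EXE
    added under the original name. All contents are constructed placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.TXT", "constructed sample archive")
        if tampered:
            zf.writestr("tools/SETUP.EX$", b"MZ original program (constructed)")
            zf.writestr("tools/SETUP.EXE", b"MZ replacement placeholder (constructed)")
        else:
            zf.writestr("tools/SETUP.EXE", b"MZ original program (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        hits = find_ex_dollar_pairs(build_sample_archive(flag))
        print("tampered" if flag else "clean", "->", hits)
```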
There is a payload component which, on the 24th of September of any year, or at 1 minute to the hour on any day in the year 2001, displays a large animated spiral in the middle of the screen that is difficult to close.
There is also a component that applies a simple polymorphic encryption to the worm before it is sent by email. By upgrading this component the author is able to completely change the appearance of the worm in unpredictable ways, in an attempt to evade detection by anti-virus products.