Threat Encyclopedia


Win32/Hybris

Win32/Hybris is an email worm whose distinguishing feature is that it can modify its own behaviour through supplementary modules (plugins) that it obtains over the Internet.  It spreads as an email attachment with a random file name and an EXE or SCR extension.  When run, the worm attempts to infect the file WSOCK32.DLL; if the library is in use, the infection does not take place.  The worm ensures that it is activated by creating a key in the system registry, either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
By infecting WSOCK32.DLL the worm gains access to the functions used for sending and receiving mail and for establishing network connections.  Using these functions, the worm collects email addresses and sends copies of itself to them.  For example, after an email is sent to the address niekto@nikde.uplne.inde, a couple of minutes later the worm sends another email to the same address with a copy of itself attached.  The worm further develops the recently widespread technique of upgrading malware over the Internet: with the help of plugins, Win32/Hybris can significantly alter its capabilities.  It can obtain plugins from Usenet news servers (the NNTP protocol) and also over HTTP (the protocol used for viewing web pages).  One of the plugins caused a flood of postings in the anti-virus newsgroup alt.comp.virus; for example, on December 9th 2000 the worm posted 444 messages to the newsgroup with subjects such as:

text DFDE DefefSzKHmDCbqvyreHuraLqHSnyPmvKnWjKbSHqrOTqzGU
text JJJI jiXyzWXaTijyHSbKXOXqPyU
encr XJWH WHqzafqzWvubWDunyHOjWLaTWzCfqXenenmrGfCvuB
encr SORM rmzODGXqzGnmjWZ

A message with one of these or a similar subject contains the worm body encrypted with a variant of the RSA algorithm.  The first four characters of the subject are the "name" of the plugin, followed by a space and then four characters specifying its "version"; the string that follows is constant for each version.  The message body also contains the encrypted plugin code enclosed between "****" markers.  The worm checks its plugins, and if it finds a higher plugin version than the one it currently carries, it replaces the original version with the new one.  Other plugins add infection of RAR and ZIP archives, infection of PE files, polymorphism, random selection of the email subject and attachment file name, a graphical spiral effect, and infection of computers on which the SubSeven Trojan is installed.
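The plugin-distribution format just described (a four-character plugin name, a four-character version, a tag that is constant per version, and a payload enclosed in "****" markers) is simple enough to triage mechanically from a newsgroup or mail archive. The following Python script is an added example written for this page; it is neither Eset's code nor the worm's. The subject layout and the "****" delimiters come from the entry above; the message structure (subject, body pairs), the helper and field names, and the sample bodies are assumed or constructed for illustration, and the two subjects used as samples are the ones quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Subject layout described in the entry: 4-char plugin name, a space,
# 4-char version, a space, then a string that is constant for each version.
SUBJECT_RE = re.compile(r"^(\S{4}) (\S{4}) (\S+)$")

# The plugin code in the body sits between "****" markers (per the entry).
PAYLOAD_RE = re.compile(r"\*\*\*\*(.*?)\*\*\*\*", re.DOTALL)


@dataclass(frozen=True)
class PluginSubject:
    name: str      # first four characters, e.g. "text"
    version: str   # next four characters, e.g. "DFDE"
    tag: str       # remainder; stated to be constant per version


def parse_subject(subject: str) -> Optional[PluginSubject]:
    """Return name/version/tag when the subject matches the layout, else None."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    return PluginSubject(*m.groups())


def extract_payload(body: str) -> Optional[str]:
    """Return the text between the first pair of '****' markers, or None."""
    m = PAYLOAD_RE.search(body)
    return m.group(1).strip() if m else None


def triage(messages: Iterable[Tuple[str, str]]) -> List[dict]:
    """Flag postings whose subject matches the plugin layout.

    Each finding records the parsed subject and whether a ****-delimited
    payload was present, so an analyst knows what to pull for offline
    analysis.  Nothing here decrypts or executes the payload.
    """
    findings = []
    for subject, body in messages:
        parsed = parse_subject(subject)
        if parsed is None:
            continue
        payload = extract_payload(body)
        findings.append({
            "name": parsed.name,
            "version": parsed.version,
            "tag": parsed.tag,
            "has_payload": payload is not None,
            "payload_length": len(payload) if payload else 0,
        })
    return findings


def inconsistent_tags(findings: Iterable[dict]) -> Set[Tuple[str, str]]:
    """Return (name, version) pairs seen with more than one tag.

    The entry states the tag is constant for a given version, so a
    varying tag is an anomaly worth a closer look (e.g. a spoofed post).
    """
    seen = {}
    for f in findings:
        seen.setdefault((f["name"], f["version"]), set()).add(f["tag"])
    return {key for key, tags in seen.items() if len(tags) > 1}


# Constructed sample postings: the subjects are quoted in the entry,
# the bodies are made up for this example (the base64 text is not a real plugin).
SAMPLE_MESSAGES = [
    ("text DFDE DefefSzKHmDCbqvyreHuraLqHSnyPmvKnWjKbSHqrOTqzGU",
     "****\nQUJDREVGR0hJSktMTU5PUA==\n****\n"),
    ("encr SORM rmzODGXqzGnmjWZ",
     "no markers in this one"),
    ("Re: which scanner detects Hybris?",
     "plain discussion post"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding)
    print("inconsistent tags:", inconsistent_tags(triage(SAMPLE_MESSAGES)))
```

The subject pattern is deliberately loose (any two four-character tokens followed by a third token will match), so treat the output as a triage list rather than a verdict; tightening it to the plugin names actually observed in an archive cuts false positives considerably.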
The worm body contains the following texts:

Software\Microsoft\Windows\CurrentVersion\RunOn

and

(c) Vecna

The worm is equipped with a plugin authorisation mechanism which ensures that only modules certified by the worm author are used.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.