Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-) Softpanorama Search

Hybris(hahaha, sexyfun): A Stealth Worm With Plug-ins

This virus/worm exists in several forms.

The oldest initial version is distributed as an attachment's) to the following e-mail message (can be in Spanish too): 

From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
polite with Snowhite. When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
Dwarfs enter...

The email will have one of several files attached looking like porno stuff.  The names joker.exe, sexy virgin.scr, midgits.scr, and dwarfs4me.exe are the most common (A lot of other filenames can be generated but are less common). 

Newer version of the virus tried to reply to the messages send to a particular mailbox. somethign this is really funny. Below is the message that virus send in resonce to the authomatic notification about virus infection by antivirus software. The deleted attachment has name  Me_nude.AVI.pif

Attachment does not contain any read file: it's just the virus executable code.  It has been spreading since Sept. 2001 all over the world. AV researchers suspect that Hybris was written in Brazil and is related to Babylonia -- the first of its kind in 1999. First discovered by Russian developers at Kaspersky Labs (Cambridge, U.K.) as having originated in South America, the Hybris worm start spreading in Sept 2000 and in the second half of  2001 is still one of the most common e-mail worm.

If the file is opened the virus will infect an unprotected computer, it will find all the email addresses on the computer to create a list, then it will send the same message, as above, to all the addresses in the list.  Upon execution, this worm can patch the WSOCK32.DLL file so that it can attach itself to email sent out from the infected computer. Once the worm patches the WSOCK32.DLL, it can monitor Internet activity, including the sending and receiving of email.  

That means that a user PC could be sending infected emails without the user knowledge.  All e-mails have face "From" address hahaha@sexyfun.net instead of real user e-mail address, so recipients won't see the infected machine return e-mail address so they won't know it came from this particular user.

This virus only affects computers running Windows. It will not infect any other operating systems like MacOS or Linux at this time. Those users using those operating systems that aren't affected can still receive the infected and those annoying messages, but will not be infected themselves and they won't infect others.

for the home users it's important to have some antivirus program installed (Norton Utilities are really cheap now and in addition to antivirus contain a lot of useful things like Disk Optimizer, etc.)

This virus has complex plug-in architecture and can mutate so not all strains can be detected on the e-mail gateway and users still can get them in thier mailboxes. While it currently carries a non-destructive payload, it has complex plug-in architecture that might be used to turn it into a destructive worm.

The true originality of Hybris -- and possibly its true danger -- lies in its plug-in architecture. Using a new architecture, the worm can connect to either the alt.comp.virus Usenet newsgroup or to a series of Web sites, and transparently download its own updates similar to Trojan horse programs. One effect of this self-upgrading model is that the worm's signature -- the appearance it presents to anti-virus programs -- can be altered in unpredictable ways, defeating anti-virus products that may only be able to detect its previously known signatures. And not only is Hybris' payload self-upgrading, but its own binary core components are, too, leaving no single element of the worm persistently traceable.

"What we have here is perhaps the most complex and refined malicious code in the history of virus writing," said Eugene Kaspersky, Head of Kaspersky Labs' Anti-Virus Research Center, in a statement on the company's site. "It is defined by an extremely complex style of programming and all the plugins are encrypted with very strong RSA 128-bit crypto-algorithm key. The components themselves give the virus writer the possibility to modify his creation 'in real time,' and in fact allow him to control infected computers worldwide."

"The architecture of the plug-in approach is interesting, and it makes it possible for a programmer to turn it into a dangerous virus. New threats like this are going to promote changes in the work to fight viruses. These kinds of threats are an evolutionary pressure on AV technology."

In its original version, Hybris distributed itself as an e-mail attachment; however, recent reports indicate that it can also distribute itself using ICQ, an instant messaging platform used by over 30 million people. The worm infects the Windows Internet sockets library file WSOCK32.DLL, enabling it to control users' Internet connections and intercept e-mail addresses of incoming messages using a method similar to that employed by the MTX virus. Once it has obtained an address, Hybris automatically sends itself to the next computer.

Surprisingly, Hybris can also modify the WSOCK32.DLL even if it has been write-protected. In such a case, Hybris makes a copy of WSOCK32.DLL, infects that copy, and then writes the name of the infected copy in the WIN.INI initialization file. The next time Windows is rebooted, the system recognizes the infected library rather than WSOCK32.DLL. The worm ensures its persistence by making a copy of itself with a random name, then writing an entry pointing to this copy in the Windows System Registry -- specifically in the Run_Once Registry key. This way, Hybris can recopy itself even if its original copy is erased.

To date, all the plug-ins observed in the virus newsgroups have utilized a strong encryption algorithm.

So even though they're being posted out in the open, it isn't clear what these plug-ins will do until after it's been done. The following behavior, however, is known: One of Hybris' components searches local hard drives for .ZIP and .RAR archive files. When it finds one, Hybris searches inside that file for an .EXE filename. It then renames that file with an .EX$ extension, and then adds a copy of itself to the archive using the .EXE filename.

Another Hybris component actually uploads infected files from users' hard drives to the alt.comp.virus newsgroup. This same component also grabs e-mail addresses from the headers of messages posted to newsgroups to which the user subscribes, and sends copies of itself to those e-mail addresses as attachments. Over the past few weeks, this seems to have increasingly become the way by which the worm is propagating.

The only observed, known danger attributed to Hybris is a payload component which, on the 24th of September of any year, or at one minute before the hour during any day in the year 2001, displays a large animated spiral in the middle of the screen that is difficult to close.

At the same time the plug-ins can't work without the base executable and most AV programs are able to detect the base executable file. The morphing nature of the virus could spawn several new versions.

Webliography

Antivirus vendors

Symantec Update Page Write-up	AVP Update Page Write-up	F-Prot Update Page Write-up
McAfee Update Page *Write-up	PC-Cillin Update Page Write-up	Sophos Update Page Write-up

 

SANS Institute Paper on Hybris Virus

Hybris – Stealth Worm and Trojan with Plug-ins

W95.Hybris Virus AKA Snow White and The Seven Dwarfs