TUCoPS :: Malware :: al200011.txt

AusCERT Alert 2000.11 Hybris Worm



A  U  S  C  E  R  T                                           A  L  E  R  T
                        AL-2000.11  --  AUSCERT ALERT
                                 Hybris Worm
                              11 December 2000



	AusCERT has received increased numbers of reports of a new virus
	known as Hybris worm.  This worm has the ability to intercept data
	(including email) that is sent and received and scan it for email
	addresses.  The worm then propagates by modifying the WSOCK32.DLL
	file to allow it to attach itself to the intercepted email
	addresses. Hybris only runs on Win32 systems.

	When the virus propagates itself via e-mail, it uses variable
	subject lines which currently include such phrases as "Snowhite
	and the Seven Dwarfs - The REAL story!" and "Branca de Neve porn!"
	as well as listing Hahaha <hahaha@sexyfun.net> in the From: field.
	Currently, the worm is included in an attachment with various
	names including "sexy virgin.scr", "joke.exe", "midgets.scr",

	The behaviour and function of Hybris depends on plug-ins that are
	encrypted (believed to be 128-bit strength) in the body of the
	worm.  Hybris attempts to connect to the newsgroup alt.comp.virus
	to post its own plug-ins and download newer versions.  These
	uploadable and downloadable plug-in posts are intended for the
	running worms to update their behaviour.  Examples of the behaviour
	of some of the plug-ins are:
	 - Infecting all EXE files in ZIP and RAR archives; and 
	 - Propagating itself to remote machines compromised with the
	   SubSeven trojan.

	More detailed information regarding this virus, its impact,
	propagation and recovery can be found in the links in the
	Recommendations section.

	As is typical with this type of incident, there are generally
	numerous mutations of this worm for several weeks afterwards.
	This is particularly relevant given the ability of Hybris to
	download plug-ins to update itself, thus potentially allowing it
	to mutate into variants with new methods of spreading and avoiding
	detection.  AusCERT recommends a heightened state of awareness
	and caution with any e-mail attachments that are received in the
	next few weeks.

	AusCERT has received reports of infection among member sites and
	non-members within Australia and New Zealand.  We are issuing this
	warning to draw members' attention to the potential for increased
	activity in Australia and New Zealand.


	Mail servers may suffer increased load as the worm propagates
	making those servers unstable or unusable.  An infected
	organisation's profile may also be damaged due to the organisation
	being seen as one of the propagators of the worm.  In addition,
	the virus may modify or replace WINSOCK32.DLL and adds one of the
	following RunOnce registry keys:



	Impact to clients is dependent on the plug-in the worm has been
	updated with (see examples mentioned above).


	A. User Education

	System Administrators are urged to inform their users about proper
	precautions with regards to handling email attachments.

	AusCERT recommends that sites should update and check their virus
	defences and either delete or do not open any email messages or
	attachments that resemble those described above or in the following

        B. Update Anti-Virus Packages

	System administrators and users are urged to ensure that the latest
	Anti-Virus software is installed and that it is using the most
	current up-to-date virus databases.

	More information can be found at:


	AusCERT is continuing to monitor this problem. 

- - ----------------------------------------------------------------------------
For more information contact please contact your anti-virus vendor.
- - ----------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
Australian Computer Emergency Response Team
The University of Queensland
Qld  4072

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key


Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH