Subject: Virus alert and such..
Date: Fri, 05 Jan 2001 01:05:18 +1100
From: ***
To: ***
Oi,
I figure you can all work this out for yourselves and that it's prolly rather old, everything considered.. But -I- only just received it, and I know a friend of mine was going to send it around.. So.. take a look below.
Emails may arrive from an INFECTED user in this format:
From: Hahaha [[email protected]]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: executable file
(Found all this at http://vil.nai.com/villib/dispvirus.asp?virus_k=98873, thanks to MrC.)
Virus Name: W32/Hybris.gen@M
Aliases:
dwarf4you.exe
Hybris
I-Worm.Hybris
I-Worm.Hybris.b
Snowhite and the Seven Dwarfs
TROJ_HYBRIS.A
W32/Hybris.gen.dll@M
W32/Hybris.plugin@M
W95.Hybris.Gen.dr
W95/Hybris.worm
Win98.Vecna.23040
Variants: None
Description Added: 11/1/00 2:37:27 PM
Virus Information
Discovery Date: 10/16/00
Origin: South America
Length: 25,088 bytes
Type: Virus
SubType: Internet Worm
Risk Assessment: Medium
Minimum Engine: 4.0.50
Minimum Dat: 4101
DAT Release Date: 10/25/2000
Virus Characteristics
Update January 7, 2000:
Some infected users have reported seeing a "spiral" graphic that, once activated, cannot be closed or stopped. This spiral graphic belongs to one of the plugins for W32/Hybris and is launched by the worm periodically. To close the spiral, a task or process manager tool must be used.
This is an Internet worm which is received by email. Typically these messages make reference to "Snowhite and the Seven Dwarfs". If run, the worm modifies the WSOCK32.DLL file; thereafter, whenever email messages are sent out, an attempt is made to mail a copy of the worm to all recipients.
AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the infected user.
This Internet worm downloads encrypted update components from a web site, most likely the author's own. This method of downloading encrypted components is similar to the one first used by W95/Babylonia.
Symptoms
Mail recipients claiming they received an attachment from you when one was never sent
Method Of Infection
When this Internet worm is launched, it downloads a file named INDEX.TXT from the hosting site. This file contains a list of additional files that the worm then downloads for its own use. On November 13, 2000, the site was still operational and contained the following update component files:
HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT
As of November 20, 2000, the site hosting the virus had been taken down; however, the virus continues to download plugins from alt.comp.virus.
As of November 21, 2000, a new plugin is being distributed that enables W32/Hybris to infect PE files in a non-repairable way. The 4108 DAT set is required to detect these infected files.
Executing the worm writes a modified version of the WSOCK32.DLL file to the WINDOWS SYSTEM directory. This file has an extensionless filename made up of 8 random characters. A line is created in the WININIT.INI file to rename this newly created file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. The rename takes place the next time the system is booted. The modified WSOCK32.DLL file attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to all mail recipients whenever email messages are sent out.
This Internet worm posts update details to a newsgroup named alt.comp.virus. Each post is a message addressed to the copies of the worm running on infected hosts, instructing them to perform self-updates.
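Added example (not from the AVERT entry or this mail): a check that scans a Windows 9x WININIT.INI for a pending rename that would overwrite WSOCK32.DLL, the mechanism described above. It assumes the standard WININIT.INI "[rename]" section layout (destination=source); the file content in the block is a constructed sample, not a real capture.

```python
# Scan WININIT.INI for a pending rename that would replace WSOCK32.DLL, or that
# uses an extensionless 8-character source file as the description of W32/Hybris
# says the worm creates. [rename] section with destination=source lines is the
# standard Windows 9x WININIT.INI layout (assumption stated in the lead-in).
import re
from typing import List, Tuple

RANDOM_NAME = re.compile(r"^[A-Z0-9]{8}$", re.IGNORECASE)  # 8 chars, no extension


def parse_rename_section(text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section."""
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def suspicious_renames(text: str) -> List[Tuple[str, str]]:
    """Flag renames whose destination is WSOCK32.DLL or whose source looks like
    the worm's 8-random-character dropper file (a heuristic, not a signature)."""
    hits = []
    for dest, src in parse_rename_section(text):
        dest_name = dest.replace("/", "\\").split("\\")[-1]
        src_name = src.replace("/", "\\").split("\\")[-1]
        if dest_name.upper() == "WSOCK32.DLL" or RANDOM_NAME.match(src_name):
            hits.append((dest, src))
    return hits


# Constructed sample: one benign cleanup entry and one entry of the kind the
# description attributes to the worm.
SAMPLE_WININIT = """; constructed sample WININIT.INI
[rename]
NUL=C:\\WINDOWS\\TEMP\\setup.tmp
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\QXZHTKPD
"""

if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE_WININIT):
        print(f"pending rename would overwrite {dest} with {src}")
```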
The format of the newsgroup posted message is as follows:
anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: [email protected]
From:
Author-Address: anonymous anon lcs mit edu
Subject: http [44 character alpha code]
Mail-To-News-Contact: [email protected]
Organization: [email protected]
Newsgroups: alt.comp.virus
Lines: 46
KUWJGJWCVICGIWIWCZIWHCFXCHB [continues]....
[more coded lines]
[terminated by four asterisks]
****
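Added example (not from the AVERT entry or this mail): a classifier that flags a Usenet article matching the post format described above, so a news feed or proxy can be monitored for the worm's update traffic. It assumes "44 character alpha code" means 44 letters, and the sample article is constructed with placeholder Message-ID and code.

```python
# Classify a raw Usenet article as matching the W32/Hybris update-post format
# given in the description: Newsgroups alt.comp.virus, Subject "http " followed
# by a 44-letter code, a body of uppercase coded lines terminated by "****".
import re
from typing import Dict, List, Tuple

SUBJECT_RE = re.compile(r"^http [A-Za-z]{44}$")  # assumption: alpha = letters
CODED_LINE_RE = re.compile(r"^[A-Z]+$")


def split_message(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split an article into a header dict (lowercased names) and body lines."""
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers, body.splitlines()


def looks_like_hybris_post(text: str) -> bool:
    headers, body = split_message(text)
    if "alt.comp.virus" not in headers.get("newsgroups", "").lower():
        return False
    if not SUBJECT_RE.match(headers.get("subject", "")):
        return False
    coded = [ln for ln in body if ln.strip()]
    if not coded or coded[-1] != "****":  # body must end with four asterisks
        return False
    return all(CODED_LINE_RE.match(ln) for ln in coded[:-1])


# Constructed sample article; Message-ID, code and body are placeholders.
SAMPLE_POST = "\n".join([
    "Message-ID: <placeholder@example.invalid>",
    "From: ",
    "Subject: http " + "A" * 44,
    "Newsgroups: alt.comp.virus",
    "Lines: 3",
    "",
    "KUWJGJWCVICGIWIWCZIWHCFXCHB",
    "QWERTYUIOPASDFGHJKL",
    "****",
])

if __name__ == "__main__":
    print("matches Hybris post format:", looks_like_hybris_post(SAMPLE_POST))
```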
Removal Instructions
Use the specified engine and DAT files for detection and removal.
The WSOCK32.DLL file must be restored from backup. This can be done as follows:
Windows 98
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts
Windows95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
where D: is your CD-ROM drive