Author Topic:   HUSHMAIL USERS READ THIS!
blackhaus1

Elite Bodybuilder

Posts: 1344
From:LI, NY
Registered: May 2000

posted January 11, 2001 02:10 PM



I got a virus in my hushmail account from this email addy: [email protected]. Thankfully I have virus shield and it detected it before I opened the attachment. Just for you guys that don't have virusshield, beware and don't open anything that has to do with snow white in the subject.

------------------
"Keep your friends close and your enemies closer..."


Big Buck

Elite Bodybuilder

Posts: 869
From:San Diego, CA
Registered: May 2000

posted January 11, 2001 02:27 PM



good looking out Blackhaus, Thanx!!!


Hacker

Elite Bodybuilder

Posts: 1058
From:So. Cal.
Registered: Jul 2000

posted January 11, 2001 02:59 PM



Damn, I got the same thing, but thankfully didn't open it.


2Thick

Moderator

Posts: 6009
From:Me, To You
Registered: Jun 2000

posted January 11, 2001 03:25 PM



If you want to see something really sketchy, then go and visit www.sexyfun.net !!

[This message has been edited by 2Thick (edited January 11, 2001).]


The Ghost

Elite Bodybuilder

Posts: 823
From:Earth
Registered: Nov 2000

posted January 11, 2001 03:27 PM



Thanks Blackhaus.


blackhaus1

Elite Bodybuilder

Posts: 1344
From:LI, NY
Registered: May 2000

posted January 11, 2001 05:12 PM



I just wanna keep this at the top...it's not only limited to hushmail users...anyone could have gotten this since it's a worm file...here's the info on it...

Name: W32/Hybris-C
Type: Win32 worm
Detection: Will be detected by Sophos Anti-Virus February 2001 (3.42) or later. A virus identity (IDE) file is available for earlier versions from the Latest virus identities section.

Sophos has received several reports of this worm from the wild.

Sophos researchers have released an updated IDE file which detects a minor mutation of the virus.

Comments: W32/Hybris-C is a worm capable of updating its functionality over the internet.

It consists of a base part and a collection of upgradeable components. The components are stored within the worm body encrypted with 128-bit strong cryptography.

When run, the worm infects WSOCK32.DLL. Whenever an email is sent, the worm attempts to send a copy of itself as an attachment to a separate message to the same recipient.

Any other behaviour exhibited by the worm is entirely dependent on the set of installed components. The effects of components known to Sophos at the time of writing are described below.

The text of the email message is determined by one of the installed components, and hence can be changed by the upgrading mechanism detailed below.

Consequently the message can have any subject, any message text and any filename for the attached file.

A common component of the worm checks the language settings of the computer it has infected, and selects a message accordingly from:

English

Subject:
Snowhite and the Seven Dwarfs - The REAL story!

Message text:
polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...


French

Subject:
aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez

Message text:
sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...

Portuguese

Subject:
muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa.

Message text:
As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...

Spanish

Subject:
siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*

Message text:
sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...

The methods for upgrading the worm can also be changed as they are also upgradable components. At the time of writing, two have been seen.

One of the upgrading techniques attempts to download the encrypted components from a website which is presumably operated by the worm author. This website has since been disabled. However, this component could be upgraded to have a different web address.

The other method involves posting its current plug-ins to the usenet newsgroup alt.comp.virus, and upgrading them from other posts by other infections of the worm. These are again in the encrypted form, and have a header with a four character identifier and a four character version number, in order for the worm to know which plug-ins to install.

Another component of the worm searches the PC for .ZIP and .RAR archive files. When it finds one, it searches inside it for a .EXE file, which it renames to .EX$, and then adds a copy of itself to the archive using the original filename.

There is a payload component, which on the 24th of September of any year (which very ironically, is my BIRTHDAY!!!!!!!!), or at 1 minute to the hour at any day in the year 2001, displays a large animated spiral in the middle of the screen which is difficult to close.


------------------
"Keep your friends close and your enemies closer..."

[This message has been edited by blackhaus1 (edited January 11, 2001).]


ajc

Guru

Posts: 2291
From:The Mid-West
Registered: Apr 2000

posted January 11, 2001 06:20 PM



Blackhaus1...What kind of sites have you been visiting? Sexyfun?


sxjunky

Amateur Bodybuilder

Posts: 152
From:red light district
Registered: Dec 2000

posted January 11, 2001 06:23 PM



Yeah, I got the same email on my hotmail addy.


blackhaus1

Elite Bodybuilder

Posts: 1344
From:LI, NY
Registered: May 2000

posted January 11, 2001 06:32 PM



If u went to the site you'd realize it's a worm virus that is spread thru address books. I didn't visit any dirty sites thank you very much.

------------------
"Keep your friends close and your enemies closer..."


ajc

Guru

Posts: 2291
From:The Mid-West
Registered: Apr 2000

posted January 11, 2001 06:42 PM



quote:
Originally posted by blackhaus1:
If u went to the site you'd realize it's a worm virus that is spread thru address books. I didn't visit any dirty sites thank you very much.



Just giving you a little crap...Sorry!

I'm in the IT field, so I know (all too well) how those viruses are spread.


blackhaus1

Elite Bodybuilder

Posts: 1344
From:LI, NY
Registered: May 2000

posted January 11, 2001 10:36 PM



just bumpin it up

------------------
"Keep your friends close and your enemies closer..."


WenchofNazir

Novice

Posts: 2
From:OutToLunch
Registered: Jan 2001

posted January 12, 2001 01:01 AM



Did anyone find out how to detect it if you may have opened something like this? I think I may have gotten a mail like that a month ago. I wonder if I have it.........


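An added example, not part of any post in this thread and not Sophos code: the archive behaviour quoted earlier (an .EXE inside a .ZIP renamed to .EX$, with a new file placed under the original name) leaves a layout that can be checked for. The function names, `make_zip` and the sample archive are constructed for illustration; only ZIP is read, since Python's standard library has no RAR reader.

```python
import io
import os
import zipfile


def renamed_exe_pairs(archive):
    """Return (exe_entry, ex$_entry) pairs found in one ZIP archive.

    `archive` is a path or a binary file object. A pair means the archive
    holds NAME.EX$ next to NAME.EXE in the same folder, the layout the
    quoted description gives. Names are compared case-insensitively.
    """
    with zipfile.ZipFile(archive) as zf:
        by_lower = {name.lower(): name for name in zf.namelist()}
    pairs = []
    for lower, name in by_lower.items():
        if lower.endswith(".ex$"):
            exe = by_lower.get(lower[:-4] + ".exe")
            if exe is not None:
                pairs.append((exe, name))
    return sorted(pairs)


def scan_tree(root):
    """Walk `root` and map each matching .zip path to its pairs."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".zip"):
                continue
            path = os.path.join(folder, fname)
            try:
                pairs = renamed_exe_pairs(path)
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or not really a ZIP: skip it
            if pairs:
                findings[path] = pairs
    return findings


def make_zip(names):
    """Build a constructed in-memory ZIP with dummy entries (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = make_zip(["tools/SETUP.EXE", "tools/SETUP.EX$", "README.TXT"])
    print(renamed_exe_pairs(sample))
```

A hit means the archive matches the layout in the description and should be checked with an up-to-date scanner; it does not by itself prove infection.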

All times are ET (US)
