WORM_HYBRIS.B - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_HYBRIS.B

Overview

Solution

Technical Details

Malware type: Worm

Aliases: W95.Hybris.worm(Symantec), W32/Hybris-B(Sophos), Email-Worm.Win32.Hybris.b(Kaspersky), W95/Hybris.Gen.1(Avira), W32/Hybris.gen@MM(McAfee)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 9x/ME

Encrypted: No

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		Medium

Description:
This semi-polymorphic, non-memory resident worm propagates via email using its own SMTP engine. It monitors all outgoing mail by replacing the file, WSOCK32.DLL with its patched copy, from where it obtains its recipients. Then it sleeps for a random period of time, after which it sends out an email message to the obtained list of recipients with the following characteristics:

From: Hahaha
Subject: <depending on the Default Language Identifier of the system, it generates the following message headers>

Snowhite and the Seven Dwarfs - The REAL story! (English languge)

Les 7 coquir nains (French language)

Branca de Neve porn�! (Portuguese language)

Enanito si, pero con que pedazo! (Spanish language)

Message Body:

(English language)
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

(French language)
C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aid� 'blanche neige' toutes ces ann�es apr�s qu'elle se soit enfuit de chez sa belle m�re, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentr�s du travail. Mais cette fois ils avaient un air coquin...

(Portuguese language)
Faltava apenas um dia para o seu aniversario de 18 anos. Branca de Neve estava muito feliz e ansiosa, porque os 7 an�es prometeram uma *grande* surpresa. As cinco horas, os an�ezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete an�ezinhos tinham um estranho brilho no olhar...

(Spanish language)
Faltaba apenas un dia para su aniversario de de 18 a�os. Blanca de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande* sorpresa para su fiesta de complea�os. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...

Attachment:

sexy virgin.scr (English language)
joke.exe
midgets.scr
dwarf4you.exe

blancheneige.exe (French language)
sexynain.scr
blanche.scr
nains.exe

branca de neve.scr (Portuguese language)
atchim.exe
dunga.scr
an�o porn�.scr

enano.exe (Spanish language)
enano porno.exe
blanca de nieve.scr
enanito fisgon.exe

Note: If the default language is not one of the languages stated above, the worm sends out an email message with a blank subject, and message body along with an attachment using a randomly generated 8-letter name.

This worm also replaces WSOCK32.DLL with a patched copy for its mailing routine and works on Windows 95, 98, and ME systems.

It is also encrypted by using a semi-polymorphic encryption loop routine.

The worm body contains the following text:

HYBRIS
(c) Vecna

For additional information about this threat, see:
Solution
Technical Details

Description created: Nov. 22, 2000 8:10:35 AM GMT -0800
Description updated: Aug. 12, 2002 9:38:33 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.