Threat Description

Hybris

Details

Aliases:Hybris, IWorm_Hybris, I-Worm.Hybris, Snow White, SnowWhite, SnoWhite
Category:Malware
Type:Worm
Platform:W32

Summary



Hybris is an Internet worm that spreads itself as an attachment to email messages. The worm works under Win32 systems only. The worm contains components (plugins) in its code that are executed depending on what worm needs, and these components can be upgraded from an Internet Web site. The major worm versions are encrypted with semi-polymorphic encryption loop.



Removal



Hybris can be successfully disinfected with a fresh version of FSAV and the latest updates for it.

http://www.europe.f-secure.com/download-purchase/http://www.europe.f-secure.com/download-purchase/updates.shtml

Note that Hybris file(s) might be locked while Windows is active and older versions of FSAV for Windows might not be able to remove it. In this case you can exit to DOS and remove Hybris file(s) manually.

You can also use a free version of F-Prot for DOS to remove Hybris from an infected system. It is a requirement to perform disinfection from pure DOS.

ftp://ftp.europe.F-Secure.com/anti-virus/free/ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/

Note: As Hybris has a plugin that infects EXE files, it is advised to disinfect all infected files first and then to remove all locked Hybris components manually.



Technical Details



The worm contains the following encrypted text strings:

HYBRIS
 (c) Vecna

The main worm's target on computes it tries to infect is the WSOCK32.DLL library. While infecting this DLL the worm:

- writes itself to the end of last file section - hooks "connect", "recv", "send" functions - modifies DLL entry routine address (a routine that is activated

when DLL file is being loaded) and encrypts original entry
  routine

If the worm is not able to infect WSOCK32.DLL at its startup (in case it is in use and is locked for writing) the worm creates a copy of this library (a copy of WSOCK32.DLL with random name), infects it and writes "rename" instruction to WININIT.INI file. As a result WSOCK32.DLL will be replaced with an infected one on next Windows startup.

The worm also creates its copy with random name in Windows system directory and registers it in RunOnce registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  {Default} = %WinSystem%\WormName

or

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  {Default} = %WinSystem%\WormName

where %WinSystem% is Windows system directory, and "WormName" is random name, for example:

CCMBOIFM.EXE
 LPHBNGAE.EXE
 LFPCMOIF.EXE

There is only one possible reason to register additional worm copy in "RunOnce" registry key: in case WSOCK32.DLL was not infected on first worm run, and its infected copy was not created because of some reason, the "RunOnce" worm copy will complete the task on next Windows restart.

Being active the worm intercepts Windows function that establish a network connection, including Internet. The worm intercepts data that is sent and received, and scans it for email addresses. When address(es) is detected, the worm waits for some time and then sends an infected message to that address(es).

The worm functionality depends on the plugins that are stored in a worm body encrypted with RSA-like strong crypto algorithm with 128 bits key. There are up to 32 plugins can be found in different worm versions. These plugins perform different actions, they can be updates from a Web page located at VietMedia.com website.

The complete worm functionality depends only on its host that is able to upgrade plugins from the Web page. The plugins are encrypted with a RSA-like crypto too.

The worm also updates its plugins by using alt.comp.virus newsgroup. The worm being active on a machine connects to a news server (by using one of randomly selected servers - there are more than 70 addresses in the list), converts its plugins to newsgroup messages and post them there. Worm's messages have random Subject, for example:

encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
 encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
 text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
 text RFRE rebibmTCDOzGbCjSZ

where first four characters represent plugin "name" and following four characters represent the encoded plugin "version". As well as sending, the worm reads such messages from alt.comp.virus, gets plugin "name" and "version" and compares with plugins that are currently used by the worm. In case a newsgroup has a message with higher plugin version, the worm extracts it and replaces existing one.

The worm drops its plugins to disk as files in Windows sytem directory. They also have random name, but the worm is able to access them. The names may look as follows:

BIBGAHNH.IBG
 DACMAPKO.ACM
 GAFIBPFM.AFI
 IMALADOL.MAL
 MALADOLI.ALA

There are several different plugins known:

1. Infect all ZIP and RAR archives on all available drives from C: till Z:. While infecting the worm renames EXE files in archive with .EX$ extension and add its copy with .EXE extension to the archive (companion method of infection).

2. Send messages with encoded plugins to "alt.comp.virus" neewsgroup, and gets new plugins from there.

3. Spread virus to remote machines that have SubSeven backdoor trojan installed. The plugin detects such machines on the net, and by using SubSeven commands uploads worm copy to the machine and spawns it in there.

4. Encrypt worm copies with polymorphic encryption loop before sending the copy attached to email.

5. Affects DOS EXE and Windows PE EXE files. The worm affects them so that they become worm droppers. When run, they drop worm's EXE file to TEMP directory and execute it.

While affecting DOS EXE file the plugin adds dropper code and worm body to the end of a file. These files are can be cured.

While affecting Windows PE EXE file the plugin overwrites file code section (if is has enough size). The plugin doesn't touch file header (including entry point address), and does not increase file size. Moreover, it has a anti-CRC (chechsum) routine that fill special data in plugin code so that file CRC becomes the same for few common used CRC algorithms. That means, that some integrity checkers will not detect changes in affected files: the file length and file body CRC stay the same as on clean file.

6. Depending on system date and time (on September 16 and 24, and on 59 minute of each hour starting from 2001 - in known plugins) the "spirale" effect is run. It looks like that:

7. Randomly select Subject, Message text and Attach name while sending worm copies with email messages:

From:

Hahaha <hahaha@sexyfun.net>

Subjects:

Snowhite and the Seven Dwarfs - The REAL story!
  Branca de Neve porn'!
  Enanito si, pero con que pedazo!
  Les 7 coquir nains

Message texts:

C'etait un jour avant son dix huitieme anniversaire. Les 7
 nains, qui avaient aide 'blanche neige' toutes ces annees apr-s
 qu'elle se soit enfuit de chez sa belle m-re, lui avaient promis
 une *grosse* surprise. A 5 heures comme toujours, ils sont
 rentres du travail. Mais cette fois ils avaient un air coquin...
 Today, Snowhite was turning 18. The 7 Dwarfs always where very
 educated and polite with Snowhite. When they go out work at
 mornign, they promissed a *huge* surprise. Snowhite was anxious.
 Suddlently, the door open, and the Seven Dwarfs enter...
 Faltaba apenas un dia para su aniversario de de 18 a±os. Blanca
 de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos
 le prometieron una *grande* sorpresa para su fiesta de
 complea±os. Al entardecer, llegaron. Tenian un brillo incomun en
 los ojos...
 Faltava apenas um dia para o seu aniversario de 18 anos. Branca
 de Neve estava muito feliz e ansiosa, porque os 7 anµes
 prometeram uma *grande* surpresa. As cinco horas, os anµezinhos
 voltaram do trabalho. Mas algo nao estava bem... Os sete
 anµezinhos tinham um estranho brilho no olhar...

Attachment names:

enano.exe
 enano porno.exe
 blanca de nieve.scr
 enanito fisgon.exe
 sexy virgin.scr
 joke.exe
 midgets.scr
 dwarf4you.exe
 blancheneige.exe
 sexynain.scr
 blanche.scr
 nains.exe
 branca de neve.scr
 atchim.exe
 dunga.scr
 an£o porn'.scr

As well as (depending on its plugin version) the message Subject is a random combination of:

Anna +  sex
 Raquel Darian sexy
 Xena hot
 Xuxa hottest
 Suzete  cum
 famous  cumshot
 celebrity rapehorny
 leather ... e.t.c.

Attachment names:

Anna.exe
 Raquel Darian.exe
 Xena.exe
 Xuxa.exe
 Suzete.exe
 famous.exe
 celebrity rape.exe
 leather.exe
 sex.exe
 sexy.exe
 hot.exe
 hottest.exe
 cum.exe
 cumshot.exe
 horny.exe
 anal.exe
 gay.exe
 oral.exe
 pleasure.exe
 asian.exe
 lesbians.exe
 teens.exe
 virgins.exe
 boys.exe
 girls.exe
 SM.exe
 sado.exe
 cheerleader.exe
 orgy.exe
 black.exe
 blonde.exe
 sodomized.exe
 hardcore.exe
 slut.exe
 doggy.exe
 suck.exe
 messy.exe
 kinky.exe
 fist-f*cking.exe
 amateurs.exe

The worm can also send itself with a random, 8-letter name, for example UKSJHHKW.EXE.

In some cases a worm can send itself attached to an empty message. We also have reports that it can use the recepient's mail server directly.

It is advised to excercise extreme caution when executable attachments arrive in your inbox, no matter where they come from and how 'trustworthy' a message looks.





Technical Details: Eugene Kaspersky, KL; Alexey Podrezov, F-Secure Corp.; Nov 2000 - Jan 2001


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More