F-Secure Virus Descriptions : Hybris
Hybris is an Internet worm that spreads itself as an attachment
to email messages. The worm works under Win32 systems only. The
worm contains components (plugins) in its code that are executed
depending on what the worm needs, and these components can be
upgraded from an Internet Web site. The major worm versions are
encrypted with a semi-polymorphic encryption loop.
The worm contains the following encrypted text strings:
HYBRIS
(c) Vecna
The worm's main target on the computers it tries to infect is the
WSOCK32.DLL library. While infecting this DLL the worm:
- writes itself to the end of the last file section
- hooks the "connect", "recv" and "send" functions
- modifies the DLL entry routine address (the routine that is
activated when the DLL file is loaded) and encrypts the original
entry routine
If the worm is not able to infect WSOCK32.DLL at its startup
(because the library is in use and locked for writing), the worm
creates a copy of this library (a copy of WSOCK32.DLL with a
random name), infects it and writes a "rename" instruction to the
WININIT.INI file. As a result, WSOCK32.DLL is replaced with the
infected copy on the next Windows startup.
The worm also creates a copy of itself with a random name in the
Windows system directory and registers it in the RunOnce registry
key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
{Default} = %WinSystem%\WormName
or
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
{Default} = %WinSystem%\WormName
where %WinSystem% is the Windows system directory, and "WormName"
is a random name, for example:
CCMBOIFM.EXE
LPHBNGAE.EXE
LFPCMOIF.EXE
There is only one possible reason to register an additional worm
copy in the "RunOnce" registry key: in case WSOCK32.DLL was not
infected on the first worm run, and its infected copy was not
created for some reason, the "RunOnce" worm copy will complete
the task on the next Windows restart.
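The two persistence traces described above (the WININIT.INI "rename" entry that swaps in the infected WSOCK32.DLL, and a RunOnce default value pointing at a random 8-letter EXE in the system directory) can be checked offline from a copy of WININIT.INI and a .reg export. This is an added example, not F-Secure code; the sample file contents are constructed, and the DLL copy name LFPCMOIF.DLL is an invented placeholder.

```python
import re

# Random 8-letter worm names as the text describes, e.g. CCMBOIFM.EXE.
RANDOM_NAME = re.compile(r"^[A-Z]{8}\.EXE$", re.IGNORECASE)
RUNONCE_SUFFIX = r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"

def wininit_renames(ini_text):
    """(destination, source) pairs from the [rename] section of WININIT.INI;
    Windows 9x applies them at the next boot, before the DLL is locked."""
    pairs, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            pairs.append((dest, src))
    return pairs

def suspicious_renames(ini_text):
    """Renames that would swap WSOCK32.DLL for another file at next startup."""
    return [(d, s) for d, s in wininit_renames(ini_text)
            if d.split("\\")[-1].upper() == "WSOCK32.DLL"]

def suspicious_runonce(reg_text):
    """RunOnce default values in a .reg export that launch a random
    8-letter EXE from the system directory."""
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.upper().endswith(RUNONCE_SUFFIX) else None
            continue
        if current and line.startswith("@="):
            # .reg exports double the backslashes inside string values
            value = line[2:].strip().strip('"').replace("\\\\", "\\")
            if "\\SYSTEM" in value.upper() and RANDOM_NAME.match(value.split("\\")[-1]):
                hits.append((current, value))
    return hits

# Constructed samples, not captures from an infected machine.
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\~setup.tmp
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\LFPCMOIF.DLL
"""
SAMPLE_REG = """[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
@="C:\\\\WINDOWS\\\\SYSTEM\\\\CCMBOIFM.EXE"

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"
"""
```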
While active, the worm intercepts the Windows functions that
establish network connections, including Internet connections.
The worm intercepts data that is sent and received and scans it
for email addresses. When one or more addresses are detected, the
worm waits for some time and then sends an infected message to
each of them.
The worm's functionality depends on the plugins that are stored in
the worm body, encrypted with an RSA-like strong crypto algorithm
with a 128-bit key. Up to 32 plugins can be found in different
worm versions. These plugins perform different actions, and they
can be updated from a Web page located at the VietMedia.com
website.
The complete worm functionality depends only on its host being
able to upgrade plugins from the Web page. The plugins are
encrypted with an RSA-like crypto too.
The worm also updates its plugins by using the alt.comp.virus
newsgroup. When active on a machine, the worm connects to a news
server (one of randomly selected servers; there are more than 70
addresses in the list), converts its plugins to newsgroup messages
and posts them there. The worm's messages have a random Subject,
for example:
encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
text RFRE rebibmTCDOzGbCjSZ
where the first four characters represent the plugin "name" and
the following four characters represent the encoded plugin
"version". As well as sending, the worm reads such messages from
alt.comp.virus, gets the plugin "name" and "version" and compares
them with the plugins that are currently used by the worm. In
case the newsgroup has a message with a higher plugin version,
the worm extracts it and replaces the existing one.
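A news-server or IDS filter can pick out these plugin-exchange messages from ordinary alt.comp.virus traffic by their Subject layout. The parser below is an added example, not part of the original description; it assumes the second token is the 4-letter plugin name, the first four characters of the third token are the encoded version (kept opaque, since the encoding is not described), and that the body consists of letters only, as in the four quoted samples.

```python
import re
from collections import defaultdict

# "encr"/"text", a 4-letter plugin name, then the encoded body whose
# first four characters carry the encoded version.  Letters-only body
# is an assumption drawn from the quoted samples.
SUBJECT = re.compile(r"^(encr|text) ([A-Z]{4}) ([A-Za-z]{4})([A-Za-z]+)$")

def parse_subject(subject):
    """Return (kind, name, version, body) or None for an ordinary subject."""
    m = SUBJECT.match(subject.strip())
    return m.groups() if m else None

def plugin_inventory(subjects):
    """Group worm-style subjects by plugin name -> {version token: kind},
    the same bookkeeping the worm does before deciding to replace a plugin."""
    inv = defaultdict(dict)
    for s in subjects:
        parsed = parse_subject(s)
        if parsed:
            kind, name, version, _ = parsed
            inv[name][version] = kind
    return dict(inv)

def worm_subjects(subjects):
    """Only the subjects that match the plugin-exchange layout."""
    return [s for s in subjects if parse_subject(s)]

# Constructed sample feed: two subjects quoted in the description mixed
# with ordinary newsgroup traffic and one invented second version of HVGT.
SAMPLE_SUBJECTS = [
    "Re: new worm spreading via email?",
    "encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD",
    "text RFRE rebibmTCDOzGbCjSZ",
    "encr HVGT GTeMabcdefgh",   # constructed: same plugin, other version token
    "encr hvgt lowercase-name-does-not-match",
]
```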
The worm drops its plugins to disk as files in the Windows system
directory. They also have random names, but the worm is able to
access them. The names may look as follows:
BIBGAHNH.IBG
DACMAPKO.ACM
GAFIBPFM.AFI
IMALADOL.MAL
MALADOLI.ALA
There are several different plugins known:
1. Infects all ZIP and RAR archives on all available drives from
C: to Z:. While infecting, the worm renames EXE files in the
archive to the .EX$ extension and adds its copy with the .EXE
extension to the archive (companion method of infection).
2. Sends messages with encoded plugins to the "alt.comp.virus"
newsgroup, and gets new plugins from there.
3. Spreads the virus to remote machines that have the SubSeven
backdoor trojan installed. The plugin detects such machines on
the net and, by using SubSeven commands, uploads a worm copy to
the machine and spawns it there.
4. Encrypts worm copies with a polymorphic encryption loop before
sending the copy attached to email.
5. Affects DOS EXE and Windows PE EXE files. The worm affects
them so that they become worm droppers. When run, they drop the
worm's EXE file to the TEMP directory and execute it.
While affecting a DOS EXE file the plugin adds dropper code and
the worm body to the end of the file. These files can be cured.
While affecting a Windows PE EXE file the plugin overwrites the
file's code section (if it has enough size). The plugin doesn't
touch the file header (including the entry point address), and
does not increase the file size. Moreover, it has an anti-CRC
(checksum) routine that fills special data into the plugin code
so that the file CRC stays the same for a few commonly used CRC
algorithms. That means that some integrity checkers will not
detect changes in affected files: the file length and file body
CRC stay the same as for the clean file.
6. Depending on the system date and time (on September 16 and 24,
and at the 59th minute of each hour starting from 2001, in known
plugins) the "spirale" effect is run. It looks like this:
7. Randomly selects the Subject, message text and attachment name
while sending worm copies with email messages:
From:
Hahaha <hahaha@sexyfun.net>
Subjects:
Snowhite and the Seven Dwarfs - The REAL story!
Branca de Neve pornô!
Enanito si, pero con que pedazo!
Les 7 coquir nains
Message texts:
C'etait un jour avant son dix huitieme anniversaire. Les 7
nains, qui avaient aidé 'blanche neige' toutes ces années après
qu'elle se soit enfuit de chez sa belle mère, lui avaient promis
une *grosse* surprise. A 5 heures comme toujours, ils sont
rentrés du travail. Mais cette fois ils avaient un air coquin...
Today, Snowhite was turning 18. The 7 Dwarfs always where very
educated and polite with Snowhite. When they go out work at
mornign, they promissed a *huge* surprise. Snowhite was anxious.
Suddlently, the door open, and the Seven Dwarfs enter...
Faltaba apenas un dia para su aniversario de de 18 años. Blanca
de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos
le prometieron una *grande* sorpresa para su fiesta de
compleaños. Al entardecer, llegaron. Tenian un brillo incomun en
los ojos...
Faltava apenas um dia para o seu aniversario de 18 anos. Branca
de Neve estava muito feliz e ansiosa, porque os 7 anões
prometeram uma *grande* surpresa. As cinco horas, os anõezinhos
voltaram do trabalho. Mas algo nao estava bem... Os sete
anõezinhos tinham um estranho brilho no olhar...
Attachment names:
enano.exe
enano porno.exe
blanca de nieve.scr
enanito fisgon.exe
sexy virgin.scr
joke.exe
midgets.scr
dwarf4you.exe
blancheneige.exe
sexynain.scr
blanche.scr
nains.exe
branca de neve.scr
atchim.exe
dunga.scr
anão pornô.scr
As well as that (depending on its plugin version), the message
Subject is a random combination of:
Anna + sex
Raquel Darian sexy
Xena hot
Xuxa hottest
Suzete cum
famous cumshot
celebrity rape horny
leather ... etc.
Attachment names:
Anna.exe
Raquel Darian.exe
Xena.exe
Xuxa.exe
Suzete.exe
famous.exe
celebrity rape.exe
leather.exe
sex.exe
sexy.exe
hot.exe
hottest.exe
cum.exe
cumshot.exe
horny.exe
anal.exe
gay.exe
oral.exe
pleasure.exe
asian.exe
lesbians.exe
teens.exe
virgins.exe
boys.exe
girls.exe
SM.exe
sado.exe
cheerleader.exe
orgy.exe
black.exe
blonde.exe
sodomized.exe
hardcore.exe
slut.exe
doggy.exe
suck.exe
messy.exe
kinky.exe
fist-f*cking.exe
amateurs.exe
The worm can also send itself with a random 8-letter name, for
example UKSJHHKW.EXE.
In some cases the worm can send itself attached to an empty
message. We also have reports that it can use the recipient's
mail server directly.
It is advised to exercise extreme caution when executable
attachments arrive in your inbox, no matter where they come from
and how 'trustworthy' a message looks.
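Plugin 1 above leaves a recognisable trace in archives: each original EXE survives renamed to .EX$ beside a same-stem .EXE, and every such companion .EXE is the same worm body, so they all share one size. The check below is an added example (not F-Secure code) that scans ZIP archives for that pattern with the standard library; RAR is out of scope here, and the archive contents are constructed.

```python
import io
import zipfile
from collections import defaultdict

COMPANION_EXTS = ("EX$", "EXE")

def companion_pairs(zip_bytes):
    """(ex$_info, exe_info) for each stem that has both an .EX$ and an .EXE
    entry, the trace of the companion infection of ZIP archives."""
    by_stem = defaultdict(dict)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            stem, dot, ext = info.filename.rpartition(".")
            if dot and ext.upper() in COMPANION_EXTS:
                by_stem[stem.upper()][ext.upper()] = info
    return [(e["EX$"], e["EXE"]) for e in by_stem.values()
            if "EX$" in e and "EXE" in e]

def looks_infected(zip_bytes):
    """Suspect when companion pairs exist and all companion .EXE entries
    have one size (copies of a single worm body).  Returns (flag, pairs)."""
    pairs = companion_pairs(zip_bytes)
    names = [(exs.filename, exe.filename) for exs, exe in pairs]
    if not pairs:
        return False, names
    same_size = len({exe.file_size for _, exe in pairs}) == 1
    return same_size, names

def build_sample(infected=True):
    """Constructed archive: two renamed originals plus identical companions
    and one untouched file; with infected=False only the originals."""
    worm_body = b"MZ constructed worm body" * 4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if infected:
            zf.writestr("setup.ex$", b"MZ original setup")
            zf.writestr("setup.EXE", worm_body)
            zf.writestr("tools/cleanup.ex$", b"MZ original cleanup program")
            zf.writestr("tools/cleanup.exe", worm_body)
        else:
            zf.writestr("setup.exe", b"MZ original setup")
            zf.writestr("tools/cleanup.exe", b"MZ original cleanup program")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()
```

Original programs with a legitimate .EX$ sibling are rare, so a hit is worth a manual look even if the size heuristic fails.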
Hybris can be successfully disinfected with a fresh version of
FSAV and the latest updates for it.
http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml
Note that Hybris file(s) might be locked while Windows is active
and older versions of FSAV for Windows might not be able to
remove it. In this case you can exit to DOS and remove Hybris
file(s) manually.
You can also use a free version of F-Prot for DOS to remove
Hybris from an infected system. It is a requirement to perform
disinfection from pure DOS.
ftp://ftp.europe.F-Secure.com/anti-virus/free/
ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/
Note: As Hybris has a plugin that infects EXE files, it is
advised to disinfect all infected files first and then to remove
all locked Hybris components manually.
[Eugene Kaspersky, KL; Alexey Podrezov, F-Secure Corp.; Nov 2000 - Jan 2001]