-Z- (z@gundam.com)
Wed, 20 Dec 2000 18:29:37 -0800

A number of members of this list have been hit with this, so here are the gory


Due to a recent increase in world-wide infections of this worm, the Symantec
Antivirus Research Center (SARC) has increased the threat level of this worm to
4 (Moderate).

W95.Hybris is a worm that spreads by email as an attachment to outgoing emails.
It was discovered in late September of 2000. Although very few reports of
infection were reported in October 2000 when the worm was discovered, the worm
is becoming more common in November and December.

The message may include the text "Snow White and the Seven dwarves" and the
attachment may have one of several different names, including, but not limited

anpo porn(.scr
branca de neve.scr
enano porno.exe
sexy virgin.scr

When the worm attachment is executed, the WSOCK32.DLL file will be modified.
This will give the worm the ability to attach itself to all outbound email. The
email attachment will have a random name but the filename extension is either

The worm attempts to connect to the newsgroup alt.comp.virus. After it connects
successfully, the worm uploads its own plug-ins in an encrypted form to this
newsgroup. It goes through the subject header of the messages, and tries to
match a specific format. The subject header will also specify the version
number of the attached plug-in if these plug-ins are indeed present. If a newer
version of plug-ins is found, the worm downloads these modules and updates its
behavior. For example, there are known modules that give the worm ability to
infect compressed files like ZIP.

If WSOCK32.DLL is being used by the system, the worm will be unable to modify
this file. Thus, in this situation, the worm will add a registry key to one of
the following subtrees:


It will always alternate between these two trees mentioned above as the worm
spreads from one machine to another. The worm hooks on the following exports on
WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an email to a
person, the worm will also send out another email to the same person attaching a
copy of itself using a randomly generated filename.

To remove W95.Hybris, restore the original WSOCK32.DLL file. Other files
detected as W95.Hybris contain only the virus body and must be deleted. Norton
and McAfee AntiVirus will both repair the WSOCK32.DLL file automatically and
detect any other infected files, provided you're using a current set (late
November or early December) of virus definitions.

Email worms have recently eclipsed macro viruses as the most popular and
widespread vector of attack, so much so that Symantec has just instituted a new
naming convention. Email worms are now identified with "@m" in the virus name,
with "@mm" for those that propagate through mass mailing.

At least two members of this list have already been infected and came to me for
help. I've just given all of you the same information. It's not that much, but
it's the best I can do.


Gundam Mailing List Archives are available at http://gundam.aeug.org/

This archive was generated by hypermail 2.0b3 on Thu Dec 21 2000 - 11:29:56 JST