Franz Co (ms_slasher@mail.com)
Thu, 21 Dec 2000 07:10:27 -0500 (EST)


Thanks. We'll all be wary of such.

------Original Message------
From: "-Z-" <z@gundam.com>
To: <gundam@aeug.org>
Sent: December 21, 2000 2:29:37 AM GMT
Subject: [gundam] "Snow White" Hybris.Gen Update

A number of members of this list have been hit with this, so here are the gory details.

W95.Hybris.Gen

Due to a recent increase in world-wide infections of this worm, the Symantec Antivirus Research Center (SARC) has increased the threat level of this worm to 4 (Moderate).

W95.Hybris is a worm that spreads by email as an attachment to outgoing emails. It was discovered in late September of 2000. Although very few infections were reported in October 2000 when the worm was discovered, the worm is becoming more common in November and December.

The message may include the text "Snow White and the Seven dwarves" and the attachment may have one of several different names, including, but not limited to:

anpo porn(.scr
atchim.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr

When the worm attachment is executed, the WSOCK32.DLL file will be modified. This will give the worm the ability to attach itself to all outbound email. The email attachment will have a random name but the filename extension is either EXE or SCR.

The worm attempts to connect to the newsgroup alt.comp.virus. After it connects successfully, the worm uploads its own plug-ins in an encrypted form to this newsgroup. It goes through the subject headers of the messages and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if these plug-ins are indeed present. If a newer version of the plug-ins is found, the worm downloads these modules and updates its behavior. For example, there are known modules that give the worm the ability to infect compressed files like ZIP.

If WSOCK32.DLL is being used by the system, the worm will be unable to modify this file. Thus, in this situation, the worm will add a registry key to one of the following subtrees:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

It will always alternate between the two trees mentioned above as the worm spreads from one machine to another. The worm hooks the following exports of WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an email to a person, the worm will also send out another email to the same person, attaching a copy of itself using a randomly generated filename.

To remove W95.Hybris, restore the original WSOCK32.DLL file. Other files detected as W95.Hybris contain only the virus body and must be deleted. Norton and McAfee AntiVirus will both repair the WSOCK32.DLL file automatically and detect any other infected files, provided you're using a current set (late November or early December) of virus definitions.

Email worms have recently eclipsed macro viruses as the most popular and widespread vector of attack, so much so that Symantec has just instituted a new naming convention. Email worms are now identified with "@m" in the virus name, with "@mm" for those that propagate through mass mailing.

At least two members of this list have already been infected and came to me for help. I've just given all of you the same information. It's not that much, but it's the best I can do.

-Z-

-
Gundam Mailing List Archives are available at http://gundam.aeug.org/


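The advisory above lists three things a mail gateway can check for without any virus definitions: the "Snow White and the Seven dwarves" lure text, the known attachment names, and the fact that the worm's random attachment names always end in EXE or SCR. The script below is an added example written for this archive page, not part of -Z-'s post or of any Symantec tool. It parses a raw RFC 822 message with Python's standard email module and reports which of those indicators are present; the sample messages it builds are constructed here for illustration, and the name list is copied from the post.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the W95.Hybris advisory above.  Matching is
# case-insensitive because the worm's filenames are randomly generated
# and mailers vary in how they case the extension.
HYBRIS_BODY_TEXT = "snow white and the seven dwarves"
HYBRIS_KNOWN_NAMES = {
    "anpo porn(.scr", "atchim.exe", "branca de neve.scr", "dunga.scr",
    "dwarf4you.exe", "enano porno.exe", "joke.exe", "midgets.scr",
    "sexy virgin.scr",
}
HYBRIS_EXTENSIONS = (".exe", ".scr")


def scan_message(raw: bytes) -> dict:
    """Return the Hybris indicators found in one raw RFC 822 message.

    known_names            attachment names from the advisory's list
    executable_attachments any .exe/.scr attachment (the worm uses random names)
    body_text              True if the Snow White lure text is in a text part
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"known_names": [], "executable_attachments": [], "body_text": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            lname = name.lower()
            if lname in HYBRIS_KNOWN_NAMES:
                found["known_names"].append(name)
            if lname.endswith(HYBRIS_EXTENSIONS):
                found["executable_attachments"].append(name)
        elif part.get_content_type() == "text/plain":
            if HYBRIS_BODY_TEXT in part.get_content().lower():
                found["body_text"] = True
    return found


def is_suspicious(found: dict) -> bool:
    """Any single indicator is enough to quarantine for manual review."""
    return bool(found["known_names"]
                or found["executable_attachments"]
                or found["body_text"])


def build_sample(attachment_name: str, body: str) -> bytes:
    """Construct a test message (constructed data, not a real capture).

    The attachment payload is a four-byte stand-in for a PE header; the
    scanner only looks at names, so no real worm body is needed.
    """
    m = EmailMessage()
    m["From"] = "sender@example.com"   # hypothetical addresses
    m["To"] = "list@example.org"
    m["Subject"] = "hello"
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("dwarf4you.exe", "Snow White and the Seven dwarves"),
        build_sample("xk3j9.scr", "check this out"),   # random name, bad extension
        build_sample("report.pdf", "meeting notes"),   # benign
    ]
    for raw in samples:
        result = scan_message(raw)
        print("SUSPICIOUS" if is_suspicious(result) else "clean", result)
```

The second sample matters more than the first: once the worm has hooked WSOCK32.DLL its attachment names are random, so a filter keyed only on the published name list will miss most copies, while the EXE/SCR extension check catches them. A gateway that wants fewer false positives can require both an executable attachment and the lure text, at the cost of missing the randomly named variants.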



This archive was generated by hypermail 2.0b3 on Thu Dec 21 2000 - 21:10:45 JST