================================================
Subject: Re: NCR: Virus Proven True (NAV scanned it) any info about it?
From: "DebbiR"
To:
Date: Fri 20 Jul 2001 15:46:06 -0700
================================================

Yep... Looking at the headers, yahoo.com held this message for 4 days. Maybe all the yahoo mail gates will flood now!

-----Original Message-----
From: Creed Discussion List [mailto:CREED-DISCUSS@WINDUPLIST.COM] On Behalf Of ]\[][G}{T§TÖ®]v[
Sent: Monday, July 16, 2001 3:07 PM
To: CREED-DISCUSS@WINDUPLIST.COM
Subject: Re: NCR: Virus Proven True (NAV scanned it), any info about it?

Hell... that makes life a WHOLE lot easier. Here's the URL. I also included the other variation of the virus...

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HYBRIS.J

TROJ_HYBRIS.J
Risk rating: Low
Virus type: Trojan
Destructive: N
Aliases: W32/Hybris.gen@MM, W32/Hybris-C, W95/Hybris.worm.D, W95.Hybris.worm, I-Worm.Hybris.g, TROJ_HYBRIS.A, HYBRIS.J

Description:
This encrypted Trojan is a variant of TROJ_HYBRIS.A. It does not have a destructive payload.

Details:
TROJ_HYBRIS.E is an encrypted variant of TROJ_HYBRIS.A which seems to be a non-working or unfinished version of the Trojan. When run, this Trojan modifies the WSOCK32.DLL in the Windows system folder. The infected WSOCK32.DLL is detected by Trend antivirus as TROJ_HYBRIS.DLL. After it modifies WSOCK32.DLL, it does not employ any other activity on the infected machine. This Trojan does not have a destructive payload.

*******************************************

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HYBRIS.A

TROJ_HYBRIS.A
Risk rating: Low
Virus type: Trojan
Destructive: N
Aliases: Snow White, I-Worm.Hybris, W32/Hybris@M, Win32.Hybris.Gen, TROJ_HYBRIS.A, TROJ_HYBRIS.D, TROJ_HYBRIS.B, TROJ_HYBRIS.C, TROJ_HYBRIS.E, TROJ_HYBRIS.GEN, TROJ_HYBRIS.DLL, TROJ_HYBRIS.PX

Description:
This semi-polymorphic worm propagates via email and may also spread through Newsgroup postings. It does not have any destructive payloads. However, it has several known plug-ins that may be upgraded to make it malicious. Upon execution, this worm monitors Internet access from the infected computer, as well as email sent and received. Once it detects an Internet connection, it sends an additional email to all addresses that the infected user sent email to after the worm was executed. This email has a copy of the worm as an attachment. The filename of the attachment is selected randomly depending upon the system default language of the infected computer.

Details:
Upon execution, this Trojan attempts to patch WSOCK32.DLL. Since WSOCK32.DLL is in use, the Trojan cannot directly patch it and drops a copy of itself in the Windows system directory. In addition, it adds a reference to itself in the Autorun key of the system registry:

//HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
(Default) = %systemdir%\TrojanName

Where "%systemdir%" is the Windows System directory, and "TrojanName" is the name of the dropped file. This enables the Trojan to run at every Windows startup.

When the system is restarted, the Trojan tries again to patch WSOCK32.DLL's connect( ), send( ), and recv( ) functions to allow it to monitor Internet access as well as the sending and receiving of emails.

To avoid detection, the Trojan modifies WININIT.INI so that its copy in the Windows System directory is deleted:

NUL = %systemdir%\TrojanName

Due to this, the copy of the Trojan in the Windows System directory is deleted.

In addition to this, the Trojan also extracts the current plug-ins in the Windows System directory with randomly generated filenames. A few examples are:

OLIMALAD.LIM
DOLIMALA.OLI
PKODACMA.KOD

Then the Trojan spreads via its own SMTP engine. A sample of the email it sends out is:

From: Hahaha hahaha@sexyfun.net

Depending upon the Default Language Identifier of the infected system, the Trojan generates the following fields of the email:

Subject in English: Snowhite and the Seven Dwarfs - The REAL story!
Subject for French: Les 7 coquir nains

Attachments in English: sexy virgin.scr, joke.exe, midgets.scr or dwarf4you.exe
Attachments in French: blancheneige.exe, sexynain.scr, blanche.scr or nains.exe

Message Body in English:
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

Message Body in French:
C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin.

If the language of the system is not English, Portuguese, French or Spanish, the email sent out does not have any subject or message body, only an attachment with a randomly generated filename.

In addition to sending email, there are known plug-ins of this Trojan, which may be downloaded from a certain website. These plug-ins are known to be malicious. The plug-in filenames are: HTTP.DAT, NEWS.DAT, AVINET.DAT, ENCR.DAT, PR0N.DAT, SPIRALE.DAT, SUB7.DAT, and DOSEXE.DAT.

The Trojan body also contains the following text:

HYBRIS (c) Vecna; encrypted

Variant Information:
TROJ_HYBRIS.B does not utilize the RUNONCE registry key. Instead, it uses the WININIT.INI to replace the WSOCK32.DLL with its own copy. The dropped file has no extension, is randomly generated and automatically destroys itself.
Sample filenames are: JKCLNCKPF or LPHBNGAE

In the cases of TROJ_HYBRIS.C, TROJ_HYBRIS.F, TROJ_HYBRIS.D, TROJ_HYBRIS.E and TROJ_HYBRIS.GEN, the main Trojan body is encrypted. The size of this encrypted body varies from variant to variant, as does the size of WSOCK32.DLL. In addition, TROJ_HYBRIS.D uses TMP as a filename.

To unsubscribe or change your preferences for the Creed-Discuss list, visit:
http://www.winduplist.com/ls/discuss/form.asp
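As an added example (not part of the thread or of the Trend Micro entry it quotes), a mail-side check that flags a message carrying the Hybris indicators listed above: the sexyfun.net sender, the English or French subject line, and the known attachment names. The sample message is constructed here and its attachment body is a dummy, not worm code.

```python
import email
from email import policy

# Indicators quoted from the Trend Micro entry forwarded above.
HYBRIS_SENDER = "hahaha@sexyfun.net"
HYBRIS_SUBJECTS = {
    "snowhite and the seven dwarfs - the real story!",
    "les 7 coquir nains",
}
HYBRIS_ATTACHMENTS = {
    "sexy virgin.scr", "joke.exe", "midgets.scr", "dwarf4you.exe",
    "blancheneige.exe", "sexynain.scr", "blanche.scr", "nains.exe",
}

def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def hybris_indicators(raw):
    """Return the indicators matched by one RFC 822 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if HYBRIS_SENDER in (msg.get("From") or "").lower():
        hits.append("sender")
    if (msg.get("Subject") or "").strip().lower() in HYBRIS_SUBJECTS:
        hits.append("subject")
    names = {n.lower() for n in attachment_names(msg)}
    if names & HYBRIS_ATTACHMENTS:
        hits.append("attachment")
    return hits

# Constructed sample shaped like the worm's English mail; the attachment is a dummy.
SAMPLE_WORM_MAIL = """\
From: Hahaha <hahaha@sexyfun.net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Today, Snowhite was turning 18.
--b1
Content-Type: application/octet-stream; name="joke.exe"
Content-Disposition: attachment; filename="joke.exe"

dummy
--b1--
"""
```

Running `hybris_indicators(SAMPLE_WORM_MAIL)` returns all three indicator names; a message matching only the French subject returns just `["subject"]`.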