
[Strictly OT] Viruses - The more sophisticated they come ...



Hi!
Yeah, I /know/ this is a LINUX list. But I am sure the techie in you would
have an interest in the increasingly sophisticated nature of viruses
coming out at large nowadays ... This virus has 128-bit encryption and
upgradeable components! Who knows when somebody wakes up and starts trying
out similar stuff in Linux ... and don't give me that it is not possible
.... ;)

- Sandip

----- Original Message -----
From: "Sophos Alert System" <listmaster@xxxxxxxxxx>
To: <Undisclosed recipients:>; <@mtnl.net.in>
Sent: Friday, August 03, 2001 10:40 PM
Subject: Sophos Anti-Virus IDE alert: W32/Hybris-F


>
> Name: W32/Hybris-F
> Type: Win32 worm
> Date: 3 August 2001
>
> Will be detected by Sophos Anti-Virus September 2001 (3.49) or
> later. A virus identity (IDE) file is available for earlier
> versions.
>
> At the time of writing Sophos has received just one report of
> this worm from the wild.
>
> Description:
>
> W32/Hybris-F is a worm capable of updating its functionality
> over the internet.
>
> It consists of a base part and a collection of upgradeable
> components. The components are stored within the worm body
> encrypted with 128-bit strong cryptography.
>
> When run, the worm infects WSOCK32.DLL. Whenever an email is
> sent, the worm attempts to send a copy of itself as an
> attachment to a separate message to the same recipient.
>
> Any other behaviour exhibited by the worm is entirely dependent
> on the set of installed components. The effects of components
> known to Sophos at the time of writing are described below.
>
> The text of the email message is determined by one of the
> installed components, and hence can be changed by the upgrading
> mechanism detailed below.
>
> Consequently the message can have any subject, any message text
> and any filename for the attached file.
>
> A common component of the worm checks the language settings of
> the computer it has infected, and selects a message accordingly
> from:
>
> English
>
> Subject:
> Snowhite and the Seven Dwarfs - The REAL story!
>
> Message text:
> polite with Snowhite. When they go out work at mornign, they
> promissed a *huge* surprise. Snowhite was anxious. Suddlently,
> the door open, and the Seven Dwarfs enter...
>
> French
>
> Subject:
> aidé 'blanche neige' toutes ces années après qu'elle se soit
> enfuit de chez
>
> Message text:
> sa belle mère, lui avaient promis une *grosse* surprise. A 5
> heures comme toujours, ils sont rentrés du travail. Mais cette
> fois ils avaient un air coquin...
>
> Portuguese
>
> Subject:
> muito feliz e ansiosa, porque os 7 anões prometeram uma
> *grande* surpresa.
>
> Message text:
> As cinco horas, os anõezinhos voltaram do trabalho. Mas algo
> nao estava bem... Os sete anõezinhos tinham um estranho brilho
> no olhar...
>
> Spanish
>
> Subject:
> siempre muy bien cuidada por los enanitos. Ellos le prometieron
> una *grande*
>
> Message text:
> sorpresa para su fiesta de compleaños. Al entardecer, llegaron.
> Tenian un brillo incomun en los ojos...
>
> The methods for upgrading the worm can also be changed as they
> are also upgradeable components. At the time of writing, two
> have been seen.
>
> One of the upgrading techniques attempts to download the
> encrypted components from a website which is presumably operated
> by the worm author. This website has since been disabled.
> However, this component could be upgraded to have a different
> web address.
>
> The other method involves posting its current plug-ins to the
> usenet newsgroup alt.comp.virus, and upgrading them from other
> posts by other infections of the worm. These are again in the
> encrypted form, and have a header with a four character
> identifier and a four character version number, in order for the
> worm to know which plug-ins to install.
>
> Another component of the worm searches the PC for .ZIP and .RAR
> archive files. When it finds one, it searches inside it for an
> .EXE file, which it renames to .EX$, and then adds a copy of
> itself to the archive using the original filename.
>
> There is a payload component, which on the 24th of September of
> any year, or at 1 minute to the hour on any day in the year
> 2001, displays a large animated spiral in the middle of the
> screen which is difficult to close.
>
> There is also a component that applies a simple polymorphic
> encryption to the worm before it gets sent by email. By
> upgrading this component the author is able to completely change
> the appearance of the worm in unpredictable ways, in an attempt
> to prevent anti-virus products from detecting it.
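
The archive-infection behaviour in the alert above (an .EXE inside a ZIP renamed to .EX$ and the worm written under the original .EXE name) leaves a simple structural trace that can be checked without any signature: an archive that contains NAME.EX$ next to NAME.EXE. The script below is an added example by the editor, not Sophos code and not part of the original post. The pairing heuristic is my own assumption about how to detect the described side effect; it handles only ZIP (the standard library has no RAR reader), and the sample archives it builds are constructed in memory for illustration.

```python
import io
import sys
import zipfile
from typing import Dict, List, Tuple


def find_hybris_archive_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (renamed_original, suspect_exe) pairs found in a ZIP image.

    Heuristic (editor's assumption, not a Sophos signature): the worm renames
    an existing .EXE entry to .EX$ and adds itself under the original .EXE
    name, so a ZIP holding both NAME.EX$ and NAME.EXE is suspicious.
    Matching is case-insensitive and keeps the directory path, so
    tools/setup.exe is only paired with tools/setup.ex$.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # stem (path + basename without extension, lower-cased) -> {"exe": name, "ex$": name}
    by_stem: Dict[str, Dict[str, str]] = {}
    for name in names:
        lower = name.lower()
        if lower.endswith(".ex$"):
            by_stem.setdefault(lower[:-4], {})["ex$"] = name
        elif lower.endswith(".exe"):
            by_stem.setdefault(lower[:-4], {})["exe"] = name

    pairs: List[Tuple[str, str]] = []
    for stem in sorted(by_stem):
        entries = by_stem[stem]
        if "ex$" in entries and "exe" in entries:
            pairs.append((entries["ex$"], entries["exe"]))
    return pairs


def scan_zip_file(path: str) -> List[Tuple[str, str]]:
    """Convenience wrapper for scanning a ZIP on disk."""
    with open(path, "rb") as fh:
        return find_hybris_archive_pairs(fh.read())


def build_sample_archive(infected: bool) -> bytes:
    """Construct an in-memory ZIP that mimics a clean archive or one the worm
    has modified. Contents are constructed placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample archive")
        if infected:
            zf.writestr("tools/setup.ex$", b"MZ original program (renamed)")
            zf.writestr("tools/setup.exe", b"MZ worm body under original name")
        else:
            zf.writestr("tools/setup.exe", b"MZ original program")
    return buf.getvalue()


if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed samples; otherwise scan the given ZIPs.
    if len(sys.argv) == 1:
        for label, blob in (("clean", build_sample_archive(False)),
                            ("infected", build_sample_archive(True))):
            print(label, find_hybris_archive_pairs(blob))
    else:
        for zip_path in sys.argv[1:]:
            for renamed, suspect in scan_zip_file(zip_path):
                print(f"{zip_path}: {suspect!r} may be the worm; original kept as {renamed!r}")
```

A hit is only a lead, not a verdict: a legitimate packager could in principle ship an .EX$ file, so the flagged .EXE should be pulled and inspected (or fed to a scanner with the IDE file the alert mentions) rather than deleted on sight.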