[Esa-l] Might want to add .scr to poisoned list

Seth Cohn seth at oregonmed.net
Mon Nov 20 11:26:40 PST 2000


Hybris hides as an .scr file...

http://www.symantec.com/avcenter/venc/data/w32.hybris.gen.html


 Discovered on: September 25, 2000
 Last Updated on: November 16, 2000 09:54:12 AM PST


 W32.Hybris is a worm that spreads by email as an attachment to outgoing emails. It was discovered in late September of 2000. Although only minimal reports of infection were received in October 2000, the worm started to become common in early November 2000.

 Also known as: W32.Hybris.22528.dr, W32/Hybris.gen at M, I-Worm.Hybris 

 Category: Worm

 Virus definitions: September 25, 2000

 Threat assessment:

   Wild:          Medium
   Damage:        Low
   Distribution:  High

 Wild

   Number of infections:        50-999
   Number of sites:             More than 10
   Geographical distribution:   Medium
   Threat containment:          Moderate
   Removal:                     Moderate

 Distribution

   Name of attachment: Random with EXE or SCR file name extension

 Technical description: 

 When the worm attachment is executed, the WSOCK32.DLL file will be modified or replaced. This will give the worm the ability to attach itself to all outbound email. The email attachment will have a random name, but the filename extension is either EXE or SCR.

 The worm attempts to connect to the newsgroup alt.comp.virus. After it connects successfully, the worm uploads its own plug-ins in an encrypted form to this newsgroup. It goes through the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if these plug-ins are indeed present. If a newer version of plug-ins is found, the worm downloads these modules and updates its behavior. For example, there are known modules that give the worm the ability to infect compressed files like ZIP.

 If WSOCK32.DLL is being used by the system, the worm will be unable to modify this file. Thus, in this situation, the worm will add a registry key to one of the following subtrees:

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

 It will always alternate between these two trees mentioned above as the worm spreads from one machine to another. The worm hooks on the following exports on WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an email to a person, the worm will also send out another email to the same person attaching a copy of itself using a randomly generated filename.

 Removal: 

 Use Norton AntiVirus to repair the infected WSOCK32.DLL. Other files detected as W32.Hybris contain only the virus body and must be deleted.
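One way to implement the check the post asks for, as an added example that is not part of the original message and not the list's own sanitizer code: a small filter that parses a raw message with Python's standard email library and flags every attachment whose final extension is on a poisoned list that includes .scr. The extension list, the helper names and the sample message below are all constructed for illustration. Since the Hybris attachment name is random, the extension is the only stable token to match on, so the check is case-insensitive (the writeup shows EXE and SCR upper-cased), looks only at the last extension ("photo.jpg.scr" is a .scr file) and strips trailing dots and spaces, which the Win32 file APIs discard when the file is saved.

```python
"""Flag e-mail attachments whose extension is on a poisoned list.

Added example for this thread; it is not code from the original message and
not the mailing list's own sanitizer. The extension list, the helper names
and the sample message below are all constructed for illustration.
"""
import email
import email.policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that are never accepted as attachments. .exe and .scr are the two
# the Symantec writeup names for Hybris; the rest are an assumed starting set.
POISONED_EXTENSIONS = frozenset({".exe", ".scr", ".com", ".bat", ".pif", ".vbs"})


def is_poisoned(filename, poisoned=POISONED_EXTENSIONS):
    """Case-insensitive check of the *last* extension of a filename.

    Trailing spaces and dots are stripped before the check, because the Win32
    file APIs drop them when the file is saved, so "holiday.scr " or
    "holiday.scr." still ends up as an executable screen saver on disk. Only
    the final extension matters: "photo.jpg.scr" is a .scr file.
    """
    cleaned = filename.strip().rstrip(". ")
    return PurePosixPath(cleaned).suffix.lower() in poisoned


def poisoned_attachments(raw, poisoned=POISONED_EXTENSIONS):
    """Parse a raw RFC 822/MIME message and return the declared filenames of
    every non-multipart part whose extension is poisoned.

    get_filename() reads the Content-Disposition filename= parameter and falls
    back to the Content-Type name= parameter, which older mailers used alone.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and is_poisoned(name, poisoned):
            hits.append(name)
    return hits


def build_sample_message():
    """Constructed test message (not a real Hybris capture): a harmless text
    attachment plus a randomly named, upper-cased .SCR payload of the kind
    the writeup describes. The MZ bytes are just a stand-in for a PE file."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "holiday pictures"
    m.set_content("Pictures attached.")
    m.add_attachment("just a note", filename="notes.txt")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="qY7kpL2v.SCR")
    return m.as_bytes()


if __name__ == "__main__":
    for name in poisoned_attachments(build_sample_message()):
        print("poisoned attachment:", name)
```

Running the block prints `poisoned attachment: qY7kpL2v.SCR` for the constructed message. Matching the declared filename is a policy check, not malware detection: a renamed payload inside a ZIP, which the writeup says some Hybris plug-ins can infect, is not caught by this, so pair it with a scanner that repairs WSOCK32.DLL as the removal section describes.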
