W95.Hybris.gen

Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 as of January 6, 2004.

W95.Hybris is a worm that spreads by email as an attachment to outgoing email messages.

The email message or subject may include, but is not limited to:

• hahaha@sexyfun.net
• Snow White and the Seven dwarves

• anpo porn(.scr
• atchim.exe
• branca de neve.scr
• dunga.scr
• dwarf4you.exe
• enano porno.exe
• joke.exe
• midgets.scr
• sexy virgin.scr

Also Known As:	W32.Hybris.gen, W32.Hybris.22528.dr, W32/Hybris.gen@M [McAfee], I-Worm.Hybris [Kaspersky], WORM_HYBRIS [Trend], W32/Hybris-A [Sophos], Win32.Hybris [CA], Full Moon
Type:	Worm
Systems Affected:	Windows 95, Windows 98, Windows Me
Systems Not Affected:	DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

Virus Definitions (LiveUpdate™ Weekly) September 25, 2000 Virus Definitions (Intelligent Updater) September 25, 2000

Wild Number of infections: More than 1000 Number of sites: More than 10 Geographical distribution: Medium Threat containment: Moderate Removal: Moderate

Threat Metrics Wild: Low Damage: Low Distribution: High

Distribution

• Name of attachment: Random with EXE or SCR file name extension

When the worm attachment is executed, the Wsock32.dll file is modified or replaced. Once the worm has infected wsock32.dll, it has the ability to monitor the Internet connection as well as incoming and outgoing email traffic. The worm then scans for email addresses. When an email address is detected whether on an Internet site or in email being sent or received, the worm waits for a period of time and then sends an infected message to the detected address.

The worm attempts to connect to the alt.comp.virus newsgroup. If it connects successfully, then the worm uploads its own plug-ins to this newsgroup in an encrypted form. It goes thru the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if the plug-ins are present. If newer versions of the plug-ins are found, the worm downloads them and updates its behavior.

One of the plug-ins for W95.Hybris.gen generates a spiral image. Upon execution, the plug-in initially loads OpenGL libraries which are used to draw a large black and white spiral image. It also registers itself as a service; this prevents it from being displayed in the Close Programs dialog box. For additional information on this, see the document W95.Hybris.Plugin.

This worm also has a plug-in that infects executable programs. The DOS EXE infection is fairly simple dropping technique. The virus code is appended to the end of the file with a small 16-bit dropper routine. This routine creates a temporary file with an .exe extension in the TEMP folder and executes it. It then deletes the temporary executable. In this way, Wsock32.dll is infected with the actual worm body. The PE executables have a much more complicated file infection process. PE files become infected only if they have a long enough code section. The virus infection plug-in packs the original code area and overwrites it if it will fit in the same place. This complicated antiheuristic infection technique is difficult but possible to repair.

If Wsock32.dll is being used by the system, the worm cannot modify it. In this situation, the worm will add a registry entry to one of the following subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce

It always alternates between these two keys as the worm spreads from one computer to another. The worm hooks onto the following exports of Wsock32.dll:

send()
recv()
connect()

Whenever you send email, the worm sends a second message to the same person, attaching a copy of itself using a randomly generated file name.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

To remove the W95.Hybris.gen worm, follow these steps:

1. Run LiveUpdate to ensure that you have the most recent virus definitions. They must be dated September 25, 2000, or later.
2. Start NAV, and perform a full system scan. Make sure that NAV is set to scan all files. When an infected file is detected, do the following:
   • When Wsock32.dll is detected as infected, choose Repair. In most cases, NAV can repair this file. If NAV cannot repair the file, then you will need to replace it from the Windows installation CD. If you need to replace this file, see the instructions in the next section.
     
     NOTE: If NAV cannot repair Wsock32.dll when Windows is in normal mode, then try to repair it in Safe Mode.This is particularly true if you are connected to a network; in this case you may see a "sharing violation" message when NAV attempts the repair. To try this, restart the computer in Safe Mode. (If you need help with this, read the document How to restart Windows 9x or Windows Me in Safe Mode.) If this is not successful, then you must extract a new copy as explained in the next section.
     
   • Delete all other detected files; their contents have been overwritten by the worm. You must restore them from backups or, in the case of application software, reinstall the programs.
3. If you see a rotating spiral on the Windows desktop, you must follow additional steps to remove it. See the section To remove the rotating spiral.

• The Microsoft Knowledge base article How to Extract Original Compressed Windows Files, Article ID Q129605, has detailed information for Windows 95/98/Me.
• How to extract files in Windows 98 and Windows Me.
• How to extract files using Windows 2000 or Windows NT 4.0.
• How to restore system files in Windows XP.
  

• You will need a Windows 98/Me startup disk. (If you are using Windows 95, you will still need one that was created on a Windows 98/Me computer). For instructions on how to create one, see the document How to create a Windows Startup disk.
• Have the Windows installation CD available.
• When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type
  
  extract /a d:\win98\precopy1.cab wsock32.dll /L c:\windows\system
  
• If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows\System folder.
• For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605.
• As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.
  

1. Shut down the computer and turn off the power. Once the computer is off, insert the Windows 98/Me Startup disk in the floppy disk drive and turn the computer back on. At the menu, select Start with CD-ROM support.
2. Type the command that applies to your operating system:
   • If you are using Windows 98, then type the following and press Enter:
     
     extract /a x:\win98\precopy1.cab wsock32.dll /L c:\windows\system
     
   • If you are using Windows 95, then type the following and press Enter:
     
     extract /a x:\win95\win95_02.cab wsock32.dll /L c:\windows\system
     
3. If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter.

Revision History:

• January 6, 2004: Downgraded from a Category 3 to a Category 2 based on reduced rate of submissions.
• July 23, 2002. Downgraded from a Category 4 to a Category 3 based on reduced rate of submissions.

Write-up by: Cary Ng and Peter Ferrie