[NCLUG] Hybris

Michael Dwyer mdwyer at sixthdimension.com
Wed Mar 7 10:34:44 MST 2001


Off topic, I'm sure, but this one is really cool to me...

> > Okay, now all that said, here's a real warning:  There is a real virus,
> > called Hybris that sends you all those "Hahaha at sexyfun.net" messages.
> >
> > http://vil.mcafee.com/dispVirus.asp?virus_k=98873&
> >
> > It's rather clever, and hides itself rather well.  Update your virus
> > scanner and check yourself for it.  If you don't want to get it, DON'T
> > CLICK ON ATTACHMENTS.  Wav files, mp3s, etc. may be safe, but
> > screensavers and executables (Applications) should never be run.  Yeah,
> > you might miss out on the latest version of Frogapult, but then, if your
> > friend really wants you to see it, they would have sent you this link
> > instead:
> > http://www.nstorm.com/games/game.cfm?game_id=1  So you can get it
> > yourself, direct from the distributor, and be assured of getting a
> > virus-free version.  Then, we never would have had to deal with this:
> > http://vil.mcafee.com/dispVirus.asp?virus_k=10464&

> I've had to deal with hoaxes and real viruses (on other machines) a lot,
> because I have a fair number of clueless friends (who refuse to run
> anything but Windows).  One thing I've noticed about the Hybris worm is
> that it almost always arrives a few minutes after an infected sender's
> message.

It hooks into the winsock library.  It watches packets go by.  If an E-mail
address goes by on port 25, it remembers that address for a few minutes,
then sends the hahaha at sexyfun.net letter off to them.

> That is, you get a message from them, and 2-10 minutes later, the
> hahaha at sexyfun.net one shows up.  From what I've read, this worm
> contacts alt.comp.virus in the meantime and somehow (?) the newsgroup
> indirectly sends the message.  Anyway, knowing this has helped me to
> inform people that they were infected through a simple test: I have them
> send out a blank email, wait a few minutes, and see if Snow White shows
> up...

Heh.  The problem is that the Snow White payload is one of the many
payloads that Hybris can have.  When it is reading newsgroups, it is actually
trading payloads.  There is one that does a spiral on the screen.  Another
eats all your zip files.  The author could add another plugin at any time, and
just let it go.

Really, it's rather ingenious!  Now, if it wasn't encrypted so well, you could
probably make a plugin that makes the virus kill itself.  That's just cool!

> I've also received Hybris as an attachment from an unknown sender with a
> blank message (a mutant, perhaps?)  A simple way to detect Hybris is to
> save the attachment to disk and 'grep -i hybris whatever.exe'.

Really?  It's in plaintext?  That's cool.  My sister keeps receiving them from
herself.  Oops.

> I think it's best to avoid Windows altogether and just watch out for
> Ramen, which seems easy enough to avoid.

Ramen may be the best thing to happen to us, though.  We've been a wee
bit too lax, and we needed the wakeup call.

(PS: Learn about Ramen here
http://www.cert.org/incident_notes/IN-2001-01.html )
(Not here: http://www.nissinfoods.com/ )
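The two detection ideas in this thread, the 2-10 minute lag between a real message and the worm's follow-up and the `grep -i hybris` check on a saved attachment, written up as an added example (not code from the list or from anyone in the thread). The log format, addresses and timestamps are constructed; the forged sender and the lag window come from the thread.

```python
from datetime import datetime, timedelta

# Constructed mailbox log, one message per line: "<ISO timestamp> <from> <to>".
SAMPLE_LOG = """\
2001-03-07T09:00:00 alice@example.org me@example.org
2001-03-07T09:06:00 hahaha@sexyfun.net me@example.org
2001-03-07T09:30:00 bob@example.org me@example.org
2001-03-07T10:15:00 hahaha@sexyfun.net me@example.org
2001-03-07T11:00:00 carol@example.org me@example.org
2001-03-07T11:01:00 hahaha@sexyfun.net me@example.org
"""

WORM_SENDER = "hahaha@sexyfun.net"  # forged sender named in the thread
WINDOW = (timedelta(minutes=2), timedelta(minutes=10))  # lag described in the thread


def parse_log(text):
    """Return (timestamp, sender) pairs sorted by arrival time."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, sender, _recipient = line.split()
            rows.append((datetime.fromisoformat(ts), sender.lower()))
    return sorted(rows)


def suspected_infected_senders(text, worm_sender=WORM_SENDER, window=WINDOW):
    """For each worm message, find the ordinary message that arrived between
    window[0] and window[1] before it; its sender is the likely infected host.
    Returns {sender: timestamp of the triggering message}."""
    rows = parse_log(text)
    low, high = window
    suspects = {}
    for i, (ts, sender) in enumerate(rows):
        if sender != worm_sender:
            continue
        for prev_ts, prev_sender in reversed(rows[:i]):
            lag = ts - prev_ts
            if lag > high:
                break  # everything earlier is outside the window too
            if prev_sender != worm_sender and lag >= low:
                suspects[prev_sender] = prev_ts.isoformat()
                break
    return suspects


def attachment_has_marker(data, marker=b"hybris"):
    """Case-insensitive equivalent of the 'grep -i hybris whatever.exe' check."""
    return marker.lower() in data.lower()
```

In the sample log only alice is flagged: bob's mail is 45 minutes before the next worm message and carol's is only one minute before, so both fall outside the window.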