[NCLUG] Hybris
dobbster
dobbster at dobbster.com
Thu Mar 8 12:33:59 MST 2001
> This writeup is very good:
> http://www.f-secure.com/v-descs/hybris.shtml
Thanks. That's the kind of info I was looking for (although source code
would be great, I guess it's probably not available. Not that I do VC++
very well anyway.)
> It changes the FROM: header, but it doesn't appear to change anything else.
> That was how I traced this one back to my sister. At the very least, it
> appears to generate the mail on a raw socket instead of calling the built-in
> mailer functions of winsock. Also, according to the linked article, it
> watches ALL sockets for E-mail addresses -- so it steals e-mail addresses
> while you are surfing, too!
This explains my observations of the headers of the worm's messages. So
I take it that if you were surfing the web and found an old discussion
board listing a bunch of email addresses, or were looking at addresses
on eBay, the worm would send messages to all of those addresses. Cute.
> It's brilliant. I really wish it wasn't malicious, because it really is
> tough to not give the guy some credit!
I agree. It's very imaginative. There are some brilliant bad guys out
there.
Mark (dobbster at dobbster.com)