[NCLUG] Hybris

dobbster dobbster at dobbster.com
Thu Mar 8 12:33:59 MST 2001


> This writeup is very good:
> http://www.f-secure.com/v-descs/hybris.shtml

Thanks.  That's the kind of info I was looking for (although source code
would be great, I guess it's probably not available.  Not that I do VC++
very well anyway.)

> It changes the FROM: header, but it doesn't appear to change anything else.
> That was how I traced this one back to my sister.  At the very least, it
> appears to generate the mail on a raw socket instead of calling the built-in
> mailer functions of winsock.  Also, according to the linked article, it
> watches ALL sockets for E-mail addresses -- so it steals e-mail addresses
> while you are surfing, too!

This explains my observations of the headers of the worm's messages.  So
I take it that if you were surfing the web and found an old discussion
board listing a bunch of email addresses, or were looking at addresses
on eBay, the worm would send messages to all of those addresses.  Cute.

> It's brilliant.  I really wish it wasn't malicious, because it really is
> tough to not give the guy some credit!

I agree.  It's very imaginative.  There are some brilliant bad guys out
there.

Mark (dobbster at dobbster.com)


