Guest guest Posted April 1, 2001

W32.Hybris.gen Worm

The Snow White Virus appears to be making the rounds again. Like the recent MTX virus, the Snow White Virus acts as a worm and infects the wsock32.dll file, attaching copies of itself to all MS outgoing email and newsgroup postings. The attachments range in names from:

anpo porn(.scr
atchim.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr

The text of the automatically created email message is as follows:

Hahaha [hahaha]
Snowhite and the Seven Dwarfs - The REAL story!

Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe

As the Hybris name may suggest, the virus also has many other payloads which the user may or may not see. The machine seen today was infected with the SPIRALE payload, but other payloads may be seen around campus. These are the possible plugins or variations that the virus may download:

@@@@ or SPIRALE - This creates a file which displays a graphic of a "spiral" that cannot be closed or stopped. The file has a name consisting of eight random letters, and is loaded using the run= line of the [windows] section of win.ini. This spiral graphic is launched by this Internet worm on September 24th, or when the number of minutes is equal to 59 in the year 2001.

I_RZ - Adds a copy of the worm to ZIP and RAR archives containing EXE files. The original EXE file is renamed to an EX$ extension, and a copy of the virus takes the place of the original EXE file.

AVIP or AVINET.DAT - Blocks the infected computer from visiting certain antivirus websites by IP address, similar to the W95/MTX virus.

SUB7 - Searches for computers infected with the BackDoor-G trojan, and copies and executes itself on infected machines.

ENCR or POLY - Encrypts the virus with a polymorphic routine. Note that in spite of the polymorphic routine, VirusScan detects all of the permutations of the virus when using updated engine and DAT files.

TEXT or PR0N - This creates the Snow White message that the virus is sent with, depending on the language installed on the infected system.

The latest antivirus files from both McAfee and Norton will detect and clean this virus, but if you have a user who is already infected with the SPIRALE version, follow these steps to clean:

Boot the machine into DOS or into Windows and edit the win.ini file. This file is found in the Windows folder on the user's hard drive. At the top of the file will be the line starting run= and the file that is listed is the file that loads the spinning spiral upon boot. Delete that file from the user's machine and from the win.ini file so that the file reads run= with nothing after it. Then follow the guidelines listed in the MTX documentation for extracting a fresh copy of the wsock32.dll file from the Windows CD or from the user's cab files. Once done, reboot the machine, download the latest dat files, and run a complete scan to clean any other infected files.

Documentation on this virus can be found at the following sites:

http://service1.symantec.com/sarc/sarc.nsf/html/W95.Hybris.gen.html
http://vil.mcafee.com/dispVirus.asp?virus_k=98873
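The SPIRALE cleanup above comes down to inspecting and emptying the run= line of the [windows] section in win.ini. As an added example (not part of the original post, and not a McAfee or Symantec tool), the following Python checks a win.ini text for that line, flags entries whose base name is eight letters plus an executable extension (a heuristic derived from the post's description, not a definitive indicator), and produces a copy with run= emptied. The sample win.ini and the file name QJXKRMVP.EXE are constructed for the demonstration.

```python
import re

# Constructed sample win.ini, modelled on the [windows] section the post describes:
# the SPIRALE plugin loads a file with an eight-random-letter name from run=.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\QJXKRMVP.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Heuristic from the post: eight letters plus an executable extension.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}\.(exe|scr|com)$", re.IGNORECASE)


def parse_windows_run(text):
    """Return the value of the run= line in the [windows] section, or None if absent."""
    section = None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
            continue
        if section == "windows" and "=" in s:
            key, _, value = s.partition("=")
            if key.strip().lower() == "run":
                return value.strip()
    return None


def suspicious_run_entries(run_value):
    """Split run= into its entries and return those matching the eight-letter heuristic."""
    if not run_value:
        return []
    entries = [e for e in re.split(r"[ ,]+", run_value) if e]
    return [e for e in entries
            if RANDOM_NAME.match(e.replace("/", "\\").rsplit("\\", 1)[-1])]


def clean_run_line(text):
    """Return the win.ini text with the [windows] run= line emptied, as the post instructs."""
    out, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows" and s.partition("=")[0].strip().lower() == "run":
            line = "run="
        out.append(line)
    return "\n".join(out) + "\n"
```

The flagged file should be removed from disk as well; this only edits the win.ini text, and the wsock32.dll replacement and full scan from the post still apply.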