W32/Hybris-C (Sophos)
Overview
Date: Fri, 4 Jan 2002 15:58:02 +0000 (GMT)
Name: W32/Hybris-C
Type: Win32 worm
Sophos has received many reports of this worm from the wild.
Note: Sophos Anti-Virus has been detecting W32/Hybris-C since 16
November 2000. This IDE was updated at 15:45 GMT on 4 January
2002 to enhance detection.
Description: W32/Hybris-C is a worm capable of updating its functionality
over the internet.

It consists of a base part and a collection of upgradeable
components. The components are stored within the worm body
encrypted with 128-bit strong cryptography.

When run, the worm infects WSOCK32.DLL. Whenever an email is
sent, the worm attempts to send a copy of itself as an
attachment to a separate message to the same recipient.

Any other behaviour exhibited by the worm is entirely dependent
on the set of installed components. The effects of components
known to Sophos at the time of writing are described below.

...the message can have any subject, any message text
and any filename for the attached file.

A common component of the worm checks the language settings of
the computer it has infected, and selects a message accordingly
from English, French, Portuguese and Spanish.

There is also a component that applies a simple polymorphic
encryption to the worm before it gets sent by email. By
upgrading this component the author is able to completely change
the appearance of the worm in unpredictable ways in an attempt
to defeat anti-virus products detecting it.
| Publisher | Sophos | File Format | HTML |
|---|---|---|---|
| Date Published | January 2002 | | |
| Format | White Papers | | |



