Re: NCR: Virus Proven True (NAV scanned it)
any info about it?

From: "Laura" <bunnybunny_2000@YAHOO.COM>
To: <CREED-DISCUSS@WINDUPLIST.COM>
Date: Fri, 20 Jul 2001 15:58:13 -0700

hey i just got this mail right now! apparently it says that this email was sent out on the 16th of this month...maybe things are going to start to work soon...i dunno, just wanted to send this because i found it funny that i just received this right now. byebye

-laura-

  ]\\[][G}{T§TÖ®]v[ <NightStorm_Draco_@HOTMAIL.COM> wrote:

Hell... that makes life a WHOLE lot easier. Here's the URL. I also
included the other variation of the virus...
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HYBRIS.J

TROJ_HYBRIS.J
Risk rating: Low
Virus type: Trojan
Destructive: N
Aliases: W32/Hybris.gen@MM, W32/Hybris-C, W95/Hybris.worm.D,
W95.Hybris.worm, I-Worm.Hybris.g, TROJ_HYBRIS.A, HYBRIS.J

Description:
This encrypted Trojan is a variant of TROJ_HYBRIS.A. It does not have a
destructive payload.

Details:
TROJ_HYBRIS.E is an encrypted variant of TROJ_HYBRIS.A which seems to be a
non-working or unfinished version of the Trojan. When run, this Trojan
modifies the WSOCK32.DLL in the Windows system folder. The infected WSOCK32.DLL
is detected by Trend antivirus as TROJ_HYBRIS.DLL. After it modifies
WSOCK32.DLL, it performs no other activity on the infected machine.
This Trojan does not have a destructive payload.
*******************************************
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HYBRIS.A
TROJ_HYBRIS.A
Risk rating: Low
Virus type: Trojan
Destructive: N
Aliases: Snow White, I-Worm.Hybris, W32/Hybris@M, Win32.Hybris.Gen,
TROJ_HYBRIS.A, TROJ_HYBRIS.D, TROJ_HYBRIS.B, TROJ_HYBRIS.C, TROJ_HYBRIS.E,
TROJ_HYBRIS.GEN, TROJ_HYBRIS.DLL, TROJ_HYBRIS.PX

Description:
This semi-polymorphic worm propagates via email and may also spread through
newsgroup postings. It does not have any destructive payload. However, it
has several known plug-ins that may be upgraded to make it malicious. Upon
execution, this worm monitors Internet access from the infected computer, as
well as email sent and received. Once it detects an Internet connection, it
sends an additional email to every address the infected user sent email to
after the worm was executed. This email carries a copy of the worm as an
attachment. The filename of the attachment is selected randomly depending
upon the system default language of the infected computer.

Details:
Upon execution, this Trojan attempts to patch WSOCK32.DLL. Since WSOCK32.DLL
is in use, the Trojan cannot directly patch it and drops a copy of itself in
the Windows system directory. In addition, it adds a reference to itself under
the RunOnce key of the system registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(Default) = %systemdir%\TrojanName

Where "%systemdir%" is the Windows System directory, and "TrojanName" is the
name of the dropped file.
This enables the Trojan to run at every Windows start up. When the system is
restarted, the Trojan tries again to patch WSOCK32.DLL's connect( ),
send( ), and recv( ) functions to allow it to monitor Internet access as
well as the sending and receiving of emails.
To avoid detection, the Trojan modifies WININIT.INI so that its copy in the
Windows System directory is deleted:


NUL = %systemdir%\TrojanName

Due to this, the copy of the Trojan in the Windows System directory is
deleted. In addition, the Trojan extracts its current plug-ins into the
Windows System directory under randomly generated filenames. A few
examples are:

OLIMALAD.LIM
DOLIMALA.OLI
PKODACMA.KOD

Then the Trojan spreads via its own SMTP engine. A sample of the email it
sends out is:

From: Hahaha hahaha@sexyfun.net

Depending upon the Default Language Identifier of the infected system, the
Trojan generates the following fields of the email:

Subject in English: Snowhite and the Seven Dwarfs - The REAL story!
Subject in French: Les 7 coquir nains
Attachments in English: sexy virgin.scr, joke.exe, midgets.scr or
dwarf4you.exe
Attachments in French: blancheneige.exe, sexynain.scr, blanche.scr or
nains.exe
Message Body in English: Today, Snowhite was turning 18. The 7 Dwarfs always
where very educated and polite with Snowhite. When they go out work at
mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently,
the door open, and the Seven Dwarfs enter...
Message Body in French: C'etait un jour avant son dix huitieme anniversaire.
Les 7 nains, qui avaient aidé 'blanche neige' toutes ces années après
qu'elle se soit enfuit de chez sa belle mère, lui avaient promis une
*grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail.
Mais cette fois ils avaient un air coquin.
If the language of the system is not English, Portuguese, French or Spanish,
the email sent out has no subject or message body, only an
attachment with a randomly generated filename.
In addition to sending email, there are known plug-ins of this Trojan, which
may be downloaded from a certain website. These plug-ins are known to be
malicious. The plug-in filenames are:
HTTP.DAT, NEWS.DAT, AVINET.DAT, ENCR.DAT, PR0N.DAT, SPIRALE.DAT , SUB7.DAT,
AND DOSEXE.DAT.
The Trojan body also contains the following text:

HYBRIS (c) Vecna; encrypted

Variant Information: TROJ_HYBRIS.B does not use the RunOnce registry
key. Instead, it uses WININIT.INI to replace WSOCK32.DLL with its
own copy. The dropped file has a randomly generated name with no extension
and is automatically deleted afterwards. Sample filenames are:

JKCLNCKPF or LPHBNGAE

In the case of TROJ_HYBRIS.C, TROJ_HYBRIS.F, TROJ_HYBRIS.D, TROJ_HYBRIS.E and
TROJ_HYBRIS.GEN, the main Trojan body is encrypted. The size of this
encrypted body varies from variant to variant, as does the size of the
patched WSOCK32.DLL. In addition, TROJ_HYBRIS.D uses TMP as its filename.

To unsubscribe or change your preferences for the Creed-Discuss list, visit:
http://www.winduplist.com/ls/discuss/form.asp
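The indicators in the quoted Trend Micro description (the sender address, the language-dependent subjects and attachment names, the "HYBRIS (c) Vecna" string, the NUL entry in WININIT.INI, the RunOnce value in the system directory, the patched WSOCK32.DLL and the plug-in .DAT names) can be turned into a small triage script. The following is an added example, not code from the list posting or from Trend Micro: it checks a raw email, a WININIT.INI [rename] section, exported RunOnce values, the on-disk WSOCK32.DLL hash and a system-directory listing against those indicators. The sample mail, INI text and DLL bytes are constructed; the C:\WINDOWS\SYSTEM path, the known-good hash and the "anything executable in RunOnce from the system directory" heuristic are assumptions of this example, not statements from the description.

```python
"""Triage checks for the Hybris indicators quoted above. Added example, not
code from the list posting or from Trend Micro; sample inputs are constructed."""
import email
import hashlib
import ntpath
from email import policy
from email.message import EmailMessage

# Indicators taken from the description quoted above.
HYBRIS_SENDER = "hahaha@sexyfun.net"
HYBRIS_SUBJECTS = {"snowhite and the seven dwarfs - the real story!", "les 7 coquir nains"}
HYBRIS_ATTACHMENTS = {"sexy virgin.scr", "joke.exe", "midgets.scr", "dwarf4you.exe",
                      "blancheneige.exe", "sexynain.scr", "blanche.scr", "nains.exe"}
HYBRIS_PLUGINS = {"http.dat", "news.dat", "avinet.dat", "encr.dat",
                  "pr0n.dat", "spirale.dat", "sub7.dat", "dosexe.dat"}
HYBRIS_MARKER = b"HYBRIS (c) Vecna"
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat")
SYSTEMDIR = r"C:\WINDOWS\SYSTEM"  # assumed Windows 9x system directory (example)


def email_indicators(raw: bytes) -> list[str]:
    """Return the Hybris mail indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if HYBRIS_SENDER in (msg.get("From") or "").lower():
        hits.append("from:" + HYBRIS_SENDER)
    if (msg.get("Subject") or "").strip().lower() in HYBRIS_SUBJECTS:
        hits.append("subject:hybris")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in HYBRIS_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith(EXEC_EXT):  # non-English systems get a random name
            hits.append("attachment:executable:" + name)
        if HYBRIS_MARKER in (part.get_payload(decode=True) or b""):
            hits.append("payload:marker")
    return hits


def wininit_rename_entries(ini_text: str) -> list[tuple[str, str]]:
    """Parse the [rename] section of WININIT.INI into (destination, source) pairs.
    Windows 9x applies these once at boot; a destination of NUL deletes the source."""
    entries, section = [], None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
        elif section == "rename" and "=" in line:
            dst, src = (s.strip() for s in line.split("=", 1))
            entries.append((dst, src))
    return entries


def wininit_indicators(ini_text: str, systemdir: str = SYSTEMDIR) -> list[str]:
    """Flag boot-time deletions inside the system directory (the worm erasing its
    dropper) and any rename that overwrites WSOCK32.DLL (the .B variant)."""
    hits = []
    for dst, src in wininit_rename_entries(ini_text):
        if dst.upper() == "NUL" and ntpath.dirname(src).lower() == systemdir.lower():
            hits.append("wininit:delete:" + src)
        if ntpath.basename(dst).lower() == "wsock32.dll":
            hits.append("wininit:replace-wsock32:" + src)
    return hits


def runonce_indicators(values: dict[str, str], systemdir: str = SYSTEMDIR) -> list[str]:
    """Heuristic (assumption of this example): flag RunOnce values whose command
    lives in the system directory, where Hybris.A writes its dropper as (Default)."""
    return ["runonce:" + name + "=" + data for name, data in values.items()
            if ntpath.dirname(data.strip('"')).lower() == systemdir.lower()]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def wsock32_indicators(dll_bytes: bytes, known_good_sha256: str) -> list[str]:
    """Compare the on-disk WSOCK32.DLL against a hash recorded from a clean install."""
    hits = []
    if sha256_hex(dll_bytes) != known_good_sha256:
        hits.append("wsock32:hash-mismatch")
    if HYBRIS_MARKER in dll_bytes:
        hits.append("wsock32:marker")
    return hits


def plugin_indicators(systemdir_listing: list[str]) -> list[str]:
    """Only the documented .DAT plug-in names can be matched; the randomly named
    extracted copies (OLIMALAD.LIM etc.) need the hash check above instead."""
    return ["plugin:" + n for n in systemdir_listing if n.lower() in HYBRIS_PLUGINS]


def sample_mail() -> bytes:
    """Constructed message in the shape the description gives; not a real capture."""
    m = EmailMessage()
    m["From"] = "Hahaha <hahaha@sexyfun.net>"
    m["To"] = "someone@example.invalid"
    m["Subject"] = "Snowhite and the Seven Dwarfs - The REAL story!"
    m.set_content("Today, Snowhite was turning 18...")
    m.add_attachment(b"MZ" + b"\0" * 64 + HYBRIS_MARKER, maintype="application",
                     subtype="octet-stream", filename="joke.exe")
    return m.as_bytes()


SAMPLE_WININIT = "[rename]\nNUL=C:\\WINDOWS\\SYSTEM\\JKCLNCKPF\n"  # constructed

if __name__ == "__main__":
    for hit in email_indicators(sample_mail()) + wininit_indicators(SAMPLE_WININIT):
        print(hit)
```

The mail and WININIT.INI checks are exact matches on what the description lists; the RunOnce and hash checks are the ones that still work once the dropper has deleted itself, which is why a clean-install hash of WSOCK32.DLL is worth recording before an incident rather than after.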
