You're in: Panda Security > IT Security for Business > security-info > about-malware > encyclopedia > overview

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Hybris.A
Threat LevelDamageDistribution

At a glance Tech details Solution

Effects

Hybris.A activates when the file attached to the e-mail message is run and has the following effects:

It updates itself using plug-ins, which it can download from the Internet.

It can obtain up to 32 plug-ins. Some of them correspond to the following files: HTTP.DAT, NEWS.DAT, AVINET.DAT, ENCR.DAT, PR0N.DAT, SPIRALE.DAT, SUB7.DAT, AND DOSEXE.DAT.
It looks for files with an EXE extension in files compressed in ZIP or RAR and replaces them with a copy of itself. The extension of the original files is changed to EX$.
It detects other computers that are infected with the Subseven worm and installs itself in them.

Infection strategy

Hybris.A creates a file called WININIT.INI in the Windows directory in the affected computer. This file contains the following text:

[Rename]

C:\WINDOWS\ SYSTEM\ WSOCK32.DLL= C:\WINDOWS\ SYSTEM\ <random name of 8 characters without an extension >

Hybris.A modifies the WSOCK32.DLL file in the following way:

It copies its infection code to the end of the file.
It modifies the functions connect, send and recv included in this file so that they activate the worm’s code.
These functions establish Internet connections and send and receive data. By doing this Hybris.A can control all the e-mail sent from the affected computer.
It copies the WSOCK32.DLL file in the Windows directory, if it cannot infect it because it is in use.
In this case, it does not copy it under the same name but under a name that consists of eight random characters.

It then inserts one the following entries in the Windows Registry in order to ensure that it is activated when Windows starts:

HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunOnce
HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ RunOnce

Hybris.A uses plug-ins that it downloads from the Internet to update itself. The worm can do this in two ways:

By accessing a Web page.
By connecting to the newsgroup alt.comp.virus.
In this case, Hybris.A also sends its plug-ins and checks the version number and identifier of each one. By doing this, Hybris.A can find out which plug-ins it needs in order to update itself.

Means of transmission

Hybris.A spreads via e-mail in a message with the following characteristics:

Sender:
Hahaha < hahaha@sexyfun.net >
Subject:
Snowwhite and the seven dwarfs-The REAL story!
Message:
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachments: one of the following
SEXY VIRGIN.SCR, JOKE.EXE, MIDGETS.SCR, DWARF4YOU.EXE
Hybris.A can change the subject of the message using a combination of the following words:
Anna, Raquel Darian, Xena, Xuxa, Suzete, famous, celebrity rape, leather, sex, sexy, hot, hottest, cum, cumshot, horny.

The message can also be received in Spanish, French and Portuguese. For information on the versions in these languages, click here.

Hybris.A activates when the attached file included in the e-mail message is run.

From then on, Hybris.A will start to spread. It does this by sending an infected message to the recipients to whom the infected user has already sent a message.

Further Details

The writer of Hybris.A is known as Vecna and comes from Brazil.

The plug-ins it uses are encrypted using an algorithm, similar to RSA, with a 128-Bit key.

Some copies of the worm are encrypted using a simple semi-polymorphic routine.

Resources for Partners