Top virus threats, part four: Hybris

This is the fourth and final tip in a series.

Viruses are not all created equal. Some cause more damage and some spread quickly to a large number of systems. Fortunately, there are only a few viruses that cause lots of damage and spread quickly. Therefore, most viruses are not a big threat. However, those few viruses that are a serious threat are all the reason you need for a multi-level virus protection and removal system.

To help you understand why virus protection is necessary, let's take a quick look at the top four viruses currently found in the wild ("in the wild" means actively infecting computers around the world via the Internet or other means).

The final virus in our collection of the top four worst viruses or worms currently circulating on networks across the globe is W95.Hybris.gen. The threat from Hybris lies mainly in its ability to distribute itself by e-mail and automatically update itself. When Hybris infects a system, it alters the wsock32.dll file. From that point forward, Hybris scans all incoming and outgoing network/Internet traffic looking for e-mail addresses. When a new e-mail address is discovered, it captures it, waits a random length of time, and then e-mails itself to that address. In most cases, it sends itself as an attachment that looks like a screen saver (.scr).
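Because the worm arrives as a screen-saver attachment, a mail gateway can flag messages by attachment extension. The following is an added example, not part of the original tip: the function names are hypothetical, the messages are constructed samples, and every blocked extension other than .scr is an assumption that widens the check beyond the case described above.

```python
import email
from email import policy
from email.message import EmailMessage

# Only .scr comes from the article; the other entries are assumed
# additions for file types Windows also runs directly.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat"}


def risky_attachments(raw_bytes):
    """Return the filenames of attachments whose final extension is blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and containers carry no filename
        # Windows ignores trailing dots and spaces when the file is saved,
        # so "x.scr." still runs as a screen saver: strip them first.
        cleaned = name.strip().rstrip(". ").lower()
        # Judge only the last extension, so "photo.jpg.scr" is caught.
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename, payload=b"constructed-bytes"):
    """Build a constructed test message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fn in ("holiday.scr", "photo.jpg.SCR", "report.pdf", "notes.scr."):
        print(fn, "->", risky_attachments(build_sample(fn)))
```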

Periodically, Hybris contacts the alt.comp.virus newsgroup. First, it uploads itself as a message to this newsgroup. Next, it looks for updated versions of itself posted there. If an updated version is discovered, it downloads it and re-infects the system. This feature allows the virus author to alter the functionality of the virus quickly and easily.

Fortunately, the Hybris virus is little more than a very good infection and distribution mechanism and does not cause any direct damage to infected systems. However, the virus author can easily change this by posting a new update to the alt.comp.virus newsgroup.

This virus mostly affects Windows 95, 98, 98 SE and Me. It can affect Windows 2000 and XP if the native File Protection Service is disabled. By default, Windows 2000 and XP will prevent unauthorized changes to key system files, including wsock32.dll.

Most antivirus products are able to detect, remove and disable this virus/worm. However, if your system is already infected, you need to manually clean up its artifacts to guarantee that you will not remain infected or accidentally infect others. For details on reversing the changes to systems infected by the W95.Hybris.gen virus, please visit one of the following:
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w95.hybris.gen.html
McAfee: http://vil.mcafee.com/dispVirus.asp?virus_k=98873
TrendMicro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HYBRIS.DLL

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was first published in May 2002
