Problem solve Get help with specific problems with your technologies, process and projects.

Top virus threats, part four: Hybris

A look at the fourth worst virus in the wild: Hybris.

This the fourth and final tip in a series.

Viruses are not all created equal. Some cause more damage and some spread quickly to a large number of systems. Fortunately, there are only a few viruses that cause lots of damage and spread quickly. Therefore, most viruses are not a big threat. However, those few viruses that are a serious threat is all the reason you need for a multi-level virus protection and removal system.

To help you understand why virus protection is necessary, lets take a quick look at the top four viruses currently found in the wild ("in the wild" means actively infecting computers around the world via the Internet or other means).

The final virus in our collection of the top four worst viruses or worms currently circulating networks across the globe is the W95.Hybris.gen. The threat from Hybris lies mainly in its ability to distribute itself by e-mail and automatically update itself. When Hybris infects a system, it alters the wsock32.dll file. From that point forward, Hybris scans all incoming and outgoing network/Internet traffic looking for e-mail addresses. When a new e-mail address is discovered, it captures it, waits a random length of time, and then e-mails itself to that address. In most cases, it sends itself as an attachment that looks like a screen saver (.scr).

Periodically, Hybris contacts the alt.comp.virus newsgroup. First, it uploads itself as a message to this newsgroup. Next, it looks for updated versions of itself posted there. If an updated version is discovered, it downloads it and re-infects the system. This feature allows the virus author to alter the functionality of the virus quickly and easily.

Fortunately, the Hybris virus is little more than a very good infection and distribution mechanism and does not cause any direct damage to infected systems. However, this can be easily changed by the virus author and posting a new update to the alt.comp.virus newsgroup.

This virus affects Windows 95, 98, 98 SE and Me mostly. It can affect Windows 2000 and XP if the native File Protection Service is disabled. By default, Windows 2000 and XP will prevent unauthorized changes to key system files, including wsock32.dll.

Most antivirus products are able to detect, remove and disable this virus/worm. However, if your system is already infected, you need to manually clean-up its artifacts to guarantee that you will not remain infected or accidentally infect others. For details on reversing the changes to systems infected by the W95.Hybris.gen virus, please visit one of the following:

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was last published in May 2002

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.