Alias: dwarf4you.exe, Hybris, I-Worm.Hybris, I-Worm.Hybris.b, Snowhite and the Seven Dwarfs, TROJ_HYBRIS.A, W32/Hybris.dll@M, W32/Hybris.plugin@M, W95.Hybris.Gen.dr, W95/Hybris.worm, Win98.Vecna.23040
Type: Worm
Size: 25,088 Bytes
Origin:
Date: 00-00-0000
Damage: Spreads over newsgroups.
VDF Version:
Danger: Low
Distribution: Low

Distribution
The message sent to newsgroups has the following form:

anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: 20001113080521.28781.qmail@nym.alias.net
From: [USE-AUTHOR-ADDRESS-HEADER@[127.1]]
Author-Address: anonymous [AT]anon [DOT]lcs [DOT]mit [DOT] edu
Subject: http [code containing upper- and lower-case letters]
Mail-To-News-Contact: postmaster@nym.alias.net
Organization: mail2news@nym.alias.net
Newsgroups: alt.comp.virus
Lines: 46
KUWJGJWCVICGIWIWCZIWHCFXCHB
[continues].... [more coded lines]
[terminated by four asterisks] ****

The plugins are saved in %WinDIR%\%SystemDIR% under random names. Some of the known plugins are:

@@@@ or SPIRALE - It generates a graphic spiral that cannot be stopped or closed. The file name has 8 random letters.

I_RZ - makes a copy of the worm in ZIP and RAR archives containing .EXE files.

AVIP or AVINET.DAT - keeps the infected computer from accessing antivirus websites.

SUB7 - looks for computers infected with Backdoor-G Trojans, copies itself to them and runs on the infected computers.

ENCR or POLY

TEXT or PR0N - It sends a message with the virus, according to the infected system's language:

From: Hahaha [hahaha@sexyfun.net]
Subject:
Snowhite and the Seven Dwarfs - The REAL story!
Les 7 coquir nains *or* Blanche neige et ...les sexe nains
Enanito si, pero con que pedazo!
Branca de Neve pornô!

Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...

Faltaba apenas un dia para su aniversario de de 18 años. Blanca de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande* sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...

Faltava apenas um dia para o seu aniversario de 18 anos. Branca de Neve estava muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa. As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...

Attachment:
sexy virgin.scr
joke.exe
midgets.scr
dwarf4you.exe
blancheneige.exe
sexynain.scr
blanche.scr
nains.exe
enano.exe
enano porno.exe
blanca de nieve.scr
enanito fisgon.exe
branca de neve.scr
atchim.iexe
dunga.scr
anão pornô.scr

A later version uses the following words in the emails:
"Anna"
"Raquel Darian"
"Xena"
"Xuxa"
"Suzete"
"famous"
"celebrity rape"
"leather"
"sex"
"sexy"
"hot"
"hottest"
"cum"
"cumshot"
"horny"
"anal"
"gay"
"oral" etc.

If Hybris has no plugin for sending text messages, it sends a message without a subject and sender.

Technical Details
When first activated, W95/Hybris.Gen.3 tries to infect WSOCK32.DLL in %WinDIR%/%SystemDIR%.
If the file cannot be modified because it is already in use, the worm makes an infected copy of WSOCK32.DLL instead. The copy has no extension and its name consists of 8 random characters.
The worm then adds a line to WININIT.INI so that the copy replaces the original WSOCK32.DLL file the next time the computer starts.
The modified file monitors all Internet activity and tries to write a copy of the worm to an .EXE or .SCR file, which it sends to email addresses.
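
A triage check for the WININIT.INI step described above, as an added example that is not part of the original description: it parses the standard Windows 9x `[rename]` section (`destination=source` lines) and flags an entry that swaps WSOCK32.DLL for an extensionless 8-character file. The sample file content, its paths and the name KQZJHWPA are constructed, and treating "random characters" as letters and digits is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a WININIT.INI; all paths and names are made up.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP.TMP
NUL=C:\WINDOWS\TEMP\OLD.DLL
C:\WINDOWS\SYSTEM\MSVCRT.DLL=C:\WINDOWS\SYSTEM\MSVCRT.NEW
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\KQZJHWPA
"""

# The description says the infected copy has no extension and 8 random
# characters. Assumption: "characters" means ASCII letters and digits.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")


def parse_rename_section(text):
    # Parsed by hand: [rename] legitimately repeats the key NUL (delete),
    # which configparser rejects in its default strict mode.
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def suspicious_wsock32_swaps(text):
    """Flag entries replacing WSOCK32.DLL with an extensionless 8-char file."""
    hits = []
    for dest, src in parse_rename_section(text):
        d, s = PureWindowsPath(dest), PureWindowsPath(src)
        if d.name.upper() != "WSOCK32.DLL":
            continue
        if s.suffix == "" and RANDOM_NAME.match(s.name):
            hits.append((dest, src))
    return hits


if __name__ == "__main__":
    for dest, src in suspicious_wsock32_swaps(SAMPLE_WININIT):
        print(f"suspicious: {dest} <- {src}")
```

A hit is a lead for triage, not proof of infection: confirm by checking the flagged source file and the integrity of WSOCK32.DLL itself.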

This Internet worm downloads encoded updates from Internet websites:

HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT

Description created by Crony Walker on Tuesday, June 15, 2004