Alias: dwarf4you.exe, Hybris, I-Worm.Hybris, I-Worm.Hybris.b, Snowhite and the Seven Dwarfs, TROJ_HYBRIS.A, W32/Hybris.dll@M, W32/Hybris.plugin@M, W95.Hybris.Gen.dr, W95/Hybris.worm, Win98.Vecna.23040
Type: Worm
Size: 25,088 Bytes
Origin:
Date: 00-00-0000
Damage: Spreads over newsgroups.
VDF Version:
Danger: Low
Distribution: Low
Distribution
The message sent to newsgroups has the following form:
anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: 20001113080521.28781.qmail@nym.alias.net
From: [USE-AUTHOR-ADDRESS-HEADER@[127.1]]
Author-Address: anonymous [AT]anon [DOT]lcs [DOT]mit [DOT] edu
Subject: http [code containing upper- and lower-case letters]
Mail-To-News-Contact: postmaster@nym.alias.net
Organization: mail2news@nym.alias.net
Newsgroups: alt.comp.virus
Lines: 46
KUWJGJWCVICGIWIWCZIWHCFXCHB
[continues].... [more coded lines]
[terminated by four asterisks] ****
The plugins are saved in %WinDIR%\%SystemDIR% under random names. Some of the actual plugins are:
@@@@ or SPIRALE - Generates a graphic spiral that cannot be stopped or closed. The file name has 8 random letters.
I_RZ - Makes a copy of the worm in ZIP and RAR archives that contain .EXE files.
AVIP or AVINET.DAT - Keeps the infected computer from accessing antivirus websites.
SUB7 - Looks for computers infected with Backdoor-G Trojans, copies itself to them and runs on them.
ENCR or POLY
TEXT or PR0N - Sends a message with the virus, according to the infected system's language:
From: Hahaha [hahaha@sexyfun.net]
Subject:
Snowhite and the Seven Dwarfs - The REAL story!
Les 7 coquir nains *or* Blanche neige et ...les sexe nains
Enanito si, pero con que pedazo!
Branca de Neve pornô!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...
Faltaba apenas un dia para su aniversario de de 18 años. Blanca de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande* sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...
Faltava apenas um dia para o seu aniversario de 18 anos. Branca de Neve estava muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa. As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...
Attachment:
sexy virgin.scr
joke.exe
midgets.scr
dwarf4you.exe
blancheneige.exe
sexynain.scr
blanche.scr
nains.exe
enano.exe
enano porno.exe
blanca de nieve.scr
enanito fisgon.exe
branca de neve.scr
atchim.iexe
dunga.scr
anão pornô.scr
A later version uses the following words in the emails:
"Anna"
"Raquel Darian"
"Xena"
"Xuxa"
"Suzete"
"famous"
"celebrity rape"
"leather"
"sex"
"sexy"
"hot"
"hottest"
"cum"
"cumshot"
"horny"
"anal"
"gay"
"oral" etc.
If Hybris has no plugin for sending text messages, it sends a message with no subject and no sender.
Technical Details
When first activated, W95/Hybris.Gen.3 tries to infect WSOCK32.DLL in %WinDIR%\%SystemDIR%.
If the file cannot be infected because it is already in use, the worm makes an infected copy of WSOCK32.DLL. The copy has no extension and its name consists of 8 random characters.
The worm then adds a line to WININIT.INI so that, the next time the computer starts up, the copy replaces the original WSOCK32.DLL file.
The modified file monitors all Internet activity and tries to write a copy of the worm to an .EXE or .SCR file in order to send it to email addresses.
This Internet worm downloads encoded updates from Internet websites:
HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT
Description inserted by Crony Walker on Tuesday, June 15, 2004