RealTime IT News

Hybris Worm Prowls The Net, Awaits Lethal Plug-ins

Kaspersky Lab, an international data-security software-development company, warns users of the discovery of Hybris, a new Internet worm. Kaspersky Lab has been receiving reports of the discovery of this virus "in the wild" worldwide, being particularly active in Latin America although infections by this virus have also been found in Europe.

The Internet worm Hybris spreads by attaching itself to infected e-mails and works only under MS Windows. When the recipient executes the attached file, Hybris infects the host PC. The procedure for infection is typical for this type of malicious program and is performed in a similar way to the Happy or MTX viruses.

To proliferate, the worm infects the WSOCK32.DLL library and also intercepts the Windows function that establishes the network connection; it then scans sent and received data for any e-mail addresses, and sends copies of itself to these e-mail addresses. Subject, text and name of the attached file are chosen randomly, for example:

From: Hahaha hahaha@sexyfun.net Subject: Snowhite and the seven Dwarfs - The REAL Story! Attachment: dwarf4you.exe

In addition, this worm has some specific features. Hybris contains several (up to 32) components (plug-ins) in its code and executes them depending on its needs. The worm's functionality is mostly defined by the plug-ins. They are stored in the body of the worm and are encrypted by a very strong crypto algorithm. However, the main peculiarity is that Hybris maintains the functionality of the plug-ins: it sends its own components to the anti-virus conference "alt.comp.virus" and downloads from there any upgraded or missing plug-ins. The virus components can also be updated by the worm from the author's Web page, via the Internet. So far, plug-ins found in the known versions of this virus and those at the Web site are fairly harmless and do not cause any direct damage. But, the fact that they can be updated means that they may be given completely different functions, for example, installing a Trojan horse backdoor. Although there have previously been some cases when a malicious program has been updated from the Internet, this is the first time it has occurred on this scale "in the wild."

'What we have here is perhaps the most complex and refined malicious code in the history of virus writing," comments Eugene Kaspersky, head of the companys Anti-Virus Research Center. "Firstly, it is defined by an extremely complex style of programming. Secondly, all the plug-ins are encrypted with a very strong RSA 128-bit crypto-algorithm key. Thirdly, the components themselves give the virus writer the possibility to modify his creation "in real time," and in fact allow him to control infected computers worldwide."