Heybro | |
---|---|
Type | File virus |
Creator | worm? |
Date Discovered | 2002.02.08 |
Place of Origin | |
Source Language | |
Platform | DOS, MS Windows* |
File Type(s) | .exe |
Infection Length | 114,875 bytes |
Heybro is a virus that spreads by prepending itself to .exe files as well as spreading by email. It is a curiosity because it appears to require a DOS system to run, but infects files in a folder unique to Windows. It was discovered in early 2002, at a time when DOS threats were mostly a thing of the past.
Behavior
When Heybro is executed, it prepends itself to all .exe files in the \Windows folder. It drops a file named Energy.VBS, which when executed, sends a copy of Heybro to the first 100 recipients in the user's Microsoft Outlook address book.
The subject of the email is "FWD: Stuff". The message contains the text:
Rulez :)
-----Original Message-----
> Hi,
> Thanks for your attendance, here's it.
> Please let me know if you like it.
> C ya
Variants
There is one variant known as Dixie, which appeared around two weeks later on March 13. It is sometimes also called Heybro.B.
When executed, the worm searches for mIRC on the hard drive from which it is run. It also searches for a Windows installation, and on finding the file Win.com, it will assume it has found one. If it finds the Windows folder, it copies itself there and creates a Winstart.bat file that runs the worm every time Windows starts. This worm infects DOS executable files by prepending itself to an encrypted copy of the host file. If a copy of the worm which has not been prepended to a host is executed, it displays the following message:
Your program caused a divide overflow error.
If the problem persists, contact your program vendor.
If the worm finds a mIRC folder, it will create a Script.ini file that will send the virus to any user who logs on to the same IRC channel as the infected user.
Dixie also inserts a Visual Basic Script on the system, and then executes it. This script emails the worm to the first 100 contacts in the user's address book.
This variant's email may have the subject of either "FWD: Stuff" or "FWD:Request". The message body has five lines, each line with two possibilities for the text. Line one is either "Rulez :)" or "Cool! ;-)". Line two is either "> Hello!" or "> Hi,". Line three is either "> I've just finished this thing, give it a try!" or "> Thanks for your attendance, here's it.". Line four is either "> Please let me know if you like it." or "> I'd be happy if you could help me by sending any remarks.". Line five is either "> C ya" or "> Bye now…".
Its attachment will be named "DIXIE.EXE", "FLATLINE.EXE" or "ROMCARD.EXE".
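The lure described above (two fixed subjects, five scripted body lines with two alternatives each, and three attachment names) is rigid enough to match mechanically at a mail gateway. The following is an added example written for this page, not code from the page's sources; the "flag on subject plus three scripted lines, or on a known attachment name" threshold, the skipping of the "-----Original Message-----" separator, and the constructed sample messages are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure strings as described on this page for Heybro and its Dixie variant.
LURE_SUBJECTS = {"FWD: Stuff", "FWD:Request"}
LURE_ATTACHMENTS = {"DIXIE.EXE", "FLATLINE.EXE", "ROMCARD.EXE"}
# Five scripted body lines, two texts each; Heybro.A always uses the second text.
LURE_BODY_LINES = [
    ("Rulez :)", "Cool! ;-)"),
    ("> Hello!", "> Hi,"),
    ("> I've just finished this thing, give it a try!", "> Thanks for your attendance, here's it."),
    ("> Please let me know if you like it.", "> I'd be happy if you could help me by sending any remarks."),
    ("> C ya", "> Bye now…"),
]

def body_lines(msg: EmailMessage) -> list:
    """Non-empty text/plain lines, minus the '-----Original Message-----' separator."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    return [ln.rstrip().replace("...", "…") for ln in text.splitlines()
            if ln.strip() and not ln.startswith("-----")]

def classify(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and compare it with the Heybro/Dixie lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = (msg["Subject"] or "").strip() in LURE_SUBJECTS
    line_hits = sum(1 for ln, opts in zip(body_lines(msg), LURE_BODY_LINES) if ln in opts)
    names = {p.get_filename().upper() for p in msg.iter_attachments() if p.get_filename()}
    attachment_hit = bool(names & LURE_ATTACHMENTS)
    # Threshold is an assumption: known subject plus >= 3 scripted lines, or a known name.
    flagged = (subject_hit and line_hits >= 3) or attachment_hit
    return {"subject": subject_hit, "body_lines": line_hits,
            "attachment": attachment_hit, "flagged": flagged}

def build_sample(subject: str, body: str, filename: str = "") -> bytes:
    """Constructed test mail, not a real capture; the attachment payload is a dummy."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"MZ-dummy-not-a-binary", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed bodies reproducing the two lures quoted on this page.
HEYBRO_A = ("Rulez :)\n-----Original Message-----\n> Hi,\n> Thanks for your attendance, here's it.\n"
            "> Please let me know if you like it.\n> C ya\n")
DIXIE = ("Cool! ;-)\n> Hello!\n> I've just finished this thing, give it a try!\n"
         "> I'd be happy if you could help me by sending any remarks.\n> Bye now...\n")
```

`classify(build_sample("FWD:Request", DIXIE, "ROMCARD.EXE"))` reports all five lines and the attachment name and is flagged, while ordinary mail with a different subject and attachment scores zero lines and is not.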
The body of this variant contains the text string:
Hey, bro! I'm the Dixie Flatline, best cowboy that ever punched deck.
dixie flatline - biocoded by worm
Sources
Douglas Knowels. Symantec Security Response, HLLP.Heybro@mm. 2007.02.13
Atli Gudmundsson. Symantec Security Response, Dixie@mm. 2007.02.13
Sophos Antivirus, HLLP/HeyBro-B