|Place of Origin||Brazil|
|File Type(s)||.exe, .scr, dll*|
|Infection Length||22,528 bytes|
Hybris, sometimes also called Snow White, is an email worm coded by Vecna of the group 29A. Its most distinguishing feature is its use of updateable plugins. The worm is similar in some ways to Happy99, particularly in that it sends itself as a second email to the person the user sends an email to. It was published in issue 7 of 29A magazine.
Hybris arrives in an email with a sender line of ten.nufyxes|ahahah#ten.nufyxes|ahahah and a subject line of "Snow White and the Seven dwarves". The attachment may be one of the following:
- anpo porn(.scr
- branca de neve.scr
- enano porno.exe
- sexy virgin.scr
The body includes text in English and Portuguese:
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Faltaba apenas un dia para su aniversario de de 18 a?ños. Blanca de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande* sorpresa para su fiesta de complea?ños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...
When the worm is executed, it modifies the Wsock32.dll in a way that allows it to monitor the Internet connection and outgoing mail. Hybris can not infect Wsock32.dll if it is in use. If it is in use while the worm is first executed, it modifies the current user or local machine run once registry keys so it may run before the user connects to the Internet, which requires this file be in use. It alternates between the two with each new machine infected.
The worm hooks the exports send(), recv() and connect(). As it monitors the traffic running through this file, it scans the traffic for email addresses. It essentially collects email addresses listed on websites as well as any from the sender, receiver, CC or other lines or even ones listed in the body of the email. Whenever the user sends email, the worm sends a second email to that person with a copy of itself using a random file name.
Hybris attempts to connect to the alt.comp.virus newsgroup. If it is successful, it uploads its plugins in encrypted form to the newsgroup. The subject of the message containing the plugins will include the version number of the attached plugin. If it finds newer versions of the plugin, it will download the newest one.
One of the known plugins for this worm generates a black and white spiral image. It is registered as a service, so it will not show in the Close Programs dialog box. Another plugin drops a virus which infects .exe files. It drops an .exe file in a temporary folder, executes it and then deletes it. The code is appended to 16-bit DOS .exe files. Portable executables become infected if they have a code section long enough to fit into, in which case, the virus overwrites it.
Hybris was released into the wild and even made the charts for most common viruses. One observer called it a possible "sleeper hit" noting its very slow but stealthy spreading. Its plugin updating ability was also a source of concern for some researchers who speculated on what other kinds of things could be done with that model. By the 31st of October in 2002, Hybris.B was at number 9 in the virus/worm charts, over two years after the original was released.
Name and Origin
The worm was coded in Assembly by Brazilian hacker Vecna. It was published in the 29A magazine in issue 7. Other members of a group called VX-BRAZIL may have also had a hand in the worm.
Cary Ng. Symantec, W95.Hybris.gen. 2007.02.13
CNet, Hybris virus: A sleeper hit? 2001.01.11
John Leyden. The Register, BugBear tops virus charts as Klez refuses to die. 2002.10.31
-. -, Vandals behind spread of Hybris worm named. 2001.01.12
CERT, Open mail relays used to deliver "Hybris Worm". 2001.03.02