Snowhite and the Seven Dwarfs - The REAL story!

Mario Lassnig mario at lassnig.net
Sat Dec 23 13:44:31 PST 2000


Hybris Worm
 Information about the Hybris worm:

Hybris is an email worm that infects Windows 95/98 and Windows NT/2000
based systems. It is similar to Happy99. The worm arrives through
email bearing any of the following subjects:

  a. Snowhite and the Seven Dwarfs - The REAL story! :
  b. Branca de Neve pornô! Enanito si, pero con que pedazo!:
  c. Les 7 coquir nains:

with any of the following as body text,

  a. Today, Snowhite was turning 18. The 7 Dwarfs always where very
educated and polite with Snowhite. When they go out work at mornign, they
promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door
open, and the Seven Dwarfs enter...
  b. C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui
avaient aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit
de chez sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures
comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un
air coquin...
  c. Faltaba apenas un dia para su aniversario de de 18 años. Blanca de
Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron
una *grande* sorpresa para su fiesta de compleaños. Al entardecer, llegaron.
Tenian un brillo incomun en los ojos...

and any of the following as attachment.

anão pornô.scr
atchim.exe
blanca de nieve.scr
blanche.scr
blancheneige.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enanito fisgon.exe
enano porno.exe
enano.exe
joke.exe
midgets.scr
nains.exe
sexy virgin.scr
sexynain.scr
.........etc

Opening the attachment launches the worm. If WSOCK32.DLL is being used
by Windows, then it creates a copy of the file and infects it. It gives the
new file a random eight-character file name without any
extension. The worm then overwrites WININIT.INI to continue its
infection routine on the next Windows startup. The registry modifications are
made at the following location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

For every outbound mail, the worm sends a message with a randomly chosen
subject, body text and attachment from the lists above. Plugins are
automatically updated from a website. These plugins are also converted into
newsgroup messages and posted. The worm tries to connect automatically to
several news servers to post messages to the newsgroup alt.comp.virus.

The Hybris worm first appeared in November 2000.

 Other names of Hybris worm:

This worm is also known as I-Worm.Hybris.



-- Just found this on http://www.pspl.com/virus_info/worms/hybris.htm



LG, Mario
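
A mail-filter check built from the subjects and attachment names quoted in the message above, as an added example that is not part of the original post or of the quoted write-up. The names `classify`, `norm` and `sample` and the verdict strings are assumptions; because the attachment list ends in "etc", a listed subject with an unlisted .scr/.exe attachment is reported as "suspect", while a listed subject with no attachment (such as this list post) is only "subject-only".

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above; its attachment list ends in
# "etc", so it is treated as incomplete.
SUBJECTS = (
    "snowhite and the seven dwarfs - the real story!",
    "branca de neve pornô! enanito si, pero con que pedazo!",
    "les 7 coquir nains",
)
ATTACHMENTS = {
    "anão pornô.scr", "atchim.exe", "blanca de nieve.scr", "blanche.scr",
    "blancheneige.exe", "branca de neve.scr", "dunga.scr", "dwarf4you.exe",
    "enanito fisgon.exe", "enano porno.exe", "enano.exe", "joke.exe",
    "midgets.scr", "nains.exe", "sexy virgin.scr", "sexynain.scr",
}

def norm(text):
    # NFC + casefold so re-encoded or upper-cased names still compare equal
    return unicodedata.normalize("NFC", text or "").strip().casefold()

def classify(raw):
    """Return 'match', 'suspect', 'subject-only' or 'clean' for raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = any(s in norm(msg["Subject"]) for s in SUBJECTS)
    names = [norm(p.get_filename()) for p in msg.walk() if p.get_filename()]
    if any(n in ATTACHMENTS for n in names):
        return "match"        # listed attachment name, whatever the subject
    if subject_hit and any(n.endswith((".scr", ".exe")) for n in names):
        return "suspect"      # listed subject + unlisted executable attachment
    return "subject-only" if subject_hit else "clean"

def sample(subject, filename=None):
    # Constructed test message; the 2-byte payload is a placeholder, not malware
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    story = "Snowhite and the Seven Dwarfs - The REAL story!"
    for subj, fn in [(story, "DWARF4YOU.EXE"), ("Les 7 coquir nains", "surprise.scr"),
                     ("Re: " + story, None), ("lfs-dev digest", "notes.txt")]:
        print(classify(sample(subj, fn)), "<-", subj, fn)
```

Generic names on the list such as joke.exe will also match unrelated mail, so a "match" verdict is a reason to quarantine and inspect, not proof of infection.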
