Politech mailing list archives

FC: More on "Snow White" worm, identified as Hybris.B/Hybris.C


From: Declan McCullagh <declan () well com>
Date: Mon, 04 Dec 2000 23:38:47 -0500

[Thanks to the politechnicals who wrote in with a positive ID on this critter. --Declan]

***********

Date: Thu, 30 Nov 2000 00:18:20 -0500 (EST)
From: Jonathan Nash <jnash () qis net>
To: Declan McCullagh <declan () well com>
Subject: More information on Hybris

Here is what Sophos Antivirus says about Hybris.B and Hybris.C:

X-URL: http://www.sophos.com/virusinfo/analyses/w32hybrisc.html

   Name: W32/Hybris-C
   Type: Win32 worm
   Detection:

   Detected by Sophos Anti-Virus version 3.41 or later. An update (IDE
   file) is available for earlier versions from the Latest virus
   identities section.

   Sophos has received several reports of this worm from the wild.
   Comments:

   W32/Hybris is a worm capable of updating its functionality over the
   internet.

   It consists of a base part and a collection of upgradeable components.
   The components are stored within the worm body encrypted with 128-bit
   strong cryptography.

   When run, the worm infects wsock32.dll. Whenever an email is sent, the
   worm attempts to send a copy of itself in a separate message to the
   same recipient.

   The text of the email message is determined by one of the installed
   components, and hence can be changed by the upgrading mechanism
   detailed below.

   Versions of the worm seen by Sophos check the language settings of the
   computer it has infected, and select a message accordingly from:

   English

   Subject:
   Snowhite and the Seven Dwarfs - The REAL story!

   Message text:
   polite with Snowhite. When they go out work at mornign, they promissed
   a *huge* surprise. Snowhite was anxious. Suddlently, the door open,
   and the Seven Dwarfs enter...

   French

   Subject:
   aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de
   chez

   Message text:
   sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures
   comme toujours, ils sont rentrés du travail. Mais cette fois ils
   avaient un air coquin...

   Portuguese

   Subject:
   muito feliz e ansiosa, porque os 7 anões prometeram uma *grande*
   surpresa.

   Message text:
   As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao
   estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...

   Spanish

   Subject:
   siempre muy bien cuidada por los enanitos. Ellos le prometieron una
   *grande*

   Message text:
   sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian
   un brillo incomun en los ojos...

   The methods for upgrading the worm can also be changed as they are
   also upgradable components. At the time of writing, two have been
   seen.

   One of the upgrading techniques attempts to download the encrypted
   components from a website which is presumably operated by the worm
   author. This website has since been disabled. However, this component
   could be upgraded to have a different web address.

   The other method involves posting its current plug-ins to the usenet
   newsgroup alt.comp.virus, and upgrading them from other posts by other
   infections of the worm. These are again in the encrypted form, and
   have a header with a four character identifier and a four character
   version number, in order for the worm to know which plug-ins to
   install.

   Another component of the worm searches the PC for .ZIP and .RAR
   archive files. When it finds one, it searches inside it for a .EXE
   file, which it renames to .EX$, and then adds a copy of itself to the
   archive using the original filename.

   There is a payload component, which on the 24th of September of any
   year, or at 1 minute to the hour on any day in the year 2001, displays
   a large animated spiral in the middle of the screen which is difficult
   to close.

   Image of large animated spiral.

   There is also a component that applies a simple polymorphic encryption
   to the worm before it gets sent by email. By upgrading this component
   the author is able to completely change the appearance of the worm in
   unpredictable ways in an attempt to defeat anti-virus products
   detecting it.

--------------------------------------------------------

X-URL: http://www.sophos.com/virusinfo/analyses/w32hybrisb.html

   Name: W32/Hybris-B
   Type: Win32 worm
   Detection:

   Detected by Sophos Anti-Virus version 3.40 or later. An update (IDE
   file) is available for earlier versions from the Latest virus
   identities section.

   Sophos has received several reports of this virus from the wild.
   Comments:

   W32/Hybris-B is a worm capable of updating its functionality over the
   internet.

   It consists of a base part and a collection of upgradeable components.
   The components are stored within the worm body encrypted with 128-bit
   strong cryptography.

   When run, the worm infects wsock32.dll. Whenever an email is sent, the
   worm attempts to send a copy of itself in a separate message to the
   same recipient.

   The text of the email message is determined by one of the installed
   components, and hence can be changed by the upgrading mechanism
   detailed below.

   Versions of the worm seen by Sophos check the language settings of the
   computer it has infected, and select a message accordingly from:

   English

   Subject:
   Snowhite and the Seven Dwarfs - The REAL story!

   Message text:
   polite with Snowhite. When they go out work at mornign, they promissed
   a *huge* surprise. Snowhite was anxious. Suddlently, the door open,
   and the Seven Dwarfs enter...

   French

   Subject:
   aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de
   chez

   Message text:
   sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures
   comme toujours, ils sont rentrés du travail. Mais cette fois ils
   avaient un air coquin...

   Portuguese

   Subject:
   muito feliz e ansiosa, porque os 7 anões prometeram uma *grande*
   surpresa.

   Message text:
   As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao
   estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...

   Spanish

   Subject:
   siempre muy bien cuidada por los enanitos. Ellos le prometieron una
   *grande*

   Message text:
   sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian
   un brillo incomun en los ojos...

   The methods for upgrading the worm can also be changed as they are
   also upgradable components. At the time of writing, two have been
   seen.

   One of the upgrading techniques attempts to download the encrypted
   components from a website which is presumably operated by the worm
   author. This website has since been disabled. However, this component
   could be upgraded to have a different web address.

   The other method involves posting its current plug-ins to the usenet
   newsgroup alt.comp.virus, and upgrading them from other posts by other
   infections of the worm. These are again in the encrypted form, and
   have a header with a four character identifier and a four character
   version number, in order for the worm to know which plug-ins to
   install.

   Another component of the worm searches the PC for .ZIP and .RAR
   archive files. When it finds one, it searches inside it for a .EXE
   file, which it renames to .EX$, and then adds a copy of itself to the
   archive using the original filename.

   There is a payload component, which on the 24th of September of any
   year, or at 1 minute to the hour on any day in the year 2001, displays
   a large animated spiral in the middle of the screen which is difficult
   to close.

   Image of large animated spiral.


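The Sophos write-up above says the archive component renames NAME.EXE to NAME.EX$ inside a .ZIP and adds the worm under the original NAME.EXE. That leaves a recognisable fingerprint: an archive containing both NAME.EXE and NAME.EX$. The following is an added example (not Sophos' or the worm's code) that builds a constructed archive in that state and scans for the pattern with Python's standard zipfile module; .RAR archives, which Sophos also mentions, are not covered because the standard library has no RAR reader. Function and entry names are this example's own.

```python
import io
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: an archive in the state the write-up describes.

    tool.exe was renamed to tool.EX$ and a new tool.exe (here a harmless
    placeholder string, not a real program) was added under the old name.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.EX$", b"MZ original program (constructed placeholder)")
        zf.writestr("tool.exe", b"MZ added file (constructed placeholder)")
        zf.writestr("readme.txt", b"documentation")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample: an ordinary archive with a single executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.exe", b"MZ original program (constructed placeholder)")
        zf.writestr("readme.txt", b"documentation")
    return buf.getvalue()


def scan_archive(zip_bytes: bytes) -> dict:
    """Look for the EXE/EX$ swap pattern inside a ZIP archive.

    Returns:
      swapped:   stems that have BOTH a .exe and a .ex$ entry (high confidence)
      ex_dollar: every .ex$ entry seen (lower confidence; .ex$ is not a
                 normal extension, so it is worth a look on its own)
    Names are compared case-insensitively because the worm's rename and the
    original entry may differ in case.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    by_stem: dict[str, set[str]] = {}
    ex_dollar: list[str] = []
    for name in names:
        lower = name.lower()
        if lower.endswith(".ex$"):
            ex_dollar.append(name)
            by_stem.setdefault(lower[:-4], set()).add("ex$")
        elif lower.endswith(".exe"):
            by_stem.setdefault(lower[:-4], set()).add("exe")

    swapped = sorted(stem for stem, exts in by_stem.items() if exts == {"exe", "ex$"})
    return {"swapped": swapped, "ex_dollar": sorted(ex_dollar)}


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()), ("clean", build_clean_archive())):
        print(label, scan_archive(data))
```

The two-list result keeps the high-confidence signal (both entries present) separate from the weaker one (any .EX$ entry), so a response playbook can quarantine on the first and only log the second. Note that the check keys on the rename pattern, not on the worm's body, so it still works after the polymorphic component has changed the worm's appearance.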
***********

Date: Wed, 29 Nov 2000 22:30:56 -0800
From: Troy Davis <troy () nack net>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: "Snow White" virus seems to be spreading via spam
User-Agent: Mutt/1.2.5i

On Wed, 29 Nov 2000, Declan McCullagh <declan () well com> wrote:

> for congresscritters to use this (if it checks out) as more reasons to
> "regulate" spam next session.

95% of the spam I get - which is a large enough quantity to be a
representative sample, IMO - either originated from or was relayed through
a machine outside the USA.

I despise spam, but I don't think that a US law, even if it was adequately
enforced, would do anything but push the other 5% offshore.

Disconnecting Taiwan, China, Korea, and Hong Kong from the Internet would
kill just about all of the most frequently abused SMTP relays (and a good
portion of smurf amplifiers, too). :)

Cheers,

Troy

***********

From: terry.s () juno com
To: declan () well com
Date: Thu, 30 Nov 2000 03:05:24 -0500
Subject: Re: FC: "Snow White" virus seems to be spreading via spam
X-Mailer: Juno 4.0.11

Hi Declan!


I was sent that joke virus message yesterday from a Brazilian site, in
Spanish.  Now (from your message) I know what the joke was supposed to
be.  Note the file type my (up to date engine and DAT) McAfee VShield
properly trapped the file attachment from opening, which is different as
to file type and virus than the one your message notes.  My SPAM
complaint to the Brazilian ISP copied below contains those details.

As to congresscritters, how could they legislate against this foreign
nuisance?

As big an issue as not executing unknown .vbs and .exe is keeping
software up to date.  Within the last week I applied SR-1a to my Office
2000, which already had SR-1, SR-1 to IE 5.50 previously installed to
enhance security, and more patches to Win98, for the second time.  A
significant number of those, each round of updates, included critical
security issues and not just bug fixes and feature enhancements.  We as a
community have pressured uSoft to be more responsible about releasing
such patches and security defaults, but it takes users installing
critical updates for them to be effective.  (Juno email client is
minimally virus susceptible, while I mostly use Netscape 4.7x over IE for
browsing, but have a full scope of uSoft business and home products
installed.)

Congress can't legislate that.  I'd support civil liability mechanisms
for reckless corporations and idiot net users buying retail black boxes
who don't devote labor for maintenance (or budget if they can't do it
themselves, even if 10 times the cost of the box), such that they could
be held liable just as if they drove a car with failed brakes or steering
and hit someone.  At the same time, I have serious reservations that such
liability could be implemented without opening a risky door to invading
lots of privacy issues inspecting the systems, software, and personal
practices of individuals.

Under existing computer crimes law of my state, I could file a complaint
and request a felony investigation of the instance yesterday.  Would
Federal law accomplish any more than existing state law, which is useless
in this type of instance?  Maybe it would allow going after the two Dish
Network and one online casino folks who forged foreign servers from
apparently domestic businesses yesterday in their SPAM, but only if
linked to SPAM support businesses operating WATS and FAX response centers
contracting with the direct SPAMmers.  A couple months ago, I also got
SPAM promoting a Hillary Clinton election site.  Laws holding the target
site operator liable for the SPAM could get very interesting, especially
if sending SPAM promoting an opponent could result in penalties against
the target site operator.  It's a tricky subject to legislate in ways
that are effective, but not open to abuse.  Then we move on to consider
costs of investigation when headers are forged internationally, and
wonder what the FBI threshold for serious investigation would be,
regardless of law.  FBI cases are subject to economic criteria for
investigation, and not based on merely whether a complaint of an
apparently legitimate crime has been placed (except when politically
based legal lynchings).


 --  Terry

***********

Date: Thu, 30 Nov 2000 04:12:51 -0500
From: WWWhatsup <joly () dti net>
To: declan () well com
Subject: Re: FC: "Snow White" virus seems to be spreading via spam

not a worm but a frequent arrival in my inbox is
the Afghan Women's Petition detailed on
http://urbanlegends.about.com/science/urbanlegends/library/blafghan.htm
Such a heh, Snow White, cause it's unstoppable...


I raised the topic of online petitions with the Internet Society,
earlier in the year, and we actually have a panel coming here
in NYC at which their validity and advisability will be discussed.
http://zope.isoc-ny.org/isoc-ny/975204784/index_html
[snip-DBM]

***********

From: "Heasman,David" <David.Heasman () seacontainers com>
To: "'declan () well com'" <declan () well com>
Subject: FW: A message from owner-politech () politechbot com has been blocked.
Date: Thu, 30 Nov 2000 09:46:43 -0000

Declan -

Our virus/sweeping software is over-sensitive by huge amounts,
banning thehungersite and epn.net as terrorist, but I guess you should see this : -


> -----Original Message-----
> From: support.desk () seacontainers com [SMTP:support.desk () seacontainers com]
> Sent: Thursday, November 30, 2000 5:15 AM
> To:   David.Heasman () seacontainers com
> Subject:      A message from owner-politech () politechbot com has been
> blocked.
>
> This is an automated message generated by Mailsweeper, the software we use
> to scan all email messages.
>
> A message from owner-politech () politechbot com entitled "FC: "Snow White"
> virus seems to be spreading via spam"  addressed to you has been placed in
> quarantine. Mailsweeper detected that the email contains a potentially
> damaging Visual Basic script.
>
> If you know the sender and trust the content of the attachment, please
> contact the Support Centre to have it released.
>
> If you take no action the message will be deleted in 30 days time.


***********

From: "Erich Moechel" <me () quintessenz at>
To: declan () well com
Date: Thu, 30 Nov 2000 13:08:45 +0100
Subject: Re: FC: "Snow White" virus seems to be spreading via spam

On 29 Nov 00, at 23:54, Declan McCullagh added to the bitstream:

> A new Windows virus or worm appears to be spreading through spam. I
> received two copies of the below "Snowhite and the Seven Dwarfs" joke
> today. Attached to it was a file called "joke.exe" that Wired's email
> scanner (AMaViS, at amavis.org) flagged with this error message: "Our
> viruschecker found a VIRUS in your email"

Declan,

I received this .exe as well two days ago. It was directed not 2 my
own address but 2 my newsletter-list. Nobody else seems 2 know it,
right now I have people from kaspersky's gang avp.com analyzing
ur exemplar. I  deleted mine but it was exactly the same text &
.exe as u described. No idea whats in it.

Heard about yesterday's "Afeto"? Worm/Macrovirus combination in
a *very* clever disguise.
cu
Erich


***********

Date: Thu, 30 Nov 2000 08:25:43 -0500 (EST)
From: Bob Broedel <bro () met fsu edu>
To: declan () well com
Subject: re: snow white


===================================================================
Forum  : news.admin.net-abuse.email
Subject: Re: Snow white?
Date   : 11/28/2000
Author : Patricia A. Shaffer <ramsa () swva net>

Read about the W32.Hybris Internet worm here ...
http://www.viruslist.com/eng/viruslist.asp?id=4112&key=00001000130000100044

The sender is probably unaware that he has been infected.  Hybris gathers
e-mail addresses from incoming and outgoing data, waits for awhile, then
sends itself to those addresses.  The best thing to do is to notify
postmaster@ (whatever the sending domain name is) and ask them to notify
the user.

Note that the attachments can have various names.  These are the names
listed at the above site (asterisks for the ones I have received so far)

 enano.exe
 enano porno.exe
 blanca de nieve.scr
 enanito fisgon.exe
 sexy virgin.scr*
 joke.exe*
 midgets.scr
 dwarf4you.exe*
 blancheneige.exe
 sexynain.scr
 blanche.scr
 nains.exe
 branca de neve.scr*
 atchim.exe*
 dunga.scr
 anso porn/.scr* [actually anao porno.scr]

 --
 Patricia

 "Anti-spammers are the immune system of the Internet." (CDR M. Dobson)
 "The spam wars are about rendering email useless for unsolicited
 advertising before unsolicited advertising renders email useless
 for communication."(Walter Dnes/Jeff Wynn) Opt-out is cop-out!
 <http://www.cauce.org>
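Patricia's list of attachment names, together with the English subject line from the Sophos analysis earlier in this message, is enough to write a simple mail-gateway check like the Mailsweeper quarantine David Heasman's message quotes. The following is an added example, not code from any of the correspondents or from Sophos: it parses two constructed RFC 822 messages with Python's email module, matches the subject and attachment filenames against those lists, and, because Patricia notes the names vary, also flags any .exe/.scr attachment that is not on the list. Sample messages, sender addresses and function names are constructed for the example.

```python
import email
from email import policy

# Subject line quoted in the Sophos analysis (English variant).
KNOWN_SUBJECTS = {
    "snowhite and the seven dwarfs - the real story!",
}

# Attachment names from Patricia's list (lower-cased for matching).
KNOWN_ATTACHMENTS = {
    "enano.exe", "enano porno.exe", "blanca de nieve.scr", "enanito fisgon.exe",
    "sexy virgin.scr", "joke.exe", "midgets.scr", "dwarf4you.exe",
    "blancheneige.exe", "sexynain.scr", "blanche.scr", "nains.exe",
    "branca de neve.scr", "atchim.exe", "dunga.scr", "anao porno.scr",
}

EXECUTABLE_SUFFIXES = (".exe", ".scr")

# Constructed sample: the shape of the message Declan described
# (joke subject, joke.exe attached). The base64 body is a harmless placeholder.
SAMPLE_INFECTED = """From: someone@example.invalid
To: declan@example.invalid
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

polite with Snowhite. When they go out work at mornign...
--b1
Content-Type: application/octet-stream; name="joke.exe"
Content-Disposition: attachment; filename="joke.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed sample: an ordinary message with a text attachment.
SAMPLE_CLEAN = """From: colleague@example.invalid
To: declan@example.invalid
Subject: Agenda for Thursday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: text/plain; name="agenda.txt"
Content-Disposition: attachment; filename="agenda.txt"

1. Petitions panel
--b2--
"""


def classify_message(raw: str) -> dict:
    """Return what matched and a verdict: 'quarantine', 'review' or 'pass'."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    subject_match = subject in KNOWN_SUBJECTS

    attachments = [
        (part.get_filename() or "") for part in msg.iter_attachments()
    ]
    matched = sorted(a for a in attachments if a.lower() in KNOWN_ATTACHMENTS)
    # Names vary between variants, so any executable attachment is worth a look.
    unknown_exec = sorted(
        a for a in attachments
        if a.lower().endswith(EXECUTABLE_SUFFIXES) and a.lower() not in KNOWN_ATTACHMENTS
    )

    if subject_match or matched:
        verdict = "quarantine"
    elif unknown_exec:
        verdict = "review"
    else:
        verdict = "pass"

    return {
        "subject_match": subject_match,
        "attachments": attachments,
        "matched_attachments": matched,
        "unknown_executables": unknown_exec,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(classify_message(SAMPLE_INFECTED))
    print(classify_message(SAMPLE_CLEAN))
```

The three-way verdict reflects the point made in the thread: a name list catches the samples seen so far, but because the worm's message text and filenames are upgradeable components, the executable-attachment rule is the part that keeps working after the list goes stale.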


***********

Date: Fri, 01 Dec 2000 09:00:47 -0800
To: list <cypherpunks () openpgp net>
From: Bill Stewart <bill.stewart () pobox com>
Subject: Two MS mail viruses - SnowWhite and ShockwaveFlash
Cc: declan () well com

Well, we've got two gifts from Microsoft's email architecture
going around this week.  Not only is there the Snow White thing,
but there's a Shockwave Flash thing that's spreading around as well.
I don't know if it autoexecutes on Outlook, or if it's just an
IBM-Christmas-Tree attack that entices users to click on it,
but either way, don't be surprised if you get attachments
sent to real email programs, and don't be surprised if email
to/from big corporations using Exchange gets doggy for a while.

There's more information on the Shockwave thing at vil.nai.com
                                Thanks!
                                        Bill
Bill Stewart, bill.stewart () pobox com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639


***********




-------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

