Security Incidents mailing list archives
Re: Hybris Worm
From: Brett Glass <brett () LARIAT ORG>
Date: Sat, 3 Feb 2001 19:36:58 -0700
The "name" of the box means nothing. It's just the name that the worm's built-in SMTP mailer included in the HELO command it transmitted to your mail server. I've trapped hundreds of copies of Hybris, and in most of them this is a bogus string. Now and then it will be the name given to the machine for Windows networking. I haven't analyzed the Hybris code, so I'm not sure if the differences are the result of mutation, add-on "modules," or a randomizing routine in the worm code. I do know that some ISPs (uswest.net in particular) have rigged their mail servers to substitute the sender's user ID for the string in the HELO command. This makes it possible to identify the sender. Hybris is a nasty worm because it's often hard to identify the sender and get him or her to disinfect. If I can't tell who the sender was (which is what happens most of the time), I send a message to the sender's ISP, asking them to check the logs, find out who was at the listed IP at that time, and give him or her a call.

--Brett

At 06:18 PM 2/3/2001, Gilbert Alaverdian wrote:
Howdy, I also just received a file called AJPIIDAJ.EXE. It's 23,040 bytes in size - larger than what Peter Harkins was sent (20,340 - maybe a typo?). Notice the name of the guy's box that sent it....

--------------------------
X-Persona: <gilbert.a@neo>
Received: from hacker (ppp-171-74.30-151.libero.it [151.30.74.171]) by xticket (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP id IAA00042 for <gilbert.a () neo net au>; Sat, 03 Feb 2001 08:01:46 -0800
Date: Sat, 03 Feb 2001 08:01:46 -0800
Message-Id: <200102031601.IAA00042@xticket>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEJS9Q7KLYBGHYBK5"
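As an added example (not part of the thread), a small Python parser that separates the client-supplied HELO name from the fields the receiving MTA recorded itself, using the Received: line Gilbert posted; the IP and timestamp are what an abuse report to the ISP can rely on, while the HELO string is whatever the worm's mailer chose to send. The folding of the sample header across continuation lines is constructed.

```python
import re
from dataclasses import dataclass

# Received: line from the post above, folded onto continuation lines
# (folding is constructed) to show that unfolding is handled.
SAMPLE_RECEIVED = (
    "Received: from hacker (ppp-171-74.30-151.libero.it [151.30.74.171])\n"
    "\tby xticket (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP id IAA00042\n"
    "\tfor <gilbert.a () neo net au>; Sat, 03 Feb 2001 08:01:46 -0800"
)

# Layout: from <HELO> (<rDNS> [<IP>]) by <our MTA> ... ; <timestamp>
_RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9.]+)\]\)\s+"
    r"by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$",
    re.DOTALL,
)

@dataclass
class ReceivedHop:
    helo: str   # chosen by the sending client; untrusted
    rdns: str   # reverse lookup done by the receiving MTA
    ip: str     # peer address seen by the receiving MTA
    by: str     # the MTA that wrote this header
    date: str   # the MTA's own timestamp

def unfold(header: str) -> str:
    """Join RFC 822 continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()

def parse_received(header: str) -> ReceivedHop:
    m = _RECEIVED_RE.match(unfold(header))
    if not m:
        raise ValueError("unrecognised Received: header layout")
    return ReceivedHop(**m.groupdict())

def helo_looks_bogus(hop: ReceivedHop) -> bool:
    """True when the HELO name is not a FQDN or disagrees with the rDNS name."""
    return "." not in hop.helo or hop.helo.lower() != hop.rdns.lower()

def abuse_report_facts(header: str) -> dict:
    """Only the fields the sender's ISP can check against its own logs."""
    hop = parse_received(header)
    return {
        "ip": hop.ip,
        "seen_at": hop.date,
        "rdns": hop.rdns,
        "helo_untrusted": helo_looks_bogus(hop),
    }
```

Run against the sample header it reports 151.30.74.171 at the MTA's timestamp and flags "hacker" as a bogus HELO, which is exactly the split Brett describes.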
Current thread:
- Hybris Worm Gilbert Alaverdian (Feb 03)
- Re: Hybris Worm Brett Glass (Feb 04)
- Re: Hybris Worm gabriel rosenkoetter (Feb 04)
- Re: Hybris Worm PRESSO-CERT (Feb 04)