Security Incidents mailing list archives

Re: Hybris Worm


From: Brett Glass <brett () LARIAT ORG>
Date: Sat, 3 Feb 2001 19:36:58 -0700

The "name" of the box means nothing. It's just the name that
the worm's built-in SMTP mailer included in the HELO command it
transmitted to your mail server. I've trapped hundreds of
copies of Hybris, and in most of them this is a bogus string.
Now and then it will be the name given to the machine for
Windows networking. I haven't analyzed the Hybris code, so I'm
not sure if the differences are the result of mutation, add-on
"modules," or a randomizing routine in the worm code. I do
know that some ISPs (uswest.net in particular) have rigged
their mail servers to substitute the sender's user ID for
the string in the HELO command. This makes it possible to
identify the sender.

Hybris is a nasty worm because it's often hard to identify the
sender and get him or her to disinfect. If I can't tell who
the sender was (which is what happens most of the time), I
send a message to the sender's ISP, asking them to check the
logs, find out who was at the listed IP at that time, and
give him or her a call.

--Brett

At 06:18 PM 2/3/2001, Gilbert Alaverdian wrote:

Howdy,

I also just received a file called AJPIIDAJ.EXE.
It's 23,040 bytes in size - larger than what Peter Harkins was sent (20,340
- maybe a typo?)

notice the name of the guy's box that sent it....

--------------------------
X-Persona: <gilbert.a@neo>
Received: from hacker (ppp-171-74.30-151.libero.it [151.30.74.171])
         by xticket (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP
         id IAA00042 for <gilbert.a () neo net au>; Sat, 03 Feb 2001 08:01:46 -0800
Date: Sat, 03 Feb 2001 08:01:46 -0800
Message-Id: <200102031601.IAA00042@xticket>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEJS9Q7KLYBGHYBK5"
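As an added illustration of Brett's point (this code is not part of the original messages), here is a small parser that separates the client-asserted HELO name in a Received header from the reverse-DNS name and IP address that the receiving server itself recorded. The sample header is the one quoted in the thread, folded onto one line; the regex assumes the common sendmail-style "from HELO (rdns [ip]) by ..." layout.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Received header quoted in this thread, folded onto one line.
SAMPLE_RECEIVED = (
    "from hacker (ppp-171-74.30-151.libero.it [151.30.74.171]) "
    "by xticket (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP "
    "id IAA00042 for <gilbert.a () neo net au>; Sat, 03 Feb 2001 08:01:46 -0800"
)

# Assumed layout: sendmail-style "from HELO (rdns [ip]) by server ...".
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"              # name the client sent in HELO/EHLO (client-controlled)
    r"\s*\((?:(?P<rdns>[^\s\[\]]+)\s+)?"  # reverse-DNS name the server resolved (may be absent)
    r"\[(?P<ip>[0-9.]+)\]\)"              # connecting IP address the server observed
    r"\s+by\s+(?P<by>\S+)",               # the server that wrote this header
)


@dataclass
class ReceivedHop:
    helo: str            # untrusted: whatever the sending program claimed
    rdns: Optional[str]  # trusted as far as the receiving server's resolver is
    ip: str              # trusted: taken from the TCP connection
    by: str


def parse_received(header: str) -> ReceivedHop:
    """Split one Received: header into the client-asserted HELO name and the
    server-observed rDNS name and IP address."""
    m = RECEIVED_RE.match(" ".join(header.split()))  # unfold continuation lines
    if not m:
        raise ValueError("unrecognised Received header layout")
    return ReceivedHop(m["helo"], m["rdns"], m["ip"], m["by"])


def helo_is_trustworthy(hop: ReceivedHop) -> bool:
    """The HELO name only carries weight when it matches the rDNS name the
    receiving server resolved; otherwise treat it as an arbitrary string."""
    return hop.rdns is not None and hop.helo.lower() == hop.rdns.lower()


def attribution_handle(hop: ReceivedHop) -> str:
    """What to hand an ISP abuse desk: the recorded IP, never the HELO string."""
    return f"{hop.ip} ({hop.rdns or 'no rDNS'}) as seen by {hop.by}"
```

For the quoted header this yields HELO "hacker" against rDNS ppp-171-74.30-151.libero.it, so the HELO name is flagged as untrustworthy and the IP 151.30.74.171 is what goes to the ISP.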