Kaspersky Labs VIRUS WARNING

Kaspersky Labs sent out a notice today concerning a new virus that is "in the wild". Dubbed Hybris, the new Outlook worm can cause serious damage to a user's computer and is unusually advanced as malicious code goes. To quote the notice: "What we have here is perhaps the most complex and refined malicious code in the history of virus writing," says Eugene Kaspersky, Head of the Company Anti-Virus Research Center.

Hybris: The Story Continues
New dangerous versions of the virus have been detected "in the wild"

Moscow, Russia, November 13, 2000 - Kaspersky Lab, an international
data-security software-development company, warns users of the discovery of
Hybris, a new Internet-worm. Kaspersky Lab has been receiving reports of the
discovery of this virus "in the wild" worldwide, being particularly active
in Latin America although infections by this virus have also been found in
Europe.

The first version of this Internet worm was discovered by Kaspersky Lab and
several other anti-virus software developers at the end of September and was
classified as a low risk malicious program. However, within the last few
days, the company has been inundated by reports from users whose computers
have been infected by this virus. At this moment, Kaspersky Lab has
discovered five versions of Hybris, and it is expected that new variations
will be found in the near future.

The Internet worm Hybris spreads by attaching itself to infected e-mails and
works only under MS Windows. When the recipient executes the attached file,
Hybris infects the host PC. The procedure for infection is typical for this
type of malicious program and is performed in a similar way to the Happy or
MTX viruses.

To proliferate, the worm infects the WSOCK32.DLL library and also intercepts
the Windows function that establishes the network connection; it then scans
sent and received data for any e-mail addresses, and sends copies of itself
to these e-mail addresses. Subject, text and name of the attached file are
chosen randomly, for example:

From: Hahaha [email protected]
Subject: Snowhite and the seven Dwarfs - The REAL Story!
Attachment: dwarf4you.exe
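The propagation mechanism above relies on the recipient running an executable attachment, which is exactly what a mail gateway can refuse or flag before delivery. The following is an added illustration, not code from Kaspersky Lab or BetaNews: a small gateway-style checker that parses a raw message, flags any executable attachment (by extension, and by the PE "MZ" header so a renamed executable is still caught), and additionally matches the specific lure quoted in the notice (the "Hahaha" sender name, the "Snowhite and the seven Dwarfs" subject, and the dwarf4you.exe attachment name). The sample messages and the example.invalid addresses are constructed for the example; because Hybris randomises subject, text and attachment name, the lure match is only a bonus and the generic executable-attachment rule is the check that actually matters.

```python
"""Gateway-style checker for mail carrying the Hybris lure described above.

Added example, not Kaspersky's or BetaNews's code.  The indicator values
(sender display name "Hahaha", the "Snowhite and the seven Dwarfs" subject,
the dwarf4you.exe attachment name) are quoted from the press release; every
message below is constructed test data.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted in the press release (one lure among many the worm uses).
LURE_SENDER_NAME = "hahaha"
LURE_SUBJECT_RE = re.compile(r"snowhite and the seven dwarfs", re.I)
LURE_ATTACHMENT = "dwarf4you.exe"

# Attachment types Windows runs directly when the recipient double-clicks them.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def analyse_message(raw: bytes) -> list[str]:
    """Return the findings for one raw RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # "Hahaha <address>" -> display name "Hahaha"
    display_name, _addr = parseaddr(str(msg.get("From", "")))
    if display_name.strip().lower() == LURE_SENDER_NAME:
        findings.append("sender display name matches Hybris lure")

    if LURE_SUBJECT_RE.search(str(msg.get("Subject", ""))):
        findings.append("subject matches Hybris lure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        is_exe_name = name.endswith(EXECUTABLE_EXTENSIONS)
        if name == LURE_ATTACHMENT:
            findings.append(f"attachment name matches Hybris lure: {name}")
        if is_exe_name:
            findings.append(f"executable attachment: {name}")
        # A PE file starts with the DOS "MZ" stub whatever it is called,
        # so an executable renamed to .jpg is still reported.
        if payload[:2] == b"MZ" and not is_exe_name:
            findings.append(
                f"attachment {name or '<unnamed>'} is a PE executable despite its name"
            )
    return findings


def build_sample(sender: str, subject: str, filename: str, content: bytes) -> bytes:
    """Construct a sample message with one attachment (test data, not a capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(content, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples: the lure from the notice, a clean message, and a
# renamed executable that the extension rule alone would miss.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "hybris_lure": build_sample("Hahaha <hahaha@example.invalid>",
                                "Snowhite and the seven Dwarfs - The REAL Story!",
                                "dwarf4you.exe", FAKE_PE),
    "clean": build_sample("Alice <alice@example.invalid>", "Q3 report",
                          "report.txt", b"quarterly numbers"),
    "renamed_pe": build_sample("Bob <bob@example.invalid>", "holiday photo",
                               "photo.jpg", FAKE_PE),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the checker over every constructed sample and collect the findings."""
    return {name: analyse_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

In a real deployment the executable-extension list and the "MZ" check are the durable part of this rule; the lure strings only catch the one subject the notice happened to quote and should be treated as a convenience, not as the detection.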

In addition, this worm has some specific features. Hybris contains several
(up to 32) components (plugins) in its code and executes them depending on
its needs. The worm's functionality is mostly defined by the plugins. They
are stored in the body of the worm and are encrypted by a very strong crypto
algorithm.

However, the main peculiarity is that Hybris maintains the functionality of
the plugins: it sends its own components to the anti-virus conference
"alt.comp.virus" and downloads from there any upgraded or missing plugins.
The virus components can also be updated by the worm from the author's Web
page, via the Internet. So far, plugins found in the known versions of this
virus and those at the Web site are fairly harmless and do not cause any
direct damage. But, the fact that they can be updated means that they may be
given completely different functions, for example, installing a Trojan horse
backdoor. Although there have previously been some cases when a malicious
program has been updated from the Internet, this is the first time it has
occurred on this scale "in the wild."

"What we have here is perhaps the most complex and refined malicious code in
the history of virus writing," comments Eugene Kaspersky, Head of Company
Anti-Virus Research Center. "Firstly, it is defined by an extremely complex
style of programming. Secondly, all the plugins are encrypted with a very
strong RSA 128-bit crypto-algorithm key. Thirdly, the components themselves
give the virus writer the possibility to modify his creation 'in real time,'
and in fact allow him to control infected computers worldwide."

Protection procedures against the Internet worm Hybris and its versions have
now been added to the anti-virus databases of Kaspersky Anti-Virus (AVP).

Learn more by visiting http://www.kaspersky.com/.

© 1998-2025 BetaNews, Inc. All Rights Reserved.