Heads up, Just received a virus....

From: Rikk Rogers (rkltd@swbell.net)
Date: Tue Nov 21 2000 - 12:07:30 PST

Next message: John Doherty: "RE: M43 Ambulance for sale"
Previous message: pendleto@usit.net: "M-36 truck mount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I missed who it came in from, last 2 came from list members so here it is.

W32.Hybris.Gen, contained in file called Joke.Exe.

Known info:

Technical description <http://www.symantec.com/avcenter/refa.html>:
When the worm attachment is executed, the WSOCK32.DLL file will be modified
or replaced. This will give the worm the ability to attach itself to all
outbound email. The email attachment will have a random name but the
filename extension is either EXE or SCR).

The worm attempts to connect to the newsgroup alt.comp.virus. After it
connects successfully, the worm uploads its own plug-ins in an encrypted
form to this newsgroup. It goes thru the subject header of the messages, and
tries to match a specific format. The subject header will also specify the
version number of the attached plug-in if these plug-ins are indeed present.
If a newer version of plug-ins is found, the worm downloads these modules
and updates its behavior. For example, there are known modules that give the
worm ability to infect compressed files like ZIP.

If WSOCK32.DLL is being used by the system, the worm will be unable to
modify this file. Thus, in this situation, the worm will add a registry key
to one of the following subtrees:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
It will always alternate between these two trees mentioned above as the worm
spreads from one machine to another. The worm hooks on the following exports
on WSOCK32.DLL: send(), recv(), connect(). Whenever a user sends out an
email to a person, the worm will also send out another email to the same
person attaching a copy of itself using a randomly generated filename.
Removal <http://www.symantec.com/avcenter/refa.html>:
Use Norton AntiVirus to repair the infected WSOCK32.DLL. Other files
detected as W32.Hybris contain only the virus body and must be deleted.

Rikk Rogers - RK Lion LTD.
416 S 4th St
Ponca City OK. 74601-5335
(580)762-3157 rkltd@swbell.net
http://home.swbell.net/rkltd/
-M35A2- MVPA -22345-

Next message: John Doherty: "RE: M43 Ambulance for sale"
Previous message: pendleto@usit.net: "M-36 truck mount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sun Dec 03 2000 - 20:29:56 PST