What is Hybris Virus and How Did I Get It?
The Hybris virus is a worm that spreads itself by sending e-mail messages. It is commonly referred to as the "Snow White and the Seven Dwarfs" worm because it spreads via an e-mail that looks similar to the one below:
On 1/11/01 at 7:58 PM Hahaha <hahaha@sexyfun.net> wrote:

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Along with the e-mail comes any one of the following attachments:
anão pornô.scr
atchim.exe
blanca de nieve.scr
blanche.scr
blancheneige.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enanito fisgon.exe
enano porno.exe
enano.exe
joke.exe
midgets.scr
nains.exe
sexy virgin.scr
sexynain.scr
and other similar ones...
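The sender address, the attachment names and the executable attachment types listed above are the indicators a mail gateway can check for. The following is an added example (not part of the original page) that parses a raw RFC 822 message with Python's standard email library and reports which of those indicators it matches; the sample message it builds is constructed here, and its subject line is an assumption, since the page does not give one.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names taken from the list above (lower-cased for comparison).
KNOWN_NAMES = {
    "anão pornô.scr", "atchim.exe", "blanca de nieve.scr", "blanche.scr",
    "blancheneige.exe", "branca de neve.scr", "dunga.scr", "dwarf4you.exe",
    "enanito fisgon.exe", "enano porno.exe", "enano.exe", "joke.exe",
    "midgets.scr", "nains.exe", "sexy virgin.scr", "sexynain.scr",
}
# The worm's attachments are screensaver or program executables.
RISKY_EXTS = (".exe", ".scr")
# Sender address quoted in the sample e-mail above.
SENDER = "hahaha@sexyfun.net"


def hybris_indicators(raw: bytes) -> list[str]:
    """Return the Hybris indicators found in a raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SENDER in str(msg.get("From", "")).lower():
        hits.append(f"sender {SENDER}")
    # iter_attachments() walks only the parts marked as attachments,
    # so inline text bodies are not treated as payloads.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_NAMES:
            hits.append(f"known attachment name {name}")
        elif name.endswith(RISKY_EXTS):
            hits.append(f"executable attachment {name}")
    return hits


def build_sample_message() -> bytes:
    """Constructed sample resembling the worm's e-mail (subject is assumed)."""
    msg = EmailMessage()
    msg["From"] = "Hahaha <hahaha@sexyfun.net>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Snowhite and the Seven Dwarfs"  # assumed, not from the page
    msg.set_content("Today, Snowhite was turning 18...")
    # Placeholder bytes stand in for the worm body; no real sample is embedded.
    msg.add_attachment(b"MZ placeholder (constructed)",
                       maintype="application", subtype="octet-stream",
                       filename="joke.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in hybris_indicators(build_sample_message()):
        print("match:", hit)
```

A clean message with no attachments returns an empty list, so the function can be used as a simple gate in a mail filter: any non-empty result is worth quarantining for review.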
Opening the attachment starts the worm and infects the system. It corrupts WSOCK32.DLL, which must be replaced to repair the damage, and creates some randomly named files in the C:\WINDOWS\SYSTEM directory similar to the ones below:
FEIDGFNI.LOE
QASDFUYT.SGE
WESATESZ.IPG
The worm patches the WSOCK32.DLL file in the Windows\System folder: when it is executed, it modifies WSOCK32.DLL and appends its virus code to it. It then sends e-mails similar to the one at the top of this document.
Signs of infection
Hybris is one of the few worms that can download "plugins". It does this by making NNTP connections to one of a list of news servers and reading the newsgroup alt.comp.virus, where plugins are posted. It can also post any plugins present on an infected system to alt.comp.virus, since the plugins are not transmitted along with the worm via e-mail. Depending on which plugins are on an infected system, you may notice some or all of the following occurring:
- Altered ZIP and RAR archives, where EXE files have been renamed to have an extension of .EX$ and a copy of Hybris has replaced the original filename.
- Scanning of other machines, and infection of machines that have the SubSeven backdoor on them.
- Modification of EXE files on the local system so that they become "droppers" of the worm. This can cause re-infection of a system after you think you have eradicated the worm.
- Display of a black and white "spiral" on the screen on the 59th minute of each hour, starting in 2001.
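The archive tampering described in the first sign above leaves a recognisable trace in the member listing: an .EX$ entry sitting beside an .EXE entry with the same name. The following is an added example, not code from the original page, that inspects a ZIP archive for that pattern using Python's standard zipfile module; it covers ZIP only (RAR needs a third-party reader), and the archive it builds is a constructed sample with placeholder contents.

```python
import io
import sys
import zipfile
from pathlib import PurePosixPath

# Extension the worm gives to the renamed original executable.
RENAMED_EXT = ".ex$"


def suspicious_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (renamed_original, suspected_dropper) pairs found in a ZIP.

    A pair is reported when the archive holds both NAME.EX$ and NAME.EXE:
    the .EX$ file is the original program and the .EXE file standing in
    its place is the suspected copy of the worm.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    by_stem: dict[str, dict[str, str]] = {}
    for name in names:
        # Normalise separators and case so DOS-style entries group correctly.
        path = PurePosixPath(name.replace("\\", "/"))
        stem = path.with_suffix("").as_posix().lower()
        by_stem.setdefault(stem, {})[path.suffix.lower()] = name
    return [(exts[RENAMED_EXT], exts[".exe"])
            for exts in by_stem.values()
            if RENAMED_EXT in exts and ".exe" in exts]


def build_sample_archive() -> bytes:
    """Constructed sample of what a tampered archive's listing looks like."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tools/setup.ex$", b"original program bytes (constructed)")
        zf.writestr("tools/setup.exe", b"placeholder standing in for the worm (constructed)")
        zf.writestr("tools/readme.txt", b"untouched file")
        zf.writestr("clean.exe", b"a program with no .ex$ sibling (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass an archive path to scan it; with no argument the built-in sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    for original, dropper in suspicious_members(data):
        print(f"possible Hybris tampering: {dropper} (original kept as {original})")
```

The check only reads the central directory, so it never extracts or executes anything; a match means the archive should be quarantined and the .EXE member treated as the suspect file.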
Here is a list of known plugins for the virus: HTTP.DAT, NEWS.DAT, AVINET.DAT, ENCR.DAT, PR0N.DAT, SPIRALE.DAT, SUB7.DAT, and DOSEXE.DAT.
How to Remove the Hybris Virus?
Use Spyware Doctor to detect and remove Trojan.Hybris automatically.
Manual Removal:
Because of the nature of the virus and the various plug-ins associated with it, fully manual removal really isn't possible. To clean the virus from an infected system, use the basic game plan below:
- Restore the corrupted WSOCK32.DLL file so that the virus stops sending e-mails and causing havoc and unexpected errors on your computer. Follow the steps below to restore the file on Windows 95 or 98.
To restore WSOCK32.DLL in Windows 95
- Click START MENU|SHUT DOWN and choose RESTART IN MS-DOS MODE.
- Type:
EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or insert your Windows 95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
where D: is your CD-ROM drive.
To restore WSOCK32.DLL in Windows 98
- Click START MENU|RUN, type SFC and click OK.
- Choose "Extract one file from installation disk".
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click START.
- In the "Restore from" box type C:\WINDOWS\OPTIONS\CABS, or browse to the Windows 98 directory on your Windows 98 CD-ROM. The file is usually found in the CAB file named "PRECOPY1.CAB".
- Click OK and follow the remaining prompts.
or
- Click START MENU|SHUT DOWN and choose RESTART IN MS-DOS MODE.
- Type:
EXTRACT /A C:\WINDOWS\OPTIONS\CABS\PRECOPY1.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or insert your Windows 98 CD-ROM and type:
EXTRACT /A D:\WIN98\PRECOPY1.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
where D: is your CD-ROM drive.
- Reboot your computer into Windows, then log onto the Internet, update your current antivirus software, and run a complete scan of all your hard drives. If you do not know which antivirus software can provide strong protection for you, Kaspersky Internet Security is recommended.