Solutions for:
Home Products
Small Business
Medium Business
Enterprise
Vulnerabilities Threats
Home Threats Email-Worm Win32

Email-Worm.Win32.Hybris

Class
Email-Worm
Platform
Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated. Email-Worms use a range of methods to send infected emails. The most common are: using a direct connection to a SMTP server using the email directory built into the worm’s code using MS Outlook services using Windows MAPI functions. Email-Worms use a number of different sources to find email addresses to which infected emails will be sent: the address book in MS Outlook a WAB address database .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses emails in the inbox (some Email-Worms even “reply” to emails found in the inbox) Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description

Technical Details

This is an Internet worm that spreads attached to e-mail messages. The worm works under Win32 systems only. The worm contains components (plugins) in its code that are executed depending on the worm's needs, and these components can be upgraded from an Internet Web site.

The major worm versions are encrypted with a semi-polymorphic encryption loop.

The worm contains the text strings:

HYBRIS
(c) Vecna

The Worm Runs

The main worm target on a computer is the WSOCK32.DLL library. While infecting this file, the worm:

  • writes itself to the end of the last file section
  • hooks "connect", "recv", and "send" functions
  • modifies the DLL entry routine address (a routine that is activated when a DLL file is being loaded) and encrypts the original entry routine

If the worm is not able to infect WSOCK32.DLL (in case it is in use and is locked for writing), the virus creates a copy of that library (a copy of WSOCK32.DLL with random name), infects it and writes a "rename" instruction to WININIT.INI file. As a result, WSOCK32.DLL will be replaced with an infected image upon the next Windows startup.

The worm also creates its copy with a random name in the Windows system directory and registers it in the RunOnce registry key:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce    {Default} = %WinSystem%WormName

or 

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce    {Default} = %WinSystem%WormName

where %WinSystem% is the Windows system directory, and "WormName" is a random eight symbols name, for example:

CCMBOIFM.EXE
LPHBNGAE.EXE
LFPCMOIF.EXE

There is only possible reason for registering an additional worm copy in the "RunOnce" registry key: in case WSOCK32.DLL was not infected during the first worm run, and its infected copy was not created because of some reason, the "RunOnce" worm copy will complete the task upon the next Windows restart.

Infected WSOCK32.DLL

The worm intercepts Windows functions that establish a network connection, including the Internet. The worm intercepts data that are sent and received, and scans them for e-mail addresses. When an address(es) is/are detected, the worm waits for some time and then sends an infected message to that/those address(es).

Plugins

The worm's functionality depends on the plugins that are stored in worm body encrypted with a RSA-like strong crypto algorithm with a 128-bit key. There are up to 32 plugins that can be found in different worm versions. These plugins perform different actions that can be updates from a Web page:

http://pleiku.vietmedia.com/bye/

so the complete worm functionality depends only on its host that is able to upgrade plugins on a Web page. The plugins on a page are encrypted with RSA-like crypto too.

The worm also updates its plugins by the using alt.comp.virus newsgroup. The worm, being active on a machine, connects to a news server (by using one of randomly selected servers - there are more than 70 addresses in the list), converts its plugins to newsgroup messages and posts them there. The Worm's messages have a random-like Subject, for example:

encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
text RFRE rebibmTCDOzGbCjSZ

where first four chores are plugin "name" and following four chores are an encoded plugin "version". As well as sending, the worm reads such messages from alt.comp.virus, obtains the plugin "name" and "version" and compares them with plugins that are currently used by the worm. In case the newsgroup has a message with a higher plugin version, the worm extracts it and replaces the existing one. So the worm uses alt.comp.virus to upgrade its plugins.

The worm also creates these plugins as disk files in the Windows system directory. They also have a random name, but the worm keeps being able to access them. The names may look as follow:

BIBGAHNH.IBG
DACMAPKO.ACM
GAFIBPFM.AFI
IMALADOL.MAL
MALADOLI.ALA

There are several different known plugins that:

1. Infect all ZIP and RAR archives on all available drives from C: till Z:. While infecting, the worm renames EXE files in the archive with a .EX$ extension and adds its copy with a .EXE extension to the archive (companion method of infection).

2. Send messages with encoded plugins to the "alt.comp.virus" neewsgroup, and obtains new plugins from there.

3. Spread virus to remote machines that have a SubSeven backdoor Trojan installed. The plugin detects such machines on the Net, and using SubSeven commands, uploads a worm copy to the machine and spawns it in there.

4. Encrypt worm copies with a polymorphic encryption loop before sending the copy attached to an e-mail.

5. Depending on system date and time (on September 16 and 24, and on 59 minute of each hour starting from year 2001 - in known plugins) the "spirale" effect is run.

The plugin creates random 8-bytes .EXE name in Windows system directory, unpacks "spirale effect" EXE code to there, and registers that file in the system:

under Win9x: in WIN.INI file in [windows] "run=" line under WinNT: in system registry in "Run=" key

6. Affects DOS EXE and Windows PE EXE files. The worm affects them so that they become to be worm droppers. When run they drop worm EXE file to TEMP directory and execute it.

While affecting DOS EXE file the plugin adds dropper code and worm body to the end of the file. These files are disinfectable.

While affecting Windows PE EXE file the plugin overwrites file code section to get a gap for worm code, and writes worm dropper code to that gap (if is has enough size). The plugin doesn't touch file header (including entry point address), and does not increase file size. Moreover, it has a anti-CRC (chechsum) routine that fill special data in plugin code so that file CRC becomes the same for few common used CRC algorithms. That means, that some integrity checkers will not detect changes in affected files: the file length and file body CRC stay the same as on clean file.

When such PE EXE file is run, the dropper code drops and activates the worm, then restores (unpacks) code section and returns control to the host file.

7. Randomly select a Subject, Message text and Attach name while sending the worm copies with e-mail messages:

From:

Hahaha [hahaha@sexyfun.net]

Subjects:

Snowhite and the Seven Dwarfs - The REAL story!

Branca de Neve porn�!

Enanito si, pero con que pedazo!

Les 7 coquir nains

Message texts:

C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aid� 'blanche neige' toutes ces ann�es apr�s qu'elle se soit enfuit de chez sa belle m�re, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentr�s du travail. Mais cette fois ils avaient un air coquin...

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

Faltaba apenas un dia para su aniversario de de 18 aTos. Blanca de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande* sorpresa para su fiesta de compleaTos. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...

Faltava apenas um dia para o seu aniversario de 18 anos. Branca de Neve estava muito feliz e ansiosa, porque os 7 an�es prometeram uma *grande* surpresa. As cinco horas, os an�ezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete an�ezinhos tinham um estranho brilho no olhar...

Attach names:

enano.exe
enano porno.exe
blanca de nieve.scr
enanito fisgon.exe

sexy virgin.scr
joke.exe
midgets.scr
dwarf4you.exe

blancheneige.exe
sexynain.scr
blanche.scr
nains.exe

branca de neve.scr
atchim.exe
dunga.scr
an�o porn�.scr

As well as (depending on the plugin version):

The message Subject is a random combination of:

 Anna             +  sex
 Raquel Darian       sexy
 Xena                hot
 Xuxa                hottest
 Suzete              cum
 famous              cumshot
 celebrity rape      horny
 leather             ... e.t.c.

Attach name:

Anna.exe
Raquel Darian.exe
Xena.exe
Xuxa.exe
Suzete.exe
famous.exe
celebrity rape.exe
leather.exe
sex.exe
sexy.exe
hot.exe
hottest.exe
cum.exe
cumshot.exe
horny.exe
anal.exe
gay.exe
oral.exe
pleasure.exe
asian.exe
lesbians.exe
teens.exe
virgins.exe
boys.exe
girls.exe
SM.exe
sado.exe
cheerleader.exe
orgy.exe
black.exe
blonde.exe
sodomized.exe
hardcore.exe
slut.exe
doggy.exe
suck.exe
messy.exe
kinky.exe
fist-fucking.exe
amateurs.exe

The attached file name may also be a random eight bytes .EXE name, for example:

ADELHHAD.EXE
CFIMMHAG.EXE
DIEOPIDI.EXE
EABLLNEA.EXE
FKPODKFK.EXE
HJEOINHJ.EXE
OGNNFEOG.EXE
PFFCKEPF.EXE

Effect

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Related articles
25 June 2025
Securelist
AI and collaboration tools: how cyberattackers are targeting SMBs in 2025
23 June 2025
Securelist
SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play
11 June 2025
Securelist
Toxic trend: Another malware threat targets DeepSeek
09 June 2025
Securelist
Sleep with one eye open: how Librarian Ghouls steal data by night
06 June 2025
Securelist
Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
05 June 2025
Securelist
IT threat evolution in Q1 2025. Non-mobile statistics
Found an inaccuracy in the description of this vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Found a new Threat or Vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Solutions for
Home Products
Small Business
Medium Business
Enterprise
Select language
Sorting
Threat
Confirm changes?
Your message has been sent successfully.