Hybris

Hybris is a classical wsock32.dll infector. Once installed on a system, usually after a reboot, it uses Winsock to monitor network connections and spreads by e-mailing itself under a name randomly chosen from a list.
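Because Hybris modifies wsock32.dll on disk, a file-integrity baseline of the Winsock libraries is a direct way to detect that kind of infection. The check below is an added illustration, not code from DataRescue or from any Hybris analysis: it records the SHA-256 hash and size of each watched DLL, then reports files that later grow or change. The temporary directory, the inclusion of ws2_32.dll alongside wsock32.dll, and the file contents are constructed for the example; on a real system the baseline would be taken from a known-clean install and stored off-host.

```python
import hashlib
import tempfile
from pathlib import Path

# Winsock libraries to baseline. Assumption: wsock32.dll is the file the page
# names; ws2_32.dll is added here as the other common Winsock DLL.
WATCHED_DLLS = ("wsock32.dll", "ws2_32.dll")


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory, names=WATCHED_DLLS):
    """Record hash and size of each watched DLL present in `directory`."""
    baseline = {}
    for name in names:
        path = Path(directory) / name
        if path.is_file():
            baseline[name] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return baseline


def check_against_baseline(directory, baseline):
    """Return (name, finding) pairs for DLLs that no longer match the baseline."""
    findings = []
    for name, expected in baseline.items():
        path = Path(directory) / name
        if not path.is_file():
            findings.append((name, "missing"))
            continue
        size = path.stat().st_size
        # A classical appending infector grows the host file; check size first
        # because it is cheap, then fall back to the hash for same-size edits.
        if size != expected["size"]:
            findings.append((name, f"size changed {expected['size']} -> {size}"))
        elif sha256_of(path) != expected["sha256"]:
            findings.append((name, "content changed, size unchanged"))
    return findings


def demo():
    """Constructed scenario: a clean directory, then wsock32.dll gets appended to."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp)
        # Constructed stand-ins for the real DLLs (not valid PE files).
        (sysdir / "wsock32.dll").write_bytes(b"MZ" + b"\x00" * 1024)
        (sysdir / "ws2_32.dll").write_bytes(b"MZ" + b"\x01" * 2048)
        baseline = build_baseline(sysdir)
        clean = check_against_baseline(sysdir, baseline)
        # Simulate the effect of an appending infector on the host DLL.
        with open(sysdir / "wsock32.dll", "ab") as fh:
            fh.write(b"CONSTRUCTED-APPENDED-BYTES")
        infected = check_against_baseline(sysdir, baseline)
    return clean, infected


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after modification:", after)
```

The size comparison is deliberately reported separately from the hash mismatch: a grown wsock32.dll is the signature of an appending infector, while a same-size content change points at an in-place patch and deserves a different triage path.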

Here is what a typical Hybris message looks like.

What makes Hybris special is that it is able to update itself by downloading authenticated, encrypted plugins from the Internet, in particular from the alt.comp.virus Usenet newsgroup. In theory, the virus could use these plugins to mutate, acquire new payloads and escape detection. The screen capture below shows a few of those plugins being automatically posted to the alt.comp.virus newsgroup.

Finally, here is what an encrypted Hybris plugin looks like.

Hybris has been reported in the wild in Belgium and Luxembourg.


DataRescue 45 quai de la Dérivation 4020 Liège (Belgium) tel 32-4-3446510 fax 32-4-3446514 Please send us your questions or comments.