LSTOWN-L Archives

LISTSERV List Owners' Forum

Dennis Budd <[log in to unmask]>
Fri, 26 Jan 2001 21:46:44 -0600
On Thu, 25 Jan 2001, Paul Russell wrote:

>The Hybris virus infects one or more network components on Windows 95, 98,
>and NT systems. The infected component is always in use when Windows is
>active, making it difficult to disinfect the system using only anti-virus
>software which runs under Windows. The virus works by intercepting all
>network traffic (email, web, telnet, ftp, etc.) to and from the infected
>system, scanning for strings which appear to be email addresses, and
>sending copies of itself to those addresses. If a list subscriber is using
>an infected machine, copies of the virus might be sent to the list address,
>the list owner address, and any subscriber addresses which appear in email
>messages or in the list archives.
>
>I have seen hundreds of carrier messages for this virus in the past several
>weeks, each with a null envelope sender (return-path) address, a "from"
>address of <[log in to unmask]>, and a subject line and message body which
>make it appear that the message is a lewd joke about Snow White and the
>Seven Dwarfs. While the "from" address, subject line, and message text do
>not change, the filename of the attachment may vary, even on messages sent
>from the same infected system.

Yes, that has been circulating for some time now, and I have gotten
several of these messages, two from infected users on a mailing list
(which had a return-path of the mailing list "bounce" address) and one
from an infected user on this campus (which had a null return-path).

This was different.

The first message was totally blank, with the "From:" changed to
"<listname>-owner" instead of the person whose name is normally
attached to these messages, and no "To:" address at all.  The
return-path was the list "bounce" address.

The second message, the one with the virus (named in this case
"DMCAHBDM.EXE") had a null From: address, a subject address of only
the list's subject tag, and no "To:" address at all.  The return-path
was once again the list "bounce" address.

I will take the listowner's word for it that the attachment was the
Hybris worm, as I am less than enthusiastic about extracting it to my
hard disk in order to test it with my own anti-virus software.  The
base64 code in that message is about the same size as the base64 code
in the other infected messages I've gotten.

The routing headers in the first message were as they always are.  A
close look at the routing headers on the second message leads to the
inescapable conclusion that it was a forgery sent to the list address.
I don't think that the person who actually sends those once-a-week
newsletter messages either lives in Israel or uses an Israeli ISP.

So I think that rather than this worm being inadvertently sent to the
list by an infected listowner, that it was a deliberate attempt to
infect the subscribers of the list by a malicious human being.  For
the worm to do this on its own it would have had to forge the headers
itself.

I think the intent of my first message, to let people know that not
only is this kind of thing possible, but that it in fact happened, is
still relevant.

>
>The null envelope sender address makes it difficult to block these messages
>at the mail server level, unless the mail server is doing virus detection
>or other forms of content filtering, however, the constant "from" address
>can be filtered by LISTSERV, either at the site level or the list level.

This message had no "from" address whatever.  Since, however, I don't
think it was sent directly by the virus, the assumption above is
probably still basically true.

Dennis

>
>Most, if not all, anti-virus software vendors have detailed information
>about the Hybris virus on their web sites.
>
>--
>Paul Russell
>Senior Systems Administrator
>University of Notre Dame
>

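A header-triage script, added here as an example and not part of the thread, that checks one raw message for the indicators the two posts describe: a null Return-Path or one set to the list's "bounce" address, the constant carrier "from" address, a missing "To:" header, and an .EXE attachment. The addresses and the two sample messages are constructed placeholders, since the archive redacts the real ones.

```python
import email

# Placeholders: the real addresses are redacted ("[log in to unmask]") in the archive.
CARRIER_FROM = "hahaha@example.invalid"        # the constant Hybris "from" address
LIST_BOUNCE = "owner-mylist@listserv.example"  # the list's "bounce" address

def triage(raw):
    """Return the indicators from the thread that are present in one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    hits = []
    rp = (msg.get("Return-Path") or "").strip()
    if rp in ("", "<>"):
        hits.append("null envelope sender")                          # Paul's carrier messages
    elif LIST_BOUNCE in rp:
        hits.append("envelope sender is the list bounce address")    # Dennis's forged post
    frm = (msg.get("From") or "").strip()
    if not frm:
        hits.append("empty From header")
    elif CARRIER_FROM in frm.lower():
        hits.append("known carrier From address")                    # filterable by LISTSERV
    if msg.get("To") is None:
        hits.append("no To header")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            hits.append("executable attachment: " + name)
    return hits

# Constructed samples modelled on the headers described in the thread; the base64
# body is just the word "placeholder", not a real attachment.
CARRIER = (
    "Return-Path: <>\n"
    f"From: {CARRIER_FROM}\n"
    "To: subscriber@example.org\n"
    "Subject: Snow White and the Seven Dwarfs\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\njoke text\n"
    '--b1\nContent-Type: application/octet-stream; name="JOKE.EXE"\n'
    "Content-Transfer-Encoding: base64\n\ncGxhY2Vob2xkZXI=\n--b1--\n"
)
FORGED_LIST = (
    f"Return-Path: <{LIST_BOUNCE}>\n"
    "From: \n"
    "Subject: [MYLIST]\n"
    'Content-Type: multipart/mixed; boundary="b2"\n\n'
    '--b2\nContent-Type: application/octet-stream; name="DMCAHBDM.EXE"\n'
    "Content-Transfer-Encoding: base64\n\ncGxhY2Vob2xkZXI=\n--b2--\n"
)
```

Run `triage(CARRIER)` and `triage(FORGED_LIST)` to see which indicators each sample trips; the second sample shows why a filter keyed only on the constant "from" address misses the forged list post.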