On Thu, 25 Jan 2001, Paul Russell wrote:

>The Hybris virus infects one or more network components on Windows 95, 98,
>and NT systems. The infected component is always in use when Windows is
>active, making it difficult to disinfect the system using only anti-virus
>software which runs under Windows. The virus works by intercepting all
>network traffic (email, web, telnet, ftp, etc.) to and from the infected
>system, scanning for strings which appear to be email addresses, and
>sending copies of itself to those addresses. If a list subscriber is using
>an infected machine, copies of the virus might be sent to the list address,
>the list owner address, and any subscriber addresses which appear in email
>messages or in the list archives.
>
>I have seen hundreds of carrier messages for this virus in the past several
>weeks, each with a null envelope sender (return-path) address, a "from"
>address of <[log in to unmask]>, and a subject line and message body which
>make it appear that the message is a lewd joke about Snow White and the
>Seven Dwarfs. While the "from" address, subject line, and message text do
>not change, the filename of the attachment may vary, even on messages sent
>from the same infected system.

Yes, that has been circulating for some time now, and I have gotten several
of these messages, two from infected users on a mailing list (which had a
return-path of the mailing list "bounce" address) and one from an infected
user on this campus (which had a null return-path).

This was different. The first message was totally blank, with the "From:"
changed to "<listname>-owner" instead of the person whose name is normally
attached to these messages, and no "To:" address at all. The return-path was
the list "bounce" address. The second message, the one with the virus (named
in this case "DMCAHBDM.EXE"), had a null From: address, a subject address of
only the list's subject tag, and no "To:" address at all. The return-path was
once again the list "bounce" address.

I will take the listowner's word for it that the attachment was the Hybris
worm, as I am less than enthusiastic about extracting it to my hard disk in
order to test it with my own anti-virus software. The base64 code in that
message is about the same size as the base64 code in the other infected
messages I've gotten.

The routing headers in the first message were as they always are. A close
look at the routing headers on the second message leads to the inescapable
conclusion that it was a forgery sent to the list address. I don't think that
the person who actually sends those once-a-week newsletter messages either
lives in Israel or uses an Israeli ISP. So I think that rather than this worm
being inadvertently sent to the list by an infected listowner, it was a
deliberate attempt to infect the subscribers of the list by a malicious human
being. For the worm to do this on its own it would have had to forge the
headers itself.

I think the intent of my first message, to let people know that not only is
this kind of thing possible, but that it in fact happened, is still relevant.

>The null envelope sender address makes it difficult to block these messages
>at the mail server level, unless the mail server is doing virus detection
>or other forms of content filtering, however, the constant "from" address
>can be filtered by LISTSERV, either at the site level or the list level.

This message had no "from" address whatever. Since, however, I don't think it
was sent directly by the virus, the assumption above is probably still
basically true.

Dennis

>Most, if not all, anti-virus software vendors have detailed information
>about the Hybris virus on their web sites.
>
>--
>Paul Russell
>Senior Systems Administrator
>University of Notre Dame
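The indicators the two posters describe (null envelope sender, a constant worm "from" address, a .EXE attachment whose name varies, a list post with no From:/To:, and a Received: chain that starts somewhere the real sender never posts from) can be checked mechanically on a message's headers. The script below is an added example for this thread, not code from LISTSERV or from either poster. The worm's From: address is masked on the page, so `WORM_FROM` is a placeholder assumption, as are the `example.edu` list host, the `owner-listname` bounce address, the `.example.edu` origin suffix the newsletter sender is assumed to post from, and all three sample messages, which are constructed for the example.

```python
"""Header-indicator check for Hybris-style carrier messages (added example).
All addresses, hosts and messages below are constructed placeholders."""
import re
from email import message_from_string

# Assumption: the constant From: address the worm uses (masked on the page).
WORM_FROM = "worm-from@example.invalid"
# Assumption: the newsletter owner always posts from hosts in this domain.
EXPECTED_ORIGIN_SUFFIX = ".example.edu"

RECEIVED_FROM_RE = re.compile(r"^from\s+([^\s(;]+)", re.IGNORECASE)


def received_hops(msg):
    """'from' host of each Received: header, originating hop first.
    Relays prepend Received:, so the last header is the hop nearest the sender."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.match(" ".join(hdr.split()))
        hops.append(m.group(1).lower() if m else "")
    return list(reversed(hops))


def first_hop(raw):
    hops = received_hops(message_from_string(raw))
    return hops[0] if hops else ""


def exe_attachments(msg):
    """.EXE attachment names; the worm varies the name, so key on the extension."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(".exe")]


def indicators(raw):
    msg = message_from_string(raw)
    found = []
    if msg.get("Return-Path", "").strip() == "<>":
        found.append("null-envelope-sender")
    frm = msg.get("From", "").strip()
    if WORM_FROM in frm.lower():
        found.append("constant-worm-from")
    if not frm:
        found.append("missing-from")
    if not msg.get("To"):
        found.append("missing-to")
    if exe_attachments(msg):
        found.append("exe-attachment")
    hop = first_hop(raw)
    if hop and not hop.endswith(EXPECTED_ORIGIN_SUFFIX):
        found.append("unexpected-origin:" + hop)
    return found


# Constructed sample 1: carrier sent directly by the worm from an infected
# campus PC (null envelope sender, constant From:, varying .EXE name).
WORM_CARRIER = """\
Return-Path: <>
Received: from pc17.dorm.example.edu (pc17.dorm.example.edu [192.0.2.77])
    by listserv.example.edu with SMTP; Thu, 25 Jan 2001 09:59:00 -0500
From: <worm-from@example.invalid>
To: subscriber@example.edu
Subject: Snow White and the Seven Dwarfs
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="QWERTY12.EXE"
Content-Disposition: attachment; filename="QWERTY12.EXE"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed sample 2: the forged list post: bounce address as Return-Path,
# no From:/To:, only the subject tag, first hop outside the sender's network.
FORGED_LIST_POST = """\
Return-Path: <owner-listname@listserv.example.edu>
Received: from listserv.example.edu (listserv.example.edu [192.0.2.10])
    by mail.example.edu with ESMTP; Thu, 25 Jan 2001 10:00:00 -0500
Received: from ppp-42.isp.example.net (ppp-42.isp.example.net [198.51.100.42])
    by listserv.example.edu with SMTP; Thu, 25 Jan 2001 09:58:00 -0500
Subject: [LISTNAME]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/octet-stream; name="DMCAHBDM.EXE"
Content-Disposition: attachment; filename="DMCAHBDM.EXE"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b2--
"""

# Constructed sample 3: the legitimate weekly newsletter.
NEWSLETTER = """\
Return-Path: <owner-listname@listserv.example.edu>
Received: from desk.staff.example.edu (desk.staff.example.edu [192.0.2.5])
    by listserv.example.edu with SMTP; Thu, 25 Jan 2001 08:00:00 -0500
From: editor@example.edu
To: LISTNAME@listserv.example.edu
Subject: [LISTNAME] Weekly newsletter
Content-Type: text/plain

This week's news.
"""

if __name__ == "__main__":
    for name, raw in (("carrier", WORM_CARRIER), ("forged", FORGED_LIST_POST),
                      ("newsletter", NEWSLETTER)):
        print(name, indicators(raw))
```

The origin check only means something for the Received: header written by a relay you trust; anything below the hop your own list server added was supplied by the sender and can be forged just like From: and Return-Path. In the forged sample that trusted line is the one `listserv.example.edu` recorded, which is why the check keys on the earliest hop and why a null Return-Path alone, as Paul Russell notes, is not enough to block these messages at the MTA.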