Security Incidents mailing list archives

Hybris Worm


From: Gilbert Alaverdian <gilbert.a () NEO NET AU>
Date: Sun, 4 Feb 2001 12:18:19 +1100

Howdy,

I also just received a file called AJPIIDAJ.EXE. 
It's 23,040 bytes in size - larger than what Peter Harkins was sent (20,340
- maybe a typo?)

Notice the name of the guy's box that sent it....

--------------------------
X-Persona: <gilbert.a@neo>
Received: from hacker (ppp-171-74.30-151.libero.it [151.30.74.171])
          by xticket (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP
          id IAA00042 for <gilbert.a () neo net au>; Sat, 03 Feb 2001 08:01:46 -0800
Date: Sat, 03 Feb 2001 08:01:46 -0800
Message-Id: <200102031601.IAA00042@xticket>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEJS9Q7KLYBGHYBK5"

Attachment Converted: "c:\temp\AJPIIDAJ.EXE"

--------------------------
Content-Type: multipart/mixed; boundary=" ^èÓ  èÝ  OO¸"
 «OèÉ  ‹$…ÀuPè1   Content-Type: text/plain; charset="us-ascii"

 ^è}  ‹t$èt  f¸
f«èr  è/   Content-Type: application/octet-stream; name=" ^è/  ‹t$Æ ø
è   èR   "
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=" 
--------------------------


Also found these straight from the binary:

MIME-Version: 1.0
RCPT TO:
.EXE
KIEBGFCO HYBRIS
h32.DhWS2_T
RSET
smtp
354
250
http
GetModuleHandleA  KERNEL32.dll
INI hNIT.hWINIT


"Jay D. Dyson" <jdyson () TREACHERY NET> also found the SMTP mailing feature.

Looks more like a worm than a trojan. I'm guessing it was a .vbs file
compiled into an .exe which does the same thing but is used for non-Microsoft
email programs which don't support .vbs extensions.

If anyone would like a copy for further analysis, it's up at

http://www.neo.net.au/ajpiidaj.exe

After writing this, I just found the correct link to F-Secure describing the
worm.
http://www.europe.f-secure.com/v-descs/hybris.shtml

Regards,

Gilbert Alaverdian
Senior Security Consultant
Neo Corporation Pty Limited
http://www.neo.net.au
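The two triage checks the post relies on (pulling printable strings out of the binary to spot the SMTP mailing capability, and noticing that the forwarded Content-Type boundary is stuffed with binary junk) can be scripted. This is an added example, not code from the original post or from any vendor write-up; the indicator list is taken from the strings quoted above, and the sample binary bytes are constructed here.

```python
import re
import string

# RFC 2046 "bchars": a boundary may only use these characters, at most 70 of
# them, and must not end with a space.
BCHARS = set(string.ascii_letters + string.digits + "'()+_,-./:=? ")

# Mailer-related strings the post reports finding in the binary. Short ones
# like "250" and "354" will also hit unrelated numbers, so treat hits as a
# triage lead rather than a verdict.
MAILER_INDICATORS = ["RCPT TO:", "RSET", "smtp", "354", "250", "MIME-Version: 1.0", ".EXE"]

# Constructed stand-in for the attachment: a fake MZ header plus a few of the
# strings listed in the post, separated by NUL bytes.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 8
    + b"KIEBGFCO HYBRIS\x00RCPT TO:\x00RSET\x00smtp\x00354\x00250\x00"
    + b"GetModuleHandleA\x00KERNEL32.dll\x00" + b"\x00" * 4
)

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def mailer_indicators(data: bytes) -> list[str]:
    """Which of the SMTP/mailer indicator strings occur anywhere in the binary."""
    found = extract_strings(data, min_len=3)
    return [ind for ind in MAILER_INDICATORS if any(ind in s for s in found)]

def boundary_is_valid(content_type: str) -> bool:
    """Check the boundary parameter of a Content-Type header against RFC 2046.

    The second boundary in the forwarded headers above fails this: it contains
    bytes outside the bchars set, which is a sign of a hand-rolled MIME writer.
    """
    m = re.search(r'boundary="([^"]*)"', content_type)
    if not m:
        return False
    b = m.group(1)
    return 1 <= len(b) <= 70 and all(c in BCHARS for c in b) and not b.endswith(" ")

if __name__ == "__main__":
    print("indicators:", mailer_indicators(SAMPLE_BINARY))
    print("boundary ok:", boundary_is_valid('multipart/mixed; boundary="--VEJS9Q7KLYBGHYBK5"'))
```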

