Information Security News mailing list archives

"Low risk" worm could squirm into trouble


From: William Knowles <wk () C4I ORG>
Date: Thu, 16 Nov 2000 15:14:19 -0600

http://news.cnet.com/news/0-1005-200-3726171.html?tag=st.ne.1002.thed.ni

By Paul Festa
Staff Writer, CNET News.com
November 16, 2000, 11:35 a.m. PT

Is it a worm or a chameleon?

Antivirus companies say a worm called Hybris carries no destructive
payload and is relatively harmless. But because it is written so that
it can update itself as it spreads, some caution that it could still
prove to be a menace.

The worm comes as an email attachment that, when opened, replaces a
file on the recipient's computer called "WSOCK32.DLL," a dynamic-link
library. DLLs are files that application programmers use to share
code among various Windows applications. Once it has replaced the DLL,
Hybris monitors outgoing email and distributes copies of itself to
recipients, randomly generating the name of the attached payload.

The worm's chameleon-like nature stems from its ability to download
encrypted components from the Internet in a method first introduced by
the W95/Babylonia worm, according to antivirus company McAfee.
Babylonia is a Brazilian virus discovered last year after it was
posted to a newsgroup in the guise of a help file, which also
downloaded components from the Internet.

The Web site where those components originated was quickly shut down,
according to McAfee.

Hybris is updating its components from the "alt.comp.virus" newsgroup,
as well as from a Web site, antivirus company Kaspersky Lab wrote in
an alert.

Kaspersky warned that the replacement of certain components could turn
Hybris from harmless to hazardous.

"What we have here is perhaps the most complex and refined malicious
code in the history of virus writing," Eugene Kaspersky, the head of
Kaspersky Lab, said in a statement. "Firstly, it is defined by an
extremely complex style of programming. Secondly, all the plugins are
encrypted with very strong RSA 128-bit crypto-algorithm key. Thirdly,
the components themselves give the virus writer the possibility to
modify his creation 'in real time,' and in fact allow him to control
infected computers worldwide."

But security experts said that Hybris' technical edge might not
guarantee it any success in the wild.

"A high degree of sophistication does not necessarily make a virus
successful," Elias Levy, analyst at SecurityFocus.com, wrote in an
email interview. "Many dumb viruses have caused more damage than the
really technically interesting articles. There are many factors that
determine whether a worm/virus is successful and we don't know what
they all are."

McAfee recommended that people delete unexpected attachments to
prevent further spread of the worm, which it rated "low risk."

According to antivirus firm Trend Micro, which also rated Hybris "low
risk," the infected message reads: "Today, Snowhite was turning 18.
The 7 Dwarfs always where very educated and polite with Snowhite. When
they go out work at mornign, they promissed a *huge* surprise.
Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs
enter..." (sic)

Kaspersky said reports of Hybris had stepped up since its discovery in
September, particularly in Latin America, and to a lesser extent in
Europe as well.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com