|
| Name: | Hybris |
| Aliases: | TROJ_HYBRIS, I-Worm.Hybris, Hybris 1435, W32/Hybris@M, TROJ_HYBRIS.1435, Win32.Hybris.Gen, Hybris.A, W32/Hybris-B, W32.Hybris.22528.dr, Snowhite, W32/Hybris-Drop, |
| Ports: | 25 |
| Files: | Dwarf4you.exe - 23,040 bytes Midgets.scr - 23,040 bytes Anoafpan.exe - 23,040 bytes Fidgfnik.exe - 23,040 bytes Blanche.scr - 23,040 bytes Sexy virgin.scr - 23,040 bytes Wininit.ini - Wsock32.dll - "any file".ex$ - - 28,672 bytes |
| Created: | Sept 2000 |
| Requires: | N/A |
| Actions: | Worm / Virus / Mail trojan |
| | The worm patches Wsock32.dll. Hybris spreads to every address in Outlook. It always check the language version on the computer and is able to use messages in English, French, Spanish and Portuguese. When spread, the worm changes the name of the .exe file to another 8 characters. It exists at least 32 different plug-ins giving the worm various functions. The plug-ins are encrypted using an asymmetric 128-bit key algarythm and are downloaded från the newsgroup alt.comp.virus together with new encrypted instructions. One of the plug-ins makes Hybris to search for SubSeven infected computers on the Internet and infect them. The worm also probes into .zip and .rar archives, names .exe files to .ex$ and copies itself into the archive using the altered file´s name. |
| Versions: | A, B, C, D, |
| Registers: | HLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_CU RRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ |
| Notes: | Works on Windows 95, 98 and NT, together with MS Outlook. |
| Country: | written in Brazil |
| Program: | N/A |
 Using the Process Monitor from AATools, you will see whether any foreign
programs are running on your computer. If you find some unwanted program, you
can terminate it by clicking the 'Terminate Process' button on the Toolbar.
Using the AATools Network Monitor, you can see what ports are in use on
your local PC for connection with remote systems (LAN/Internet). On Windows
NT/2000/XP the Network Monitor will display you the services that are active on
the ports, and map the ports to their respective applications. If you register
port probes directed against ports that are normally not used, it is possible
that someone is trying to connect to a Trojan inside your network. Using the
Registry Cleaner (Startup section) from AATools, you will see
the list of programs that are registered under Run, RunOnce, RunOnceEx and
RunService registry keys. So you can find out what programs are started behind
your back. You should check these programs to see they are legitimate ones but
not Trojans programs.
0-C | D-H | I-N
| O-S | T-Z
If you have any questions or information about ports used by Trojans not
listed above, please contact us. |
