VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From: Peter Altschul <[log in to unmask]>
Reply To: Peter Altschul <[log in to unmask]>
Date: Fri, 12 Jan 2001 23:52:05 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (131 lines)

FYI.

+== acb-l Message from "Brice mijares" <[log in to unmask]> ==+
Hybris virus: Sleeper hit of 2001
Computer worm shows no signs of slowing down
By Robert Lemos ZDNN
Jan. 11 - Hybris, a computer worm that uses encrypted plug-ins to update itself, could be the sleeper hit of 2001, anti-virus experts say.
       "It's not a fast mailer or a mass mailer. It's slow and subtle," said Roger Thompson, technical director of malicious-code research for security firm TruSecure. But "slow and steady wins the race."
       The spread of most computer worms tends to spike quickly and just as quickly die out. But the 3-month-old Hybris worm shows no sign of dying anytime soon, Thompson said.
       He compared the virus to Happy99.exe, also known as Win32/Ska, a malicious program that started spreading in January 1999 and remained a threat to the unwary for more than a year.
       Like Happy99, the Hybris worm spreads by monitoring a PC's network connection for e-mail messages. When a message is detected, the worm will add the addresses found in the e-mail's header to a list. Later, Hybris selects destinations from the list to which it sends copies of itself.
       Instead of the avalanche of e-mail messages created by viruses such as Melissa and LoveLetter, Hybris produces a steady trickle of virulent e-mail, making it less noticeable.
       Another point in the worm's favor: It's written as a 32-bit Windows program, not in a scripting language as was LoveLetter or Melissa, said Vincent Gullotto, director of the anti-virus emergency research team at security firm Network Associates.
       "It is a hard one to kill, like most Win32 infectors," he said. "Anything that uses Win32 infects the PC very quickly. It can infect hundreds of files in a matter of seconds."
       Hybris' combination of slow spread and fast infection seems to have worked.
       First detected in October 2000, the worm has remained on the top-10 list of worldwide infectors, according to statistics from Trend Micro's Worldwide Virus Tracking page. For the past week, the virus has been rated as the No. 4 most prevalent virus in the United States, as measured by the number of PCs infected, and No. 9 worldwide.
       While Trend's statistics only take into account a small percentage of incidences worldwide, it is one of the few quantitative gauges of virus activity.
DANGEROUS PLUG-INS
       One factor that hasn't helped Hybris spread itself widely is its use of encrypted plug-ins, anti-virus experts said.
       Like the Babylonia, LoveLetter and MTX viruses, the Hybris virus can access information across the Internet - in this case, from the alt.comp.virus Usenet group - and modify itself. That makes it different from the other viruses, said Nick FitzGerald, a New Zealand-based security consultant and virus researcher.
       "Hybris changes shape by finding and incorporating different extensions into its code and mailing that new form to other potential victims," he said.
       Typically, the anti-virus community would shut down the site that hosted such plug-ins, but because their own newsgroup is being used to publish the code, they can't shut it down without hurting their own ability to fight viruses.
       Anti-virus experts believe the author of the virus is the same one who created the Babylonia virus, a concept virus that "phoned home" to a Japanese Web site known as the Source of Chaos and updated itself using files found on the site.
       The name of the author, known as Vecna, appeared in a copyright notice in Hybris. Security firm Aladdin Knowledge Systems announced on Tuesday that they had proof that the virus had been created by the so-called VX-Brazil group. They claim that Vecna is a member of that group.
       Hybris' ability to change how it works and its signature makes the worm potentially very dangerous.
       Depending on which plug-ins it downloads, the worm could morph into a backdoor through a PC's security or into a malicious program that corrupts data. At present, at least eight plug-ins are known to exist.
       "At some point, (the writer) could easily have control of a large number of PCs," said TruSecure's Thompson, who added that companies don't have much to worry about, as their network administrators usually update virus definitions often enough to keep up with any changes to Hybris.
       Home computer users need to update their virus scanners frequently and treat e-mail attachments with suspicion, he said.
© 2001 ZD Inc. All Rights Reserved. ZDNet and ZDNet logo are registered trademarks of ZD Inc. © 2000 Ziff Davis Media. All Rights Reserved.



************************************************************
* ACB-L is maintained and brought to you as a service      *
* of the American Council of the Blind.                    *
************************************************************ 


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

