LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] [ot] Anti-virus question regarding Hybris worm

[ILUG] [ot] Anti-virus question regarding Hybris worm

Justin Mason jm at jmason.org
Thu Nov 16 16:39:03 GMT 2000 

This is marginally Linux-related.  In fact it's more sysadmin-related than
Linux...  anyway, take a read of this:

http://www.sophos.com/virusinfo/analyses/w32hybrisc.html 

  W32/Hybris is a worm capable of updating its functionality over the
  internet. 

  It consists of a base part and a collection of upgradeable components. The
  components are stored within the worm body encrypted with 128-bit strong
  cryptography. 

  When run, the worm infects wsock32.dll. Whenever an email is sent, the
  worm attempts to send a copy of itself in a separate message to the same
  recipient. 

  The text of the email message is determined by one of the installed
  components, and hence can be changed by the upgrading mechanism detailed
  below. 

  The methods for upgrading the worm can also be changed as they are also
  upgradable components. At the time of writing, two have been seen. 

  One of the upgrading techniques attempts to download the encrypted
  components from a website which is presumably operated by the worm author.
  This website has since been disabled. However, this component could be
  upgraded to have a different web address. 

  The other method involves posting its current plug-ins to the usenet
  newsgroup alt.comp.virus, and upgrading them from other posts by other
  infections of the worm. These are again in the encrypted form, and have a
  header with a four character identifier and a four character version
  number, in order for the worm to know which plug-ins to install. 

  [...]

So my question is -- how does it access news?  Any simple way to block the
automatic updates (if it gets through) apart from killing port 119?

--j.

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell