This is marginally Linux-related. In fact it's more sysadmin-related than
Linux... anyway, take a read of this:
W32/Hybris is a worm capable of updating its functionality over the
It consists of a base part and a collection of upgradeable components. The
components are stored within the worm body encrypted with 128-bit strong
When run, the worm infects wsock32.dll. Whenever an email is sent, the
worm attempts to send a copy of itself in a separate message to the same
The text of the email message is determined by one of the installed
components, and hence can be changed by the upgrading mechanism detailed
The methods for upgrading the worm can also be changed as they are also
upgradable components. At the time of writing, two have been seen.
One of the upgrading techniques attempts to download the encrypted
components from a website which is presumably operated by the worm author.
This website has since been disabled. However, this component could be
upgraded to have a different web address.
The other method involves posting its current plug-ins to the usenet
newsgroup alt.comp.virus, and upgrading them from other posts by other
infections of the worm. These are again in the encrypted form, and have a
header with a four character identifier and a four character version
number, in order for the worm to know which plug-ins to install.
So my question is -- how does it access news? Any simple way to block the
automatic updates (if it gets through) apart from killing port 119?
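Usenet posting and reading normally means NNTP on TCP 119, which is what "killing port 119" would cut off. As an added example (not part of the original post, and not code from any AV vendor), here is an application-layer check that fits the behaviour described above: given a captured NNTP session log, it flags clients that select alt.comp.virus and fetch articles from it, and clients that POST an article whose Newsgroups header names that group. The log line format ("<client-ip> C: ..." for client-sent lines, "<client-ip> S: ..." for server replies) and the sample session are constructed for this example; the worm's own plug-in header (the four-character identifier and version) is not parsed here, since the description gives no more of its layout than that.

```python
"""Flag NNTP clients that read from or post to a watched newsgroup.

Added example for the W32/Hybris thread; the log format below is an
assumption made for this example, not a real tool's output.
"""
import re
from collections import defaultdict

WATCHED_GROUP = "alt.comp.virus"

# Constructed sample session log: 10.0.0.5 reads the watched group,
# 10.0.0.7 posts an article to it, 10.0.0.9 uses news normally.
SAMPLE_LOG = """\
10.0.0.5 S: 200 news.example.net NNRP server ready (posting ok)
10.0.0.5 C: GROUP alt.comp.virus
10.0.0.5 S: 211 1240 900 2140 alt.comp.virus
10.0.0.5 C: XOVER 900-2140
10.0.0.5 C: BODY 2137
10.0.0.5 S: 222 2137 <x1@news.example.net> body follows
10.0.0.7 C: POST
10.0.0.7 S: 340 Ok, recommended ID <x2@news.example.net>
10.0.0.7 C: Newsgroups: alt.comp.virus
10.0.0.7 C: Subject: Re: new plugin
10.0.0.7 C:
10.0.0.7 C: begin 644 plugin.dat
10.0.0.7 C: .
10.0.0.7 S: 240 Article posted
10.0.0.9 C: GROUP comp.os.linux.misc
10.0.0.9 S: 211 50 1 50 comp.os.linux.misc
"""

# "<ip> C: text" or "<ip> S: text"; the text may be empty (blank article line).
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<dir>[CS]):\s?(?P<text>.*)$")
# Commands that retrieve article data from the currently selected group.
FETCH_CMDS = {"ARTICLE", "BODY", "HEAD", "STAT", "XOVER", "XHDR"}


def analyse(log_text, watched=WATCHED_GROUP):
    """Return {client_ip: set of 'read' / 'post'} for clients touching `watched`."""
    findings = defaultdict(set)
    group = {}    # ip -> newsgroup currently selected with GROUP
    posting = {}  # ip -> None | "await" (POST sent) | "headers" | "body"
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ip, direction, text = m.group("ip"), m.group("dir"), m.group("text")
        if direction == "S":
            # 340 is the server inviting the article text after POST.
            if text.startswith("340") and posting.get(ip) == "await":
                posting[ip] = "headers"
            continue
        state = posting.get(ip)
        if state in ("headers", "body"):
            if text == ".":                      # lone dot ends the article
                posting[ip] = None
            elif state == "headers":
                if text == "":                   # blank line ends the headers
                    posting[ip] = "body"
                elif text.lower().startswith("newsgroups:"):
                    groups = [g.strip().lower()
                              for g in text.split(":", 1)[1].split(",")]
                    if watched in groups:
                        findings[ip].add("post")
            continue
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "GROUP":
            group[ip] = arg.strip().lower()
        elif cmd == "POST":
            posting[ip] = "await"
        elif cmd in FETCH_CMDS and group.get(ip) == watched:
            findings[ip].add("read")
    return dict(findings)


if __name__ == "__main__":
    for ip, actions in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(actions))} {WATCHED_GROUP}")
```

This only works where the NNTP traffic passes a point you can log (a news proxy or an IDS tap); it tells you which machines are infected, which a plain port-119 block does not. Blocking outbound 119 at the firewall stops the newsgroup update path outright, but the description above says the upgrade methods are themselves replaceable components, so either measure should be treated as stopping the currently observed behaviour, not the worm.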