Virus

W32/Hybris.D@mm

Analysis

  • The virus is a 32-bit Windows executable, 25,088 bytes in size, and compressed
  • When executed, the virus copies itself under a randomly assigned name to the Windows\System folder and modifies the registry so that this file is loaded at Windows startup
  • The virus attempts to patch WSOCK32.DLL so that it can monitor email retrieval and sending events, collect email addresses from that traffic, and send a copy of itself to the recipients it has recorded
  • The virus can monitor a newsgroup feed for binary updates or patches that alter its code and functionality; these feeds are no longer being posted
  • The virus can also retrieve update patches from Internet web sites associated with its author, which likewise alter its code and functionality; these updates are no longer available
  • The virus arrives as an attachment sent from infected users, most commonly in this format -

    From: hahaha@sexyfun.net
    Subject: Snow White and the Seven Dwarfs - The REAL Story!
    Attachment: dwarf4you.exe

    *The email content depends on the language of the host operating system.

  • The virus contains the string -
    "HYBRIS"
    near the top of an infected file
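
The indicators listed above (file size, the "HYBRIS" string near the top of the file, and the sender/attachment names of the lure email) can be turned into a simple triage scan. The following Python script is an added example written for this page; it is not Fortinet's code and not part of the original entry. It assumes that "near the top" means within the first 4 KiB of the file, and it builds its own constructed sample files, none of which are real malware, so that it runs offline.

```python
import os
import tempfile

# Indicators taken from the analysis above.
HYBRIS_MARKER = b"HYBRIS"          # string carried near the top of an infected file
HYBRIS_SIZE = 25088                # reported size of the W32/Hybris.D@mm file
LURE_SENDER = "hahaha@sexyfun.net"
LURE_ATTACHMENT = "dwarf4you.exe"
# Assumption (not stated on the page): "near the top" is taken to mean
# within the first 4 KiB of the file.
HEADER_WINDOW = 4096


def inspect_file(path):
    """Return the list of Hybris indicators that match one file."""
    hits = []
    if os.path.getsize(path) == HYBRIS_SIZE:
        hits.append("size")
    with open(path, "rb") as fh:
        head = fh.read(HEADER_WINDOW)
    if HYBRIS_MARKER in head:
        hits.append("marker")
    return hits


def scan_directory(root):
    """Walk root and return {path: indicators} for every file with at least one hit."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = inspect_file(path)
            if hits:
                findings[path] = hits
    return findings


def summarize(findings):
    """Re-key a scan result by file name for reporting."""
    return {os.path.basename(path): hits for path, hits in findings.items()}


def is_hybris_lure(headers):
    """True if the From address or attachment name matches the lure.

    The subject line is language-dependent, so it is deliberately not used
    as the deciding indicator.
    """
    sender = headers.get("From", "").strip().lower()
    attachment = headers.get("Attachment", "").strip().lower()
    return sender == LURE_SENDER or attachment == LURE_ATTACHMENT


def build_sample_dir():
    """Create a temporary directory of constructed files for a demonstration run.

    None of these files is real malware; they only carry the indicators.
    """
    root = tempfile.mkdtemp(prefix="hybris_demo_")
    # Constructed: both indicators (marker at offset 100, padded to 25,088 bytes).
    both = b"MZ" + b"\x00" * 98 + HYBRIS_MARKER
    both += b"\x00" * (HYBRIS_SIZE - len(both))
    with open(os.path.join(root, "both.exe"), "wb") as fh:
        fh.write(both)
    # Constructed: marker only, at a different size.
    with open(os.path.join(root, "marker_only.bin"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 10 + HYBRIS_MARKER + b"\x00" * 500)
    # Constructed: file of the matching size but with no marker (size alone is weak).
    with open(os.path.join(root, "clean.dat"), "wb") as fh:
        fh.write(b"A" * HYBRIS_SIZE)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    return root


if __name__ == "__main__":
    demo = build_sample_dir()
    for name, hits in sorted(summarize(scan_directory(demo)).items()):
        print(name, hits)
    print(is_hybris_lure({"From": LURE_SENDER,
                          "Subject": "Snow White and the Seven Dwarfs - The REAL Story!",
                          "Attachment": LURE_ATTACHMENT}))
```

Pointing scan_directory at the Windows\System folder would check the location the virus copies itself to; a file reporting only "size" is a weak hit, while the "marker" hit is the indicator the entry actually describes.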

Recommended Action

Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.