PC Hell: Hybris Trojan Virus Removal Help

Hybris Virus Information and Removal Help
"Snowhite and the Seven Dwarfs virus"

What is Hybris Virus and How Did I Get It?

The Hybris virus is a worm that spreads itself by sending e-mail messages. Its commonly referred to as the "Snow White and the Seven Dwarfs" worm because it spreads via an email looking similar to the one below:

On 1/11/01 at 7:58 PM Hahaha <hahaha@sexyfun.net> wrote:

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

Along with the email are any of the following attachments:

anão pornô.scr
atchim.exe
blanca de nieve.scr
blanche.scr
blancheneige.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enanito fisgon.exe
enano porno.exe
enano.exe
joke.exe
midgets.scr
nains.exe
sexy virgin.scr
sexynain.scr
and other similar ones...

Opening the attachment, starts the worm and infects the system. It corrupts WSOCK32.DLL, which needs to be replaced to repair the damage, and creates some randomly named files in the C:\WINDOWS\SYSTEM directory similar to the ones below:

FEIDGFNI.LOE
QASDFUYT.SGE
WESATESZ.IPG

This worm patches the WSOCK32.DLL file in the Windows\System folder. When it is executed, it modifies the WSOCK32.DLL file and adds its virus code onto it. Then it sends emails similar to the ones at the top of this document.

How to avoid infection

The worm infects WSOCK32.DLL and when an e-mail is sent, also sends a seperate e-mail with the From: header that reads "Hahaha <hahaha@sexyfun.net>", and places the worm as an attachment to the message. As usual, DO NOT execute that file! Just delete it!

Signs of infection

Hyris is one of the few worms that can download "plugins". It does this by making NNTP connections to one of a list of news servers in a list, and reading the newsgroup alt.comp.virus, where plugins are posted. It can also post any plugins on an infected system to alt.comp.virus, as the plugins are not transmitted along with the worm via e-mail.

Depending on what plugins are on an infected system, you may notice some or all of the following occuring:

Altered ZIP and RAR archives where EXE files have been renamed to have an extension of .EX$, and a copy of Hybris replacing the original filename.

Scanning other machines, and infecting machines that have the SubSeven backdoor on them.

Affecting EXE files on the local system so that they become "droppers" of the worm. This can cause re-infection of a system after you think you have eradicated the worm.

Display a back and white "spiral" on the screen on the 59th minute of each hour, starting in 2001.

Here is a list of known plugins for the virus:

HTTP.DAT, NEWS.DAT, AVINET.DAT, ENCR.DAT, PR0N.DAT, SPIRALE.DAT , SUB7.DAT, AND DOSEXE.DAT.

How to Clean/Delete the Hybris Virus?

Because of the nature of the virus and the various plug-ins associated with the virus, manual removal of it really isn't possible. To clean the virus from an infected system. Use this basic gameplan below:

First, restore the corrupted WSOCK32.DLL file so that the virus stops sending emails and causing havoc and unexpected errors in your computer. Follow the steps below to restore the file from Windows 95 or 98

To restore WSOCK32.DLL in Windows 95

Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE.
Type:
EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
Insert your Windows 95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
Where D: is your CD-ROM drive

To restore WSOCK32.DLL in Windows 98

Click the START MENU|RUN, type SFC and click OK.
Choose Extract One File from the installation disk
Type: C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click START.
In the Restore From box type C:\WINDOWS\OPTIONS\CABS or browse the Windows 98 directory on your Windows 98 CD-ROM. This is usually found on the CAB file named "PRECOPY1.CAB"
Click OK and follow remaining prompts.

Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE.
Type:
EXTRACT /A C:\WINDOWS\OPTIONS\CABS\PRECOPY1.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
Insert your Windows 98 CD-ROM and type:
EXTRACT /A D:\WIN98\PRECOPY1.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
Where D: is your CD-ROM drive

Next, reboot your computer into Windows and do one of the following:

Log onto the Internet, update your current antivirus software, and run a complete scan of all your hard drives

Log onto the Internet and run an online virus check of your complete system. You can find an excellent online antivirus scanner at the Trend Micro Housecall site listed below. Although this may be the quickest way to clean the system, please purchase antivirus software and install it on your system to remain uninfected. Remember, you are only as safe as your current antivirus update.

Click Here to go to
Trend Micro's Housecall
Online Virus Scanner