Hybris virus: Sleeper hit of 2001

The 3-month-old computer worm that uses encrypted plug-ins to update itself is showing unusual staying power. Experts say it could be the year's worst worm

Hybris, a computer worm that uses encrypted plug-ins to update itself, could be the sleeper hit of 2001, antivirus experts say.

"It's not a fast mailer or a mass mailer. It's slow and subtle," said Roger Thompson, technical director of malicious code research for security firm TruSecure. But "slow and steady wins the race".

The spread of most computer worms tends to spike quickly and just as quickly die out. But the 3-month-old Hybris worm shows no sign of dying anytime soon, Thompson said.

He compared the virus to Happy99.exe, also known as Win32/Ska, a malicious program that started spreading in January 1999 and remained a threat to the unwary for more than a year.

Like Happy99, the Hybris worm spreads by monitoring a PC's network connection for email messages. When a message is detected, the worm will add the addresses found in the email's header to a list. Later, Hybris selects destinations from the list to which it sends copies of itself.

Instead of the avalanche of email messages created by viruses such as Melissa and LoveLetter, Hybris produces a steady trickle of virulent email, making it less noticeable.

Another point in the worm's favor: It's written as a 32-bit Windows program, not in a scripting language as was LoveLetter or Melissa, said Vincent Gullotto, director of the anti-virus emergency research team at security firm Network Associates.

"It is a hard one to kill, like most Win32 infectors," he said. "Anything that uses Win32 infects the PC very quickly. It can infect hundreds of files in a matter of seconds."

Hybris' combination of slow spread and fast infection seems to have worked.

First detected in October 2000, the worm has remained on the top ten list of worldwide infectors, according to statistics from Trend Micro's Worldwide Virus Tracking page. For the past week, the virus has been rated as the number four most prevalent virus in the United States, as measured by the number of PCs infected, and number nine worldwide.

While Trend's statistics only take into account a small percentage of incidences worldwide, it is one of the few quantitative gauges of virus activity.

One factor that hasn't helped Hybris spread itself widely is its use of encrypted plug-ins, antivirus experts said.

Like the Babylonia, LoveLetter and MTX viruses, the Hybris virus can access information across the Internet -- in this case, from the alt.comp.virus Usenet group--and modify itself. That makes it different from the other viruses, said Nick FitzGerald, a New Zealand-based security consultant and virus researcher.

"Hybris changes shape by finding and incorporating different extensions into its code and mailing that new form to other potential victims," he said.

Typically, the antivirus community would shut down the site that hosted such plug-ins, but because their own newsgroup is being used to publish the code, they can't shut it down without hurting their own ability to fight viruses.

Antivirus experts believe the author of the virus is the same one who created the Babylonia virus, a concept virus that "phoned home" to a Japanese Web site known as the Source of Chaos and updated itself using files found on the site.

The name of the author, known as Vecna, appeared in a copyright notice in Hybris. Security firm Aladdin Knowledge Systems announced on Tuesday that they had proof that the virus had been created by the so-called VX-Brazil group. They claim that Vecna is a member of that group.

Hybris' ability to change how it works and its signature makes the worm potentially very dangerous.

Depending on which plug-ins it downloads, the worm could morph into a backdoor through a PC's security or into a malicious program that corrupts data. At present, at least eight plug-ins are known to exist.

"At some point, [the writer] could easily have control of a large number of PCs," said TruSecure's Thompson, who added that companies don't have much to worry about, as their network administrators usually update virus definitions often enough to keep up with any changes to Hybris.

Home computer users need to update their virus scanners frequently and treat email attachments with suspicion, he said.

Take me to the Virus Workshop

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.