About Hybris
Also known as: dwarf4you.exe, Snowhite and the Seven Dwarfs, TROJ_HYBRIS.A, W32/Hybris.dll@M, W32/Hybris.plugin@M, W95.Hybris.Gen.dr, W95/Hybris.worm, Win98.Vecna.23040
This worm will be received in an email message which may contain the following information:
From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe
When first executed, this worm tries to infect the WSOCK32.DLL file in the WINDOWS\SYSTEM directory. First it tries to infect the WSOCK32.DLL file directly. If it fails because the file is already in use, it creates an infected copy of WSOCK32.DLL in a new file. This new file goes by an extensionless filename made up of 8 random characters. A line is then created in the WININIT.INI file to rename this newly created file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change takes place the next time the system is booted. A registry value under Software\Microsoft\Windows\CurrentVersion\RunOnce\(default) is also created to run the worm at the next bootup, in case the previous attempts to infect WSOCK32.DLL fail.
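The two persistence steps described above (the WININIT.INI rename entry and the RunOnce default value) can be checked for from a clean boot environment. The following is an added example, not part of the original advisory; the WININIT.INI content is constructed, and the 8-character name KQJXPLRT stands in for the worm's random filename.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample WININIT.INI (not captured from a real infection). The worm's
# entry is the one whose destination is WSOCK32.DLL and whose source has no extension.
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\~DF1234.TMP
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\KQJXPLRT
C:\\WINDOWS\\SYSTEM\\MSVCRT.DLL=C:\\WINDOWS\\SYSTEM\\MSVCRT.DLL.NEW
"""

# Extensionless filename of exactly 8 alphanumeric characters, as the advisory describes.
RANDOM_8 = re.compile(r"^[A-Za-z0-9]{8}$")


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    WININIT.INI entries are written destination=source; a destination of NUL
    means the source file is deleted at boot. Parsed by hand because
    configparser would treat the ':' in drive letters as a key delimiter."""
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dst, src = line.split("=", 1)
            pairs.append((dst.strip(), src.strip()))
    return pairs


def suspicious_renames(text):
    """Flag renames that overwrite WSOCK32.DLL from an extensionless 8-character file."""
    hits = []
    for dst, src in parse_rename_section(text):
        if PureWindowsPath(dst).name.upper() == "WSOCK32.DLL" \
                and RANDOM_8.match(PureWindowsPath(src).name):
            hits.append((dst, src))
    return hits


def runonce_default_suspicious(runonce_values):
    """runonce_values maps value name -> data under the RunOnce key, with the unnamed
    (default) value keyed by "" as winreg reports it. A non-empty default value is the
    fallback persistence described above; return it, or None if it is unset."""
    data = runonce_values.get("", "")
    return data if data.strip() else None
```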
Removal Instructions
Hybris can be detected and removed AUTOMATICALLY by SpyEraser. Also, it can be detected and removed by McAfee VirusScan.
Windows 95/98 systems require rebooting to MS-DOS mode and scanning with the command line scanner SCANPM in order to clean such files as EXPLORER.EXE and TASKMON.EXE. Use the command line scanner with a command such as "SCANPM.EXE C: /CLEAN /ALL".
The WSOCK32.DLL file can be restored from backup. This can be done by using SFC to recover WSOCK32.DLL, following the instructions below for Windows 98/ME.
Windows 98/ME
- (Win98 only) Click the START MENU|RUN, type SFC and click OK. Choose Extract one file from the installation disk
- (WinME only) Click the START MENU|RUN, type MSCONFIG and click OK. Click the EXTRACT FILE... button
(Both Win98/ME)
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 (or WinME) directory on your Windows CD-ROM
- Click OK and follow the remaining prompts
The Wsock32.dll file is contained in the Precopy1.cab cabinet file on the Windows CD-ROM.
Windows 95
WSOCK32.DLL can be found in the following CAB files:
Win95_11.cab on the Windows 95 CD-ROM
Win95_18.cab on the Windows 95 OSR2 CD-ROM
Win95_12.cab on the Windows 95 DMF disks
Win95_19.cab on the Windows 95 non-DMF disks
Below is an example for standard Windows 95:
- Click the START MENU|SHUT DOWN and choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows 95 CD-ROM and type: EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
Where D: is your CD-ROM drive.
Windows NT/2000
Rename the Wsock32.dll file in the Winnt\System32 folder to Wsock32.old.
For information about how to rename a file, click Start, click Help, click the Index tab, type renaming, and then double-click the ''Renaming files'' topic.
Click Start, point to Programs, and then click Command Prompt.
Type cd\, and then press ENTER.
Insert the Windows CD-ROM into the CD-ROM drive, and then close the Startup Screen if it appears.
Type the following line at the command prompt, and then press ENTER:
expand <drive>:\i386\wsock32.dl_ c:\<winnt>\system32\wsock32.dll
where <drive> is the drive letter assigned to your CD-ROM drive, and <winnt> is the name of the folder in which Windows is installed.
Type exit, and then press ENTER to return to Windows.
Additional Windows ME information:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove them.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.