The CERT Coordination Center publishes incident notes to provide
information about computer security incidents to the Internet community.

<h2>Open mail relays used to deliver "Hybris Worm"</h2>
<p>Date: Friday, March 02, 2001</p>
<h3>Overview</h3>
<p>It is well documented that intruders have used open mail relays for years
to deliver unsolicited email. Recently, the CERT/CC has received reports of
intruders using open mail relays to propagate malicious code such as the
"Hybris Worm." This represents a threat because intruders increasingly
use open mail relays to multiply the number of messages carrying malicious
code, leveraging the bandwidth and processing power of the relaying hosts
connected to the Internet.</p>
<h3>Description</h3>
<p> The Hybris Worm is a piece of malicious code that propagates through email
messages and newsgroup postings, specifically targeting Windows machines. To
become infected a user must execute an attachment received in email or a
posting; no special mail or news reader program is required to become
infected.</p>
<p>This worm infects the Windows networking library WSOCK32.DLL file, thereby
subverting "normal" email behavior. Whenever a user sends an email on an
infected machine, the malicious code sends out another email to the same
recipient with a copy of itself as an attachment.  Based on reports the
CERT/CC has received, Hybris only affects Win32 systems and does not contain a
destructive payload. However, the malicious code appears to contain code
modules that can be upgraded from the web to give it a destructive
payload. There are several variants, although all variants have the same
behavior with very minor differences.</p>
<p>Versions of Hybris reported to the CERT/CC have these characteristics:</p>
<dl><dd>
<pre>
From: Hahaha &lt;hahaha@sexyfun.net&gt;
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
          polite with Snowhite. When they go out work at mornign, they promissed a 
          *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
          Dwarfs enter...
Attachment: .SCR or .EXE file (name randomly chosen from a predefined list)

Or...

From: Hahaha &lt;hahaha@sexyfun.net&gt;
Subject: Enanito si, pero con que pedazo!
Body: Faltaba apenas un dia para su aniversario de de 18 años. Blanca de Nieve fuera
          siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*
          sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo
          incomun en los ojos...  
Attachment: .SCR or .EXE file (name randomly chosen from a predefined list)
</pre>
</dd></dl>
<p>While these characteristics are the most common in reports we have
received, it is possible for any mail message to contain Hybris as a
file attachment.</p>
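<p>As an added example (not part of the CERT/CC note), a Python filter that flags a message carrying the indicators listed above; the sample-message builder, the recipient address and the attachment bytes are constructed for the demonstration:</p>

```python
"""Flag incoming messages that match the Hybris characteristics in the note."""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the incident note.
HYBRIS_SENDER = "hahaha@sexyfun.net"
HYBRIS_SUBJECTS = {
    "snowhite and the seven dwarfs - the real story!",
    "enanito si, pero con que pedazo!",
}
# Attachment types the note associates with the worm; the note also warns
# that any message may carry it, so executables are flagged on their own.
EXECUTABLE_SUFFIXES = (".scr", ".exe")


def hybris_indicators(raw: bytes) -> list[str]:
    """Return the indicators found in one raw RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    sender = msg.get("From") or ""
    if HYBRIS_SENDER in sender.lower():
        found.append("known sender")
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in HYBRIS_SUBJECTS:
        found.append("known subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_SUFFIXES):
            found.append(f"executable attachment {name}")
    return found


def build_sample(sender: str, subject: str, attach_name: str) -> bytes:
    """Constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"  # constructed recipient
    m["Subject"] = subject
    m.set_content("Today, Snowhite was turning 18.")
    m.add_attachment(b"MZ\x90\x00",  # constructed stand-in for an executable
                     maintype="application", subtype="octet-stream",
                     filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    worm = build_sample("Hahaha <hahaha@sexyfun.net>",
                        "Snowhite and the Seven Dwarfs - The REAL story!", "joke.scr")
    print(hybris_indicators(worm))
    print(hybris_indicators(build_sample("alice@example.org", "Lunch", "notes.txt")))
```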
<p>Intruders are using open mail relays to propagate
Hybris. An "open" mail relay is a mail transport agent (MTA) that is
configured to forward mail between senders and recipients who are not
a part of the MTA's operational domain. "Open mail relays" are
sometimes called "open mail servers," "mail relays," "third-party mail
servers," or similar names. Intruders who wish to obscure their
identity often send mail through an open mail relay. Using an open
mail relay from another site is attractive to the intruder because
accountability is far less enforceable. For more information on open
mail relays, please see
<a href="http://maps.vix.com/tsi/ar-what.html">http://maps.vix.com/tsi/ar-what.html</a>.</p>
<p>For more details about Hybris, please check an antivirus vendor
database. A sample collection is listed on the CERT/CC's Computer
Virus Resources page:
<a href="http://www.cert.org/other_sources/viruses.html#III">http://www.cert.org/other_sources/viruses.html#III</a></p>
<h3>Impact</h3>
<p>
Sites with open mail relays may be used to send mail to arbitrary
third parties with possible malicious payloads such as Hybris. The use of the
mail server's cycles and bandwidth can degrade the quality of service.</p>
<h3>Solution</h3>
<p>An organization may be running an open mail relay
without knowing it. Generally speaking, there are few
circumstances under which a network should have an open mail relay. We
encourage sites to review their mail server configuration and
evaluate their exposure to this type of abuse.</p>
<p>As good security practice, users should always exercise caution when
receiving email with attachments. Disable auto-opening or previewing of email
attachments in your mail program. Do not open attachments from untrusted
origins or those that appear suspicious in any way. Finally, cryptographic
checksums can be used to validate the integrity of a received file.</p>
<b>Authors</b>: Ian Finlay, Brian King, Shawn Hernan<br/>
<p>Copyright 2001 Carnegie Mellon University.</p>