Printer Friendly Page

Discovered: September 25, 2000
Updated: February 13, 2007 11:34:43 AM
Also Known As: W32.Hybris.gen, W32.Hybris.22528.dr, W32/Hybris.gen@M [McAfee], I-Worm.Hybris [Kaspersky], WORM_HYBRIS [Trend], W32/Hybris-A [Sophos], Win32.Hybris [CA], Full Moon
Type: Worm
Systems Affected: Windows

Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 as of January 6, 2004.

W95.Hybris is a worm that spreads by email as an attachment to outgoing email messages.

The email message or subject may include, but is not limited to:

  • hahaha@sexyfun.net
  • Snow White and the Seven dwarves

The attachment may have one of several different names, including, but not limited to:
  • anpo porn(.scr
  • atchim.exe
  • branca de neve.scr
  • dunga.scr
  • dwarf4you.exe
  • enano porno.exe
  • joke.exe
  • midgets.scr
  • sexy virgin.scr

Symantec has created an interactive tutorial to help you get rid of this worm.

Antivirus Protection Dates

  • Initial Rapid Release version September 25, 2000
  • Latest Rapid Release version August 20, 2008 revision 017
  • Initial Daily Certified version September 25, 2000
  • Latest Daily Certified version August 20, 2008 revision 016
  • Initial Weekly Certified release date September 25, 2000

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Technical Description

When the worm attachment is executed, the Wsock32.dll file is modified or replaced. Once the worm has infected wsock32.dll, it has the ability to monitor the Internet connection as well as incoming and outgoing email traffic. The worm then scans for email addresses. When an email address is detected whether on an Internet site or in email being sent or received, the worm waits for a period of time and then sends an infected message to the detected address.

The worm attempts to connect to the alt.comp.virus newsgroup. If it connects successfully, then the worm uploads its own plug-ins to this newsgroup in an encrypted form. It goes thru the subject header of the messages, and tries to match a specific format. The subject header will also specify the version number of the attached plug-in if the plug-ins are present. If newer versions of the plug-ins are found, the worm downloads them and updates its behavior.

One of the plug-ins for W95.Hybris.gen generates a spiral image. Upon execution, the plug-in initially loads OpenGL libraries which are used to draw a large black and white spiral image. It also registers itself as a service; this prevents it from being displayed in the Close Programs dialog box. For additional information on this, see the document W95.Hybris.Plugin .

This worm also has a plug-in that infects executable programs. The DOS EXE infection is fairly simple dropping technique. The virus code is appended to the end of the file with a small 16-bit dropper routine. This routine creates a temporary file with an .exe extension in the TEMP folder and executes it. It then deletes the temporary executable. In this way, Wsock32.dll is infected with the actual worm body. The PE executables have a much more complicated file infection process. PE files become infected only if they have a long enough code section. The virus infection plug-in packs the original code area and overwrites it if it will fit in the same place. This complicated antiheuristic infection technique is difficult but possible to repair.

If Wsock32.dll is being used by the system, the worm cannot modify it. In this situation, the worm will add a registry entry to one of the following subkeys:



It always alternates between these two keys as the worm spreads from one computer to another. The worm hooks onto the following exports of Wsock32.dll:


Whenever you send email, the worm sends a second message to the same person, attaching a copy of itself using a randomly generated file name.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


To remove the W95.Hybris.gen worm, follow these steps:

  1. Run LiveUpdate to ensure that you have the most recent virus definitions. They must be dated September 25, 2000, or later.
  2. Start NAV, and perform a full system scan. Make sure that NAV is set to scan all files. When an infected file is detected, do the following:
    • When Wsock32.dll is detected as infected, choose Repair. In most cases, NAV can repair this file. If NAV cannot repair the file, then you will need to replace it from the Windows installation CD. If you need to replace this file, see the instructions in the next section.

      NOTE: If NAV cannot repair Wsock32.dll when Windows is in normal mode, then try to repair it in Safe Mode.This is particularly true if you are connected to a network; in this case you may see a "sharing violation" message when NAV attempts the repair. To try this, restart the computer in Safe Mode. (If you need help with this, read the document How to restart Windows 9x or Windows Me in Safe Mode.) If this is not successful, then you must extract a new copy as explained in the next section.
    • Delete all other detected files; their contents have been overwritten by the worm. You must restore them from backups or, in the case of application software, reinstall the programs.
  3. If you see a rotating spiral on the Windows desktop, you must follow additional steps to remove it. See the section To remove the rotating spiral.

To extract a new copy of the Wsock32.dll file:
This is necessary only if Wsock32.dll cannot be repaired. You must run the Extract command at a command (DOS) prompt. Follow these steps to do this, using the instructions for your operating system.

This information is provided for your convenience. We have provided detailed instructions for Windows 95/98/Me, which are the operating systems most affected by this. These instructions should work for most versions of these operating systems. In most cases, this should not be necessary under Windows 2000/XP, because these systems' File Protection feature should prevent the Wsock32.dll file from being overwritten (unless File Protection was disabled).

The following documents provide general instructions on how to extract files. The exact steps may vary slightly depending on the configuration of your operation system, where the files are located, and so on. For additional information, read the Windows documentation, Help files, or contact Microsoft. NOTES:
  • You will need a Windows 98/Me startup disk. (If you are using Windows 95, you will still need one that was created on a Windows 98/Me computer). For instructions on how to create one, see the document How to create a Windows Startup disk.
  • Have the Windows installation CD available.
  • When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type

    extract /a d:\win98\precopy1.cab wsock32.dll /L c:\windows\system
  • If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows\System folder.
  • For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605.
  • As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.
  1. Shut down the computer and turn off the power. Once the computer is off, insert the Windows 98/Me Startup disk in the floppy disk drive and turn the computer back on. At the menu, select Start with CD-ROM support.
  2. Type the command that applies to your operating system:
    • If you are using Windows 98, then type the following and press Enter:

      extract /a x:\win98\precopy1.cab wsock32.dll /L c:\windows\system
    • If you are using Windows 95, then type the following and press Enter:

      extract /a x:\win95\win95_02.cab wsock32.dll /L c:\windows\system
  3. If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter.

To remove the rotating spiral:
W95.Hybris.Gen uses several different plug-ins. The most common is a large, rotating spiral. If you see this on the Windows desktop, follow the instructions in the document W95.Hybris.Plugin .

Writeup By: Cary Ng