"Low risk" worm could squirm into trouble

Antivirus companies say a worm called Hybris carries no destructive payload and is relatively harmless. But because it is written so that it can update itself as it spreads, some caution that it could still prove to be a menace.

The worm comes as an email attachment that, when opened, replaces a file on the recipient's computer called "WSOCK32.DLL," a dynamic linking library. DLLs are files that application programmers use to share code among various Windows applications. Once it has replaced the DLL, Hybris monitors outgoing email and distributes copies of itself to recipients, randomly generating the name of the attached payload.

The worm's chameleon-like nature stems from its ability to download encrypted components from the Internet in a method first introduced by the W95/Babylonia worm, according to antivirus company McAfee. Babylonia is a Brazilian virus discovered last year after it was posted to a newsgroup in the guise of a help file, which also downloaded components from the Internet.

The Web site where those components originated was quickly shut down, according to McAfee.

Hybris is updating its components from the "alt.comp.virus" newsgroup, as well as from a Web site, antivirus company Kaspersky Lab wrote in an alert.

Kaspersky warned that the replacement of certain components could turn Hybris from harmless to hazardous.

"What we have here is perhaps the most complex and refined malicious code in the history of virus writing," Eugene Kaspersky, the head of Kaspersky Lab, said in a statement. "Firstly, it is defined by an extremely complex style of programming. Secondly, all the plugins are encrypted with very strong RSA 128-bit crypto-algorithm key. Thirdly, the components themselves give the virus writer the possibility to modify his creation 'in real time,' and in fact allow him to control infected computers worldwide."

But security experts said that Hybris' technical edge might not guarantee it any success in the wild.

"A high degree of sophistication does not necessarily make a virus successful," Elias Levy, analyst at SecurityFocus.com, wrote in an email interview. "Many dumb viruses have caused more damage than the really technically interesting articles. There are many factors that determine whether a worm/virus is successful and we don't know what they all are."

McAfee recommended that people delete unexpected attachments to prevent further spread of the worm, which it rated "low risk."

According to antivirus firm Trend Micro, which also rated Hybris "low risk," the infected message reads: "Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter..." (sic)

Kaspersky said reports of Hybris had stepped up since its discovery in September, particularly in Latin America, and to a lesser extent in Europe as well.