Solved

W32/Hybris.dll@MM  Virus

Posted on 2001-06-12
Last Modified: 2013-12-28
I am trying to fix a Windows 98 Second Edition laptop with a virus called "W32/Hybris.dll@MM". I tried using the latest versions of McAfee and Norton Anti-Virus, but even though both of them are able to recognize the virus, neither of them is able to clean it off the machine.

The virus attached itself to the wsock32.dll file. Unfortunately this file cannot be deleted, copied, moved, edited, etc. because it is used by the operating system.

Has anyone else heard of this virus?  If so, does anyone know of how to clean off this virus besides reformatting the entire hard drive?  Any help would be appreciated.  Thanks.

John
Question by:johnny6
11 Comments
 
LVL 16

Expert Comment

by:Kyle Schroeder
ID: 6182485
From http://vil.mcafee.com/dispVirus.asp?virus_k=98873&

Removal Instructions:
Use specified engine and DAT files for detection and removal.

Windows 95/98 systems require rebooting to MS-DOS mode and scanning with the command line scanner SCANPM in order to clean such files as EXPLORER.EXE and TASKMON.EXE. Use the command line scanner such as
"SCANPM.EXE C: /CLEAN /ALL"

The WSOCK32.DLL file can be restored from backup. This can be done by:

Windows ME:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.

Use SFC to recover WSOCK32.DLL using instructions below for Windows 98/2000.

Windows 98/2000
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts

Wsock32.dll file exists within the Precopy1.cab cabinet file on the Windows 98 CD-ROM.

-d
 
LVL 16

Expert Comment

by:Kyle Schroeder
ID: 6182495
More info:
Virus Characteristics:
This worm will be received in an email message which may contain the following information:
From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe

When first executed, this worm tries to infect the WSOCK32.DLL file in the WINDOWS\SYSTEM directory. First it tries to infect the WSOCK32.DLL file directly. If it fails because the file is already in use, then it creates an infected copy of WSOCK32.DLL in a new file. This new file goes by an extensionless filename made up of 8 random characters. A line is then created in the WININIT.INI file to rename this newly created file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change takes place the next time the system is booted. A registry value under Software\Microsoft\Windows\CurrentVersion\RunOnce\(default) is also created to run the worm at the next bootup, in case the previous attempts to infect WSOCK32.DLL fail.

The modified WSOCK32.DLL file watches all Internet activity and attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to any valid e-mail address sent over the Internet connection, whether part of an e-mail message, web page, or newsgroup posting. AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the infected user.

This Internet worm originally downloaded encrypted update components from an Internet web site, similar to the method first used by W95/Babylonia, but the site hosting the virus was taken down. The original plugins were:

HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT

Currently this virus downloads plugins from alt.comp.virus. The virus contains an internal list of several news servers it can access. It searches the newsgroup for any plugins that it doesn't have, or has older versions of. Since the worm searches all Internet activity for e-mail addresses, people who post to alt.comp.virus using their real e-mail address may get many copies of the worm when Hybris searches alt.comp.virus for new plugins.
When a full moon occurs according to the computer's internal clock, the virus will randomly post its plugins to the alt.comp.virus newsgroup. It uses a mail-to-news gateway at anon.lcs.mit.edu to send plugins with a fake return address of root@microsoft.com.

This Internet worm contains the text:

HYBRIS
(c) Vecna

-d
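An added check for the WININIT.INI persistence step described in the comment above (example code, not from the thread or from McAfee): it parses the [rename] section for entries that would overwrite WSOCK32.DLL at next boot and flags the extensionless 8-character source name the worm uses. It assumes the documented Win9x format of one destination=source line per entry, and the sample file content is constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample WININIT.INI modelled on the mechanism described above:
# the worm drops an 8-character extensionless file and schedules a rename
# over WSOCK32.DLL for the next boot. Names here are made up, not real IoCs.
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\~setup.tmp
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\KQZPLXRD
C:\\WINDOWS\\SYSTEM\\MFC42.DLL=C:\\WINDOWS\\TEMP\\MFC42.DLL
"""

# System files worth watching; WSOCK32.DLL is the one Hybris overwrites.
WATCHED_TARGETS = {"WSOCK32.DLL"}


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.
    Assumes the Win9x layout: one 'destination=source' line per entry."""
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            entries.append((dest, src))
    return entries


def suspicious_renames(text):
    """Flag entries that replace a watched system DLL at next boot; an
    8-character extensionless source name matches the pattern in the thread."""
    findings = []
    for dest, src in parse_rename_section(text):
        if PureWindowsPath(dest).name.upper() not in WATCHED_TARGETS:
            continue
        src_name = PureWindowsPath(src).name
        random_like = re.fullmatch(r"[A-Za-z0-9]{8}", src_name) is not None
        findings.append({"target": dest, "source": src,
                         "hybris_pattern": random_like})
    return findings


if __name__ == "__main__":
    for finding in suspicious_renames(SAMPLE_WININIT):
        print(finding)
```

The same parser can be pointed at a real C:\WINDOWS\WININIT.INI copied off the machine from MS-DOS mode, before the pending rename has a chance to run.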
 
LVL 5

Expert Comment

by:jjcontact
ID: 6182637
http://www.securityportal.com/articles/hybrisnews20010129.html
According to what I read, an updated scanner can get it or go here:

http://housecall.antivirus.com/
 
LVL 4

Accepted Solution

by:
tengage earned 200 total points
ID: 6183716
Norton and McAfee don't usually clean a machine which is ALREADY infected with a virus; they are only detection / prevention mechanisms. McAfee's solution will clean your machine, or you could use Norton's (I'm a McAfee Hater).

http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
 
LVL 5

Expert Comment

by:jjcontact
ID: 6184031

If what dogztar posted doesn't work, try The Cleaner (for trojans): http://www.moosoft.com/

I don't know why I didn't think of it before.
 
LVL 5

Expert Comment

by:jjcontact
ID: 6184039
I see many people are having problems getting rid of this one. The newsgroups are full of people who are having this problem. OK, this is the final suggestion. Any luck?

http://claymania.com/hybris-removal.html
 
LVL 2

Author Comment

by:johnny6
ID: 6184274
I will try these suggestions tomorrow and let everyone know which ideas worked.  Thanks.

John
 
LVL 4

Expert Comment

by:tengage
ID: 6186302
FDISK, FORMAT, RE-IMAGE.

That one usually works for me.
 
LVL 2

Author Comment

by:johnny6
ID: 6189388
Dogztar's answer does not work for the simple fact that you cannot access the file, write to it, or move it because, as I have said before, Windows is using the file.

I was able to solve this problem on my own by restarting the computer at an MS-DOS prompt, then overwriting the infected copy of the file with a good copy of it.

Since I am the expert who really solved this problem, I was considering asking for my points back. However, since I am sure that this question will prove to be valuable to others who search through the PAQs for a similar virus, I will leave the points as is.

I am awarding the points to tengage because he was the first one to find a method that works and also one that is very similar to the way I did it.

Here is a copy of the URL that tengage found that describes that method: http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html


John
 
LVL 16

Expert Comment

by:Kyle Schroeder
ID: 6191571
I understand that you can't replace the file while Win98 is running...from what you said, I took it to mean that you understood that you'd have to reboot to MS-DOS to replace the file, or delete it then install from Win98 using SFC (or use SFC to extract the file, then replace from MS-DOS mode). My answer was trying to explain more that you have to extract the file, and where to get it from.

<QUOTE>
Use SFC to recover WSOCK32.DLL using instructions below for Windows 98/2000.

Windows 98/2000
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts

Wsock32.dll file exists within the Precopy1.cab cabinet file on the Windows 98 CD-ROM.

</QUOTE>

Sorry if I didn't make that clear.  Good to know that you got the virus cleaned though!

-d
 
LVL 2

Author Comment

by:johnny6
ID: 6191652
dogztar:
I would have awarded the points to you if you had been more clear about your answer. You have to remember that there will probably be many people searching the PAQs to solve similar virus problems. I made it very clear to anyone reading this PAQ how to remove this virus.



John