Hybris
Aliases: I-Worm.Hybris
Type: Email/Internet Worm
Systems Affected: Win32 systems
Payload: As the worm is self-updating, functionality may vary. Details in description below.
ITW: Yes
Origin: Poland
Description: The worm infects WSOCK32.DLL, meaning it is activated everytime a person connects to the Internet. It also attaches itself to all outgoing messages sent from the victim's machine. The worm self-updates via binary postings to the alt.comp.virus newsgroups. These postings are, of course, anonymous. Estimates are that 32 different plug-ins may be available.
What to look for: Hybris may be received as an email from Hahaha with text about Snow White and the 7 dwarfs, or it may be received with no discernible sender, no subject, and no text. Common attachment names are: enano.exe, enano porno.exe, blanca de nieve.scr, enanito fisgon.exe, sexy virgin.scr, joke.exe, midgets.scr, dwarf4you.exe, blancheneige.exe, sexynain.scr, blanche.scr, nains.exe, branca de neve.scr, atchim.exe, dunga.scr, anão pornô.scr.

According to antivirus vendor Sophos, some variants of Hybris search for executables in ZIP and RAR files, renaming any found to EX$ and then adding itself to the archive with the original name. Sophos also reports a variant that displays a large black and white spiral at 1 minute to any hour. This spiral may be difficult to close and hinder use of the system. A third variant is reported to exhibit polymorphic tendencies in an effort to avoid detection by antivirus scanners.

How to prevent it: Do not open any attachments received unexpectedly - regardless of source. Before opening any unexpected attachment, cross-reference the name in the Attachment Center.