Skip navigation
Skip navigation

Marylebone Media Relations

New dangerous versions of the virus have been detected "in the wild".

Cambridge, UK, November 13, 2000 - Kaspersky Lab, an international data-security software-development company, warns users of the discovery of Hybris, a new Internet-worm. Kaspersky Lab is receiving reports of the discovery of this virus "in the wild" worldwide. It is particularly active in Latin America. Infections by this virus have also been found in Europe.

The first version of this Internet worm was discovered by Kaspersky Lab and several other anti-virus software developers at the end of September and was classified as a low risk malicious program. However, within the last few days the company has been inundated by reports from users whose computers have been infected by this virus. At this moment Kaspersky Lab has discovered five versions of Hybris and it is excepted that new variations will be found in the near future.

The Internet worm Hybris spreads by attaching itself to infected emails and works only under MS Windows. When the recipient executes the attached file it infects the host PC. The procedure for infection is typical for this type of malicious program and is performed in a similar way to Happy or MTX viruses.

To proliferate, the worm infects WSOCK32.DLL library and also intercepts the Windows function that establishes the network connection; it then scans sent and received data for any email addresses, and sends copies of itself to these email addresses. Subject, text and name of the attached file is chosen randomly, for example,

From: Hahaha hahaha@
Subject: Snowhite and the seven Dwarfs - The REAL Story!
Attachment: dwarf4you.exe

In addition, this worm has some specific features. Hybris contains several (up to 32) components (plugins) in its code and executes them depending on its needs. The worm functionality is mostly defined by the plugins. They are stored in the body of the worm and are encrypted by a very strong crypto algorithm.

However the main peculiarity is that Hybris maintains the functionality of the plugins: it sends its own components to the anti-virus conference "alt.comp.virus" and downloads from there any upgraded or missing plugins. The virus components can also be updated by the worm from the author’s web page, via the Internet. So far, plugins found in the known versions of this virus and those at the web site are fairly harmless and do not cause any direct damage. But, the fact that they can be updated means that they may be given completely different functions, for example installing a Trojan horse backdoor. Although there have previously been some cases when a malicious program has been updated from the Internet, this is the first time it has occurred on this scale "in the wild".

‘What we have here is perhaps the most complex and refined malicious code in the history of virus writing," comments Eugene Kaspersky, Head of Anti-Virus Research Center of the company, "Firstly, it is defined by an extremely complex style of programming. Secondly, all the plugins are encrypted with strong RSA 128 bits crypto algorithm key. Thirdly, the components themselves give the virus writer the possibility to modify his creation "in real time" and in fact allow him to control infected computers worldwide".

Protection procedure against the Internet worm Hybris and its versions have now been added to anti-virus databases of Kaspersky Anti-Virus (AVP).

Technical details on the worm principals and functioning order are available at web-site Kaspersky Virus list.

To learn more about the latest dangerous viruses and how to protect yourself against them, please visit Kaspersky Lab’s presentations at Comdex Fall 2000 Show at the Las Vegas Convention Center from 13 till 17 November (stand N L4820).

About Kaspersky Lab

Kaspersky Lab Ltd. is a fast growing international privately owned anti-virus software development company with offices in Moscow (Russia), Cambridge (UK) and Johannesburg (South Africa). Founded in 1997, the company concentrates its efforts on the development of world-leading anti-virus technologies and software. Kaspersky Lab also provides free online security related Internet information services. The company markets, distributes and supports its software and services in more than 40 countries worldwide.

Media Contacts

Denis Zenkin

Kaspersky Lab, Ltd.

Phone: +7 (095) 797 87 00



Sara Claridge

Marylebone Media Relations

Phone +44 118 975 5188


This press release was distributed by ResponseSource Press Release Wire on behalf of Marylebone Media Relations in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit