
By Robert Lemos
Posted on ZDNet News: Jan 11, 2001 12:00:00 AM

Hybris, a computer worm that uses encrypted plug-ins to update itself, could be the sleeper hit of 2001, anti-virus experts say.

"It's not a fast mailer or a mass mailer. It's slow and subtle," said Roger Thompson, technical director of malicious-code research for security firm TruSecure. But "slow and steady wins the race."

The spread of most computer worms tends to spike quickly and just as quickly die out. But the 3-month-old Hybris worm shows no sign of dying anytime soon, Thompson said.

He compared the virus to Happy99.exe, also known as Win32/Ska, a malicious program that started spreading in January 1999 and remained a threat to the unwary for more than a year.

Like Happy99, the Hybris worm spreads by monitoring a PC's network connection for e-mail messages. When a message is detected, the worm will add the addresses found in the e-mail's header to a list. Later, Hybris selects destinations from the list to which it sends copies of itself.

Instead of the avalanche of e-mail messages created by viruses such as Melissa and LoveLetter, Hybris produces a steady trickle of virulent e-mail, making it less noticeable.
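The operational point here is that a mailer which sends a few messages an hour never trips the burst thresholds that catch a Melissa- or LoveLetter-style avalanche. The following is an added example, not code from the article or from any anti-virus vendor: it runs two detectors over constructed outbound-mail log lines, a short-window message-rate check and a long-window count of distinct recipients, to show that only the second one catches a Hybris-style trickle. The log format, the host names and the thresholds are all assumptions chosen for illustration.

```python
"""Added example: burst-rate vs. distinct-recipient detection over constructed mail logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the article.
BURST_WINDOW = timedelta(seconds=60)
BURST_MAX = 20            # more than this many messages inside BURST_WINDOW -> burst
DAY_WINDOW = timedelta(hours=24)
DISTINCT_MAX = 10         # more than this many distinct recipients inside DAY_WINDOW -> trickle


def build_sample_log():
    """Constructed log lines in a hypothetical '<ISO time> <host> -> <recipient>' format."""
    base = datetime(2001, 1, 10, 9, 0, 0)
    lines = []
    # pc-mass: Melissa/LoveLetter-style avalanche, 30 messages in one minute
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} pc-mass -> user{i}@example.com")
    # pc-trickle: Hybris-style, one message every two hours, each to a newly harvested address
    for i in range(12):
        t = base + timedelta(hours=2 * i)
        lines.append(f"{t.isoformat()} pc-trickle -> victim{i}@example.net")
    # pc-normal: an ordinary user mailing three correspondents during the day
    for i, rcpt in enumerate(["alice@x.org", "bob@x.org", "alice@x.org",
                              "carol@x.org", "bob@x.org"]):
        t = base + timedelta(hours=3 * i)
        lines.append(f"{t.isoformat()} pc-normal -> {rcpt}")
    return sorted(lines)


def parse_log(lines):
    """Group (timestamp, recipient) pairs by sending host, each list sorted by time."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, _arrow, rcpt = line.split()
        by_host[host].append((datetime.fromisoformat(ts), rcpt.lower()))
    for events in by_host.values():
        events.sort()
    return by_host


def burst_detector(by_host):
    """Flag hosts that send more than BURST_MAX messages inside any BURST_WINDOW.

    Sliding two-pointer window over the sorted timestamps of each host.
    """
    flagged = set()
    for host, events in by_host.items():
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_MAX:
                flagged.add(host)
                break
    return flagged


def distinct_recipient_detector(by_host):
    """Flag hosts that mail more than DISTINCT_MAX distinct addresses inside any DAY_WINDOW.

    Counting distinct recipients rather than raw message volume is what exposes
    a slow mailer that works through a harvested address list.
    """
    flagged = set()
    for host, events in by_host.items():
        for start in range(len(events)):
            t0 = events[start][0]
            seen = {rcpt for t, rcpt in events[start:] if t - t0 <= DAY_WINDOW}
            if len(seen) > DISTINCT_MAX:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    hosts = parse_log(build_sample_log())
    print("burst detector flags:", sorted(burst_detector(hosts)))
    print("distinct-recipient detector flags:", sorted(distinct_recipient_detector(hosts)))
```

On this input the burst detector flags only pc-mass, while the distinct-recipient detector flags both pc-mass and pc-trickle and leaves pc-normal alone. The distinct-recipient check is quadratic per host as written; on real mail-server volumes it would be replaced by a sliding window with per-recipient counts, but the signal it keys on, many never-before-seen recipients over a day from one host, is the one a slow mailer cannot hide.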

Another point in the worm's favor: It's written as a 32-bit Windows program, not in a scripting language as was LoveLetter or Melissa, said Vincent Gullotto, director of the anti-virus emergency research team at security firm Network Associates.

"It is a hard one to kill, like most Win32 infectors," he said. "Anything that uses Win32 infects the PC very quickly. It can infect hundreds of files in a matter of seconds."

Hybris' combination of slow spread and fast infection seems to have worked.

First detected in October 2000, the worm has remained on the top-10 list of worldwide infectors, according to statistics from Trend Micro's Worldwide Virus Tracking page. For the past week, the virus has been rated as the No. 4 most prevalent virus in the United States, as measured by the number of PCs infected, and No. 9 worldwide.

While Trend's statistics take into account only a small percentage of incidents worldwide, they are one of the few quantitative gauges of virus activity.

Dangerous plug-ins
One factor that has helped Hybris spread itself widely is its use of encrypted plug-ins, anti-virus experts said.

Like the Babylonia, LoveLetter and MTX viruses, Hybris can retrieve code across the Internet and modify itself; what sets it apart is where it gets that code: the alt.comp.virus Usenet group, said Nick FitzGerald, a New Zealand-based security consultant and virus researcher.

"Hybris changes shape by finding and incorporating different extensions into its code and mailing that new form to other potential victims," he said.

Typically, the anti-virus community would have the site hosting such plug-ins shut down, but because its own newsgroup is being used to publish the code, it cannot shut that down without hurting its own ability to fight viruses.

Anti-virus experts believe the author of the virus is the same one who created the Babylonia virus, a concept virus that "phoned home" to a Japanese Web site known as the Source of Chaos and updated itself using files found on the site.

The name of the author, known as Vecna, appeared in a copyright notice in Hybris. Security firm Aladdin Knowledge Systems announced on Tuesday that it had proof the virus was created by the so-called VX-Brazil group, and it claims that Vecna is a member of that group.

Hybris' ability to change how it works and its signature makes the worm potentially very dangerous.

Depending on which plug-ins it downloads, the worm could turn into a backdoor into the PC or into a malicious program that corrupts data. At present, at least eight plug-ins are known to exist.

"At some point, (the writer) could easily have control of a large number of PCs," said TruSecure's Thompson, who added that companies don't have much to worry about, as their network administrators usually update virus definitions often enough to keep up with any changes to Hybris.

Home computer users need to update their virus scanners frequently and treat e-mail attachments with suspicion, he said.
