This story was printed from ZDNet Australia.
Hybris is a complex new worm

By Robert Vamosi
November 15, 2000
URL: http://www.zdnet.com.au/news/security/soa/Hybris-is-a-complex-new-worm/0,130061744,120106959,00.htm


At least five variations exist of this complex worm that can update itself via the Internet.

Hybris (W32.Hybris) is a complex supervirus whose e-mail delivery system is similar to Happy 99 and whose programming and payload are similar to MTX. Although this worm has been known for some time, reports of Hybris are increasing worldwide. And while the worm currently contains a relatively harmless payload, Hybris has the capability to upgrade itself via the Internet and therefore could become dangerous. At least five distinct variations of Hybris have been reported by anti-virus software companies so far.

How It Works
Hybris arrives via e-mail with the following characteristics:

From: Hahaha hahaha@sexyfun.net

Subject: Snowhite and the seven Dwarfs - The REAL Story!

Attachment: a variable file name ending with .exe or .scr, most commonly dwarf4you.exe

Body text: "Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign (sic), they promissed (sic) a *huge* surprise. Snowhite was anxious. Suddlently (sic), the door open, and the Seven Dwarfs enter..."

A user clicking on the above attachment will load the worm. Hybris scans the system for e-mail addresses to send itself out over the Internet via e-mail. Hybris also infects WSOCK32.DLL, renaming it and redirecting Windows.INI to point to the new, infected file. Thereafter, Hybris will send itself via reply mail to whoever sends new e-mails to an infected computer. Hybris is also savvy enough to establish its own Internet connections for the purpose of upgrading itself. What is notable about this worm is that it contains up to 32 Internet components and can execute them as needed. At the moment, the components sent with Hybris are relatively harmless; however, the potential for new and more dangerous upgrades does exist.
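An added example, not part of the original article: a mail-filter check in Python that tests a raw message for the e-mail traits listed above and quarantines on the attachment type alone. The function names, the sample messages and the example.com addresses are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the article's description of the Hybris e-mail.
HYBRIS_SENDER = "hahaha@sexyfun.net"
HYBRIS_SUBJECT = "snowhite and the seven dwarfs"
RISKY_EXTENSIONS = (".exe", ".scr")

def hybris_indicators(raw_bytes):
    """Return the article-described traits found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if parseaddr(str(msg.get("From", "")))[1].lower() == HYBRIS_SENDER:
        hits.append("sender")
    if HYBRIS_SUBJECT in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append("attachment:" + name)
    return hits

def should_quarantine(raw_bytes):
    """Decide on the attachment type alone: the article says the file name
    varies, so this rule does not depend on the name, sender or subject."""
    return any(h.startswith("attachment:") for h in hybris_indicators(raw_bytes))

def build_sample(sender, subject, filename):
    """Construct a test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed samples: the described message, a variant with other headers, a benign mail.
SAMPLES = {
    "hybris": build_sample("Hahaha <hahaha@sexyfun.net>",
                           "Snowhite and the seven Dwarfs - The REAL Story!", "dwarf4you.exe"),
    "variant": build_sample("Alice <alice@example.com>", "Re: minutes", "notes.SCR"),
    "benign": build_sample("Bob <bob@example.com>", "Quarterly report", "report.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, hybris_indicators(raw), should_quarantine(raw))
```

The sender and subject matches are useful for triage and reporting; the quarantine decision rests on the executable attachment, which is the part a user would have to run.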

Removal Instructions
Infected users should download the latest anti-virus signature files. Afterward, users will still need to restore a copy of WSOCK32.DLL, either from a clean backup or from the original Windows installation disks.

How to prevent the Hybris Worm

Here are the basic steps for containing the Hybris worm:

  • Do not open attachments! One of the best ways to prevent virus infections is not to open attachments, especially when viruses such as Hybris are being actively circulated. Even if the e-mail is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.
  • Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Viruses, Bugs, Security Alerts page.
  • Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these five-star programs then following the installation instructions. If you're on a network, check with your network administrator first. If you're not sure if your existing anti-virus software is up-to-date, scan your system for free to find out.
  • Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the anti-virus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.
  • Update your anti-virus software. Now that you have virus protection software installed, make sure it's up-to-date. Some anti-virus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.
