
The Hybris Virus

What is the Hybris virus?

The Hybris, or W32/Hybris.gen@M, virus is an Internet worm which is transmitted through e-mail containing an attachment. The attachment has a randomly generated name, with either a .EXE or .SCR extension. If the recipient executes the attached file, this worm modifies the WSOCK32.DLL file. Once infected, the system will silently send a second, infected message to all recipients of each legitimate message sent from the infected machine. See the links in the next section for more details.
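The behavior described above can be checked for on a mail server. The following is an added example, not part of the original advisory: it labels messages that carry an .EXE or .SCR attachment and arrive shortly after a clean message from the same machine to the same recipients. The log format, addresses, two-minute window, and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

RISKY_EXT = (".exe", ".scr")  # attachment extensions named in the advisory

# Constructed sample log in a hypothetical format (not a real mail server's):
# time, sending client, recipients, attachment file names ("-" means none).
SAMPLE_LOG = """\
2001-04-18T10:00:05 client=10.0.0.7 rcpt=ann@example.edu,bob@example.edu attach=-
2001-04-18T10:00:41 client=10.0.0.7 rcpt=bob@example.edu,ann@example.edu attach=QXPLMZ.SCR
2001-04-18T10:05:00 client=10.0.0.9 rcpt=ann@example.edu attach=notes.txt
2001-04-18T10:30:00 client=10.0.0.9 rcpt=ann@example.edu attach=setup.exe
2001-04-18T11:00:00 client=10.0.0.8 rcpt=cat@example.edu attach=report.doc,ABCD.EXE
"""

def parse_line(line):
    """Parse one log line into typed fields."""
    stamp, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    names = [] if rec["attach"] == "-" else rec["attach"].split(",")
    return {
        "time": datetime.fromisoformat(stamp),
        "client": rec["client"],
        "rcpt": frozenset(r.lower() for r in rec["rcpt"].split(",")),
        "risky": [n for n in names if n.lower().endswith(RISKY_EXT)],
    }

def classify(log_text, window=timedelta(minutes=2)):
    """Label every message carrying an .EXE/.SCR attachment.

    "follow-up": sent within `window` after a message without such an
    attachment from the same client to the same recipients (the pattern
    the advisory describes). Otherwise "executable-attachment".
    Assumes the log is in time order.
    """
    last_clean = {}  # (client, recipients) -> time of last clean message
    results = []
    for line in filter(str.strip, log_text.splitlines()):
        m = parse_line(line)
        key = (m["client"], m["rcpt"])
        if not m["risky"]:
            last_clean[key] = m["time"]
            continue
        gap = m["time"] - last_clean.get(key, datetime.min)
        label = "follow-up" if gap <= window else "executable-attachment"
        results.append((m["client"], m["risky"], label))
    return results

if __name__ == "__main__":
    for client, names, label in classify(SAMPLE_LOG):
        print(client, ",".join(names), label)
```

A "follow-up" label points at the sending machine as the one to scan and clean using the removal steps later on this page.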

Where can I find more information about this virus?

Below are some links to information posted by others. While we believe this information may be useful and reasonably accurate, we have neither authenticated nor verified any of it.

F-Secure's Web site

See Symantec's Web site for current information on Norton AntiVirus updates and NAI's Web site for current information on McAfee VirusScan and Dr. Solomon's updates. You should use your regular update mechanisms to get the latest version of these virus definition files.

How can I remove this virus?

Follow the instructions below to remove this virus. If you have any doubts about your ability to remove the virus from your computer, please seek help from your local computing support staff or contact the PCSC (617/353-7272, pcsc@bu.edu). If you are affiliated with Boston University's School of Management, please contact:

Computer Support Services (Room 630)
Boston University School Of Management
617/353-9440

If you are affiliated with Boston University, you can download and install the latest version of Network Associates' McAfee VirusScan for free, as Boston University has a site license for this product. Please visit BU's anti-virus software Web site for more information. This site will prompt you for your BU login name and password before allowing access.

Specific instructions for removing the Hybris virus

Step 1) Make sure you have the latest virus definitions installed.

Step 2) Run a virus scan on the drive.

Step 3) If the virus is not found in the wsock32.dll file but is found in some other file, that file contains just the body of the virus, and all you need to do is delete the infected file. Then skip Step 4 and continue with Step 5, below.

Step 4) If the virus is found in the wsock32.dll file, that file needs to be restored from the original cab files:

For Windows98

  • Select "Run..." from the START menu, then type SFC and click OK.
  • Choose "Extract one file from the installation disk".
  • Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
  • In the "Restore from" box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 directory on your Windows98 CD-ROM.
  • Click OK and follow the remaining prompts.
  • Continue with Step 5, below.

For Windows95

  • Select "Shut Down..." from the START menu and choose RESTART IN MS-DOS MODE.
  • When the machine has rebooted in MS-DOS mode, *EITHER* type the following (all on one line, inserting a space instead of any line breaks that appear in your browser window):
    EXTRACT  /A  C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB  WSOCK32.DLL  /L  C:\WINDOWS\SYSTEM
    *OR* insert your Windows95 CD-ROM and (assuming your CD-ROM drive is D:, otherwise replace "D:" with the letter for your CD-ROM drive) type (all on one line, inserting a space instead of any line breaks that appear in your browser window):
    EXTRACT  /A  D:\WIN95\WIN95_11.CAB  WSOCK32.DLL  /L  C:\WINDOWS\SYSTEM
  • Continue with Step 5, below.

Step 5) Reboot the machine and run the virus scan one more time.

I received e-mail saying that a message I sent to someone at Boston University could not be delivered because my message might contain this virus. What should I do?

It appears that your system may be infected. As described above, the virus has probably sent infected e-mail to recipients of each of your legitimate mailings. To avoid sending this virus on to new recipients, you should download the appropriate virus definitions for your anti-virus product and then disconnect your computer from the network until you have completely removed the virus and protected your computer against re-infection.


18 April 2001
Office of Information Technology
Boston University