CERT® Incident Note IN-2001-02The CERT Coordination Center publishes incident notes to provide information about computer security incidents to the Internet community.
Open mail relays used to deliver "Hybris Worm"
Date: Friday, March 02, 2001
It is well documented that intruders have used open mail relays for years to deliver unsolicited email. Recently, the CERT/CC has received reports of intruders using open mail relays to propagate malicious code such as the "Hybris Worm." This represents a threat because intruders are increasingly using open mail relays to increase the number of messages propagated containing malicious code by leveraging the increased bandwidth and processing power of hosts connected to the Internet.
The Hybris Worm is a piece of malicious code that propagates through email messages and newsgroup postings, specifically targeting Windows machines. To become infected a user must execute an attachment received in email or a posting; no special mail or news reader program is required to become infected.
This worm infects the Windows networking library WSOCK32.DLL file, thereby subverting "normal" email behavior. Whenever a user sends an email on an infected machine, the malicious code sends out another email to the same recipient with a copy of itself as an attachment. Based on reports the CERT/CC has received, Hybris only affects Win32 systems and does not contain a destructive payload. However, the malicious code appears to contain code modules that can be upgraded from the web to give it a destructive payload. There are several variants, although all variants have the same behavior with very minor differences.
Versions of Hybris reported to the CERT/CC have these characteristics:
While these characteristics are the most common in reports we have received, it is possible for any mail message to contain Hybris as a file attachment.
Intruders are using open mail relays to propagate Hybris. An "open" mail relay is a mail transport agent (MTA) that is configured to forward mail between senders and recipients who are not a part of the MTA's operational domain."Open mail relays" are sometimes called "open mail servers," "mail relays," "third-party mail servers," or similar names. Intruders who wish to obscure their identity often send mail through an open mail relay. Using an open mail relay from another site is attractive to the intruder because accountability is far less enforceable. For more information on open mail relays, please seehttp://maps.vix.com/tsi/ar-what.html
For more details about Hybris, please check an antivirus vendor database. A sample collection is listed on the CERT/CC's Computer Virus Resources page:http://www.cert.org/other_sources/viruses.html#III
Sites with open mail relays may be used to send mail to arbitrary third parties with possible malicious payloads such as Hybris. The use of the mail server's cycles and bandwidth can degrade the quality of service.
It may be possible for an organization to be an open mail relay without knowing it. Generally speaking, there are few circumstances under which a network should have an open mail relay. We encourage sites to review their mail server configuration and evaluate their exposure to this type of abuse.
As good security practice, users should always exercise caution when receiving email with attachments. Disable auto-opening or previewing of email attachments in your mail program. Do not open attachments from an untrusted origins or those that appear suspicious in any way. Finally cryptographic checksums can be used to validate the integrity of the file.Authors: Ian Finlay, Brian King, Shawn Hernan
This document is available from: http://www.cert.org/incident_notes/IN-2001-02.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.