W95.Babylonia:
Virus name: W95.Babylonia
Attacked operating systems: Windows 9x
Type: Internet worm and Trojan
Infection:
The virus arrives on a PC either as an e-mail attachment that the user opens or over
mIRC (see the IRCWORM module below). File names known to have started infections are:
- I-WATCH-U.EXE
- BABILONIA.EXE
- X-MAS.EXE
- SURPRISE!.EXE
- JESUS.EXE
- BUHH.EXE
- CHOCOLATE.EXE
Please note that any infected .EXE or .HLP file can start an infection, not only the files listed here.
Payload:
The virus infects Windows 95 .EXE and .HLP files as soon as they are opened. The
current version carries no destructive payload, but because it can load new modules
from the Internet (see below), later updates could be more aggressive.
When the attachment is opened, the virus installs itself in kernel memory and creates
a new file "C:\BABYLONIA.EXE" of about 4 KB. BABYLONIA.EXE then copies itself as
"KERNEL32.EXE" into the Windows system directory (not to be confused with the legitimate
KERNEL32.DLL) and registers this copy in the registry under the key
Software\Microsoft\Windows\CurrentVersion\Run, so that it is executed every time the PC
starts. The execution is invisible to the user: the copy runs in the background as a
system program.
At every start it looks for "RNAAPP.EXE", the Windows 9x Dial-Up Networking process that
is active while the PC is online. If this application is found, the virus connects to a
Japanese Internet site and downloads a text file "VIRUS.TXT". This text file lists four
file names, "DROPPER.DAT", "GREETZ.DAT", "IRCWORM.DAT" and "POLL.DAT". These files are
downloaded as well; they use a special format that begins with a "VMOD" header (VMOD
stands for Virus Module).
The "DROPPER.DAT" module restores the virus's functionality: if the virus has been
removed from the PC but the Trojan (the resident KERNEL32.EXE copy) is still active, this
module installs the virus again. It creates an application "INSTALAR.EXE" that is
infected with the Babylonia virus and deletes "INSTALAR.EXE" again after it has run.
The "GREETZ.DAT" module modifies "AUTOEXEC.BAT" in January 2000, adding the entry
"W95/Babylonia by Vecna (c) 1999". Finding this entry in AUTOEXEC.BAT is one sign that
the PC is infected; its absence proves nothing, especially before that date.
The "IRCWORM.DAT" module is the installer of a mIRC worm. The worm sends the two files
"2KBug-MircFix.EXE" and "2Kbugfix.INI" to everyone in the active mIRC channel.
The "POLL.DAT" module sends an e-mail to the author of the virus so that he can count
the infected PCs. The e-mail goes to babylonia_counter@hotmail.com with the message
"Quando o mestre chegara?" (Portuguese: "When will the master arrive?").
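The description above yields a handful of host indicators: a KERNEL32.EXE autostart in the Run key, the marker line in AUTOEXEC.BAT, the dropped BABYLONIA.EXE and INSTALAR.EXE files, the four .DAT modules with their "VMOD" header, and the two files the mIRC worm spreads. The following Python script is an added example written for this page, not code from the original article or from the virus itself. It runs the checks offline against constructed sample data (a fake Run-key export, a fake AUTOEXEC.BAT, a fake mIRC script.ini and a temporary directory of zero-filled stand-in files); the names, header bytes and text strings come from the description, while the sample contents and the script.ini form of the worm hook are assumptions made for the demonstration.

```python
"""Added example: offline indicator check for the W95.Babylonia artefacts
described on this page.  Not code from the original article or the virus.
All sample data below is constructed; only names, the VMOD header and the
text strings match the description."""

import re
import tempfile
from pathlib import Path

# Indicators taken from the description.
GREETZ_MARKER = "W95/Babylonia by Vecna (c) 1999"   # line GREETZ.DAT adds to AUTOEXEC.BAT
VMOD_MAGIC = b"VMOD"                                  # header of the downloaded modules
DROPPED_FILES = {"babylonia.exe", "instalar.exe"}
MODULE_FILES = {"virus.txt", "dropper.dat", "greetz.dat", "ircworm.dat", "poll.dat"}
WORM_FILES = {"2kbug-mircfix.exe", "2kbugfix.ini"}


def check_run_key(run_values):
    """Return the Run entries (value name -> command line, as exported from
    Software\\Microsoft\\Windows\\CurrentVersion\\Run) that start KERNEL32.EXE.
    The genuine kernel is KERNEL32.DLL, so a KERNEL32.EXE autostart is the
    virus's persistence entry."""
    return {n: c for n, c in run_values.items() if re.search(r"kernel32\.exe", c, re.I)}


def check_autoexec(text):
    """True if AUTOEXEC.BAT carries the line written by the GREETZ module."""
    return any(GREETZ_MARKER in line for line in text.splitlines())


def check_mirc_script(text):
    """Return the mIRC script lines that mention either of the worm's two files."""
    return [ln for ln in text.splitlines() if any(w in ln.lower() for w in WORM_FILES)]


def check_files(root):
    """Walk a directory tree and collect dropped files, module file names, and
    any file that begins with the VMOD magic, whatever it is called."""
    found = {"dropped": [], "modules": [], "vmod_header": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        if name in DROPPED_FILES:
            found["dropped"].append(str(p))
        if name in MODULE_FILES:
            found["modules"].append(str(p))
        with p.open("rb") as fh:           # header check catches renamed modules
            if fh.read(4) == VMOD_MAGIC:
                found["vmod_header"].append(str(p))
    return found


def demo():
    """Create constructed artefacts in a temp directory and run every check.
    The files are zero-filled stand-ins, not infected data."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "BABYLONIA.EXE").write_bytes(b"\0" * 4096)          # ~4 KB, like the dropper
    (tmp / "GREETZ.DAT").write_bytes(VMOD_MAGIC + b"\0" * 60)   # module with VMOD header
    (tmp / "notes.txt").write_bytes(b"benign file")             # must not be flagged
    autoexec = "@ECHO OFF\nPATH C:\\WINDOWS\nECHO W95/Babylonia by Vecna (c) 1999\n"
    run_values = {                                               # constructed Run export
        "SystemTray": "SysTray.Exe",
        "KERNEL32": "C:\\WINDOWS\\SYSTEM\\KERNEL32.EXE",
    }
    # Assumed script.ini hook; the page only says the worm sends the files to the channel.
    mirc = "[script]\nn0=on 1:JOIN:#:{ /dcc send $nick C:\\mirc\\2KBug-MircFix.EXE }\n"
    return {
        "run_key": check_run_key(run_values),
        "autoexec": check_autoexec(autoexec),
        "mirc": check_mirc_script(mirc),
        "files": check_files(tmp),
    }


if __name__ == "__main__":
    for indicator, result in demo().items():
        print(indicator, "->", result)
```

On a real Windows 9x disk the same functions would be fed the exported Run key, the root AUTOEXEC.BAT, the mIRC directory and the Windows system directory. The header check in check_files matters more than the file-name lists, since the modules can be renamed but must keep the "VMOD" header for the virus to load them.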
Warning:
The virus is able to update itself via the Internet, so the behaviour described here can change with new modules.
Protection:
Users of the Norton AntiVirus toolkits can download an update of the software
to protect themselves: http://www.symantec.com/avcenter/download.html.
Remarks:
The author of this virus calls himself "Vecna" and is a member of the
virus-writing group "29A". As long as the virus is active in the PC's memory it
cannot be removed completely; the PC should be cleaned after booting from a known-clean
disk. This behaviour is similar to the CIH virus.
Further reports on this virus:
http://www.kasperskylab.ru/eng/news/press/991207.html
http://www.symantec.com/avcenter/venc/data/w95.babylonia.html
Copyright
by All-About-PC. All rights reserved.
All information on this website is protected by international law. Any
reproduction or publication without the agreement of the editorial
office is prohibited. Please respect the work of others.
Although all information on this website is thoroughly researched and
mostly checked and confirmed against secondary sources, we do not take
responsibility for any damage originating from the use of the
information on our site.