Experts warn of new, updatable virus

W95.Babylonia uses the Web to upgrade itself -- and could pave the way for smarter viruses with heavy payloads.

By Robert Lemos, ZDNet News
UPDATED December 8, 1999 7:57 AM PT


Anti-virus firms are warning of a new computer virus that spreads through Internet chat rooms and updates itself automatically with files from the Web.

"This is the tip of the iceberg," Eric Chien, senior researcher for anti-virus software maker Symantec Corp., said on Tuesday, stressing that the virus' capacity to upgrade itself is what makes it a concern. "Virus writers again are using more network-centric ideas to create viruses."

Symantec (Nasdaq: SYMC) has encountered only two dozen reports of the virus, dubbed W95.Babylonia, since it was discovered on Friday, Dec. 3. Another security firm, Computer Associates Inc. (NYSE: CA), has encountered only 15 reports so far. Currently, the virus infects executable (.EXE) and help (.HLP) files.

While the computer virus has not spread widely and currently has no dangerous payload, anti-virus experts fear that a better-written clone could be more effective in the future.

Or, just as bad for users, the virus writer could decide to add a new payload to the virus. Unique in that it looks at a virus-exchange Web site in Japan for updates, Babylonia is actually just an 11KB program that spreads itself when an infected file is opened and transfers updates from the Web when the host machine is online.

Virus downloads four modules

The current version downloads four modules from the Japanese virus-exchange site. The first module is simply another copy of the virus, which can serve to update the virus itself. The second module is a text file that replaces the autoexec.bat file on the host computer with a new one containing the message:

     W95/Babylonia by Vecna (c) 1999 
     Greetz to RoadKil and VirusBuster 
     Big thankz to sok4ever webmaster 
     Abracos pra galera brazuca!!! 
     --- 
     Eu boto fogo na Babilonia! 

The text identifies the writer as Vecna, who Symantec claims is a member of a Latin American virus group known as 29A (hexadecimal for 666). The Bubbleboy virus was allegedly created by Zulu, another member of the 29A group.

The third module sends an e-mail message to a Hotmail account established to count the number of computers infected by Babylonia. And the fourth module contains code that causes infected users who use mIRC chat software to send a copy of the virus to everyone in the chat room using the DCC file transfer feature of mIRC.

In most cases, the chat software will notify the recipients that someone is sending them a file. However, users who have DCC downloading set to "automatic" will receive no notification. Unless the file, which masquerades as a Y2K bug fix (and is, not coincidentally, called Y2k bug fix.exe), is run, the user's computer will not be infected with the virus.

However, any or all of these aspects of the virus could change. The writer could add a new set of updates to the Web to change the copies of the virus already infecting users' machines, tweak the methods the virus uses to spread, or even add a destructive payload.

"Tomorrow, it could be using Outlook to spread," said Symantec's Chien, referring to a number of recent viruses, including Melissa and ExploreZip, that have spread by sending themselves using Microsoft (Nasdaq: MSFT) Outlook and its address book.

Ironically, the ability to update a virus resembles the LiveUpdate technology that Symantec uses to keep its virus scanner in touch with the times. The ability to upgrade is one that has been used by the software industry for a few years to fix applications over the Net.

Problematic for home users

"At this point, it is a proof of concept," said Narender Mangalam, director of security products for Computer Associates. "It spreads through chat rooms; it will mainly be a problem for home users, who tend to be more lax about security."

The current form of the virus can be detected by searching for a file called Babylonia.exe on any questionable computer. In addition, computers that show the aforementioned message at start up should be considered infected.
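The two host-based checks the article gives (a file named Babylonia.exe anywhere on the disk, and the replaced autoexec.bat text) can be automated for a volume mounted on a scanning machine. This is an added example, not code from the article or from either vendor; it assumes the infected drive is mounted read-only at some path and builds a constructed sample volume to show the output.

```python
import os
import tempfile

# Host indicators reported for the current version of W95.Babylonia.
# The autoexec.bat text is matched line by line so a partial or
# reworded message still produces a hit; per the article, the indicators
# can change as soon as the author pushes new modules.
INDICATOR_FILENAME = "babylonia.exe"
AUTOEXEC_MARKERS = (
    "W95/Babylonia by Vecna",
    "Greetz to RoadKil and VirusBuster",
    "Eu boto fogo na Babilonia!",
)

def scan_autoexec_text(text):
    """Return the indicator strings present in the contents of an autoexec.bat."""
    lowered = text.lower()
    return [m for m in AUTOEXEC_MARKERS if m.lower() in lowered]

def find_indicator_files(root):
    """Walk the mounted volume and return every path named Babylonia.exe.
    Comparison is case-insensitive because DOS/Win9x file names are."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == INDICATOR_FILENAME:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def assess(root):
    """Combine both checks for a Win9x volume whose root is mounted at `root`."""
    autoexec = os.path.join(root, "autoexec.bat")
    markers = []
    if os.path.isfile(autoexec):
        with open(autoexec, "r", errors="replace") as fh:
            markers = scan_autoexec_text(fh.read())
    files = find_indicator_files(root)
    return {"infected": bool(markers or files), "files": files, "markers": markers}

def demo():
    """Constructed sample volume: an empty stand-in file (not malware) plus a
    replaced autoexec.bat carrying two of the message lines."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
        open(os.path.join(root, "WINDOWS", "SYSTEM", "BABYLONIA.EXE"), "w").close()
        with open(os.path.join(root, "autoexec.bat"), "w") as fh:
            fh.write("@echo W95/Babylonia by Vecna (c) 1999\n@echo Eu boto fogo na Babilonia!\n")
        result = assess(root)
        result["files"] = [os.path.relpath(p, root) for p in result["files"]]
        return result

if __name__ == "__main__":
    print(demo())
```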

Just remember, however: Tomorrow, all bets are off -- the symptoms could change.


Babylonia virus loses its home page

Webmaster takes down site -- virus had been first of its kind to 'phone home' and update itself.


By Bob Sullivan, MSNBC
December 8, 1999 5:35 PM PT


The Webmaster of a Japanese Web page that collects computer virus information has removed the Babylonia virus from the site, saying, "Its activity doesn't match my policy." The new virus attracted researchers' attention because it was clever enough to sneak onto a victim's computer in pieces and update itself with fresh code.

The first piece of the Babylonia virus - called the "stub" by researchers - can arrive posing as a Y2K fix. Once a user is tricked into opening it, the other four pieces are pulled onto the victim's computer from the infamous virus-hosting Web site located in Japan.

By Tuesday morning, 25 customers of the antivirus firm Symantec Corp. (Nasdaq: SYMC) were infected by W95.Babylonia, and about 25 Network Associates customers had also been infected.

Risk evaluation

The "payload" is not serious: The program does not attempt to delete or copy user files, and so far the virus has been transmitted principally in Internet Relay Chat (IRC) rooms. But Symantec says the risk is serious anyway.

"This doesn't do the damage of a worm.explorer.zip, for example, but we're still worried," Symantec researcher Eric Chien said. "At this very second the virus writer could be putting up new code on the Web site that will reformat your drive."

Victims who contract the virus have their computers directed to the Web site hosted in Japan, which is no longer operating; the virus was apparently authored by a member of the "29A" virus-writing group.

After initial infection, three additional pieces were downloaded to the victim's computer, according to Symantec. The second piece modifies the virus to display a message on boot-up; the third turns the virus into a worm that spreads over IRC; and the fourth sends e-mail to babylonia_counter@hotmail.com, probably so the virus writers can follow the program's infection rate.

Dual benefits

There are two advantages to splitting up the virus. First, the initial download is small, making infection more likely. Second, the author can later choose to change the virus and add a more destructive payload. Chien said the virus might also be changed to circumvent detection by antivirus products.

"It's the first we've ever seen that actually contacts a Web site to gather more pieces for itself," Chien said. A Java-based virus named BeanHive attempted the strategy in the past but never caused any real infections, he said. "This is the first we've seen that's effective."

The virus is unique in other ways. It's the first that's able to infect Windows help files, according to Vince Gullotto, director of Network Associates' anti-virus research team. Gullotto was also concerned that the initial virus will act like an application programming interface, allowing multiple program authors to "update" its payload.

"This guy wrote it, but the rest of his mates in 29A could be writing other applications as well," he said.

An infected machine will display the message: "W95/Babylonia by Vecna (c) 1999 Greetz to RoadKil and VirusBuster Big thankz to sok4ever webmaster. Abracos pra galera brazuca!!! Eu boto fogo na Babilonia!"