Babylonia virus loses its home page

ZDNN, US ZDNet US

Published: 09 Dec 1999 10:59 GMT


The Webmaster of a Japanese Web page that collects computer virus information has removed the Babylonia virus from the site, saying, "Its activity doesn't match my policy." The new virus attracted researchers' attention because it was clever enough to sneak onto a victim's computer in pieces and update itself with fresh code.

The first piece of the Babylonia virus -- called the "stub" by researchers -- can arrive posing as a Y2K fix. Once a user is tricked into opening it, the other four pieces are pulled onto the victim's computer from the virus-hosting Web site in Japan.

By Tuesday morning, 25 customers of the antivirus firm Symantec were infected by W95.Babylonia, and about 25 Network Associates customers had also been infected.

The "payload" is not serious: The program does not attempt to delete or copy user files, and so far the virus has been transmitted principally in Internet Relay Chat (IRC) rooms. But Symantec says the risk is serious anyway. "This doesn't do the damage of a worm.explorer.zip, for example, but we're still worried," Symantec researcher Eric Chien said. "At this very second the virus writer could be putting up new code on the Web site that will reformat your drive."

Victims' computers are directed to the Web site hosted in Japan, which is no longer operating. The virus was apparently authored by a member of the "29A" virus-writing group.

After initial infection, three additional pieces were downloaded to the victim's computer, according to Symantec. The second piece modifies the virus to display a message on boot-up; the third turns the virus into a worm that spreads over IRC; and the fourth sends email to babylonia_counter@hotmail.com, probably so the virus writers can follow the program's infection rate.

There are two advantages to splitting up the virus. First, the initial download is small, making infection more likely. Second, the author can later choose to change the virus and add a more destructive payload. Chien said the virus might also be changed to circumvent detection by antivirus products.

"It's the first we've ever seen that actually contacts a Web site to gather more pieces for itself," Chien said. A Java-based virus named BeanHive attempted the strategy in the past but never caused any real infections, he said. "This is the first we've seen that's effective."

The virus is unique in other ways. It's the first that's able to infect Windows help files, according to Vince Gullotto, director of Network Associates' anti-virus research team. Gullotto was also concerned the initial virus will act like an application programming interface, allowing multiple program authors to "update" its payload. "This guy wrote it, but the rest of his mates in 29A could be writing other applications as well," he said.

An infected machine will display the message: "W95/Babylonia by Vecna (c) 1999 Greetz to RoadKil and VirusBuster Big thankz to sok4ever webmaster. Abracos pra galera brazuca!!! Eu boto fogo na Babilonia!"
