W95/Babylonia
aka
Babylonia.exe, W95.Babylonia,
W95/Babylonia, W95/Babylonia.bat,
W95/Babylonia.hlp, W95/Babylonia.irc,
W95/Babylonia.plugin

The virus uses WSOCK32.DLL to send emails with an attached infected executable called X-MAS.EXE. The attachment is displayed as an icon with the face of Father Christmas. When the attachment is executed, it displays two dialog boxes in succession: "API not found!" and "Windows NT required. This program will be terminated" 

This is a virus first distributed on the newsgroup 'alt.crackers' in the form of a
 "help" file named "serialz.hlp" on Dec 3, 1999. AVERT started to receive samples of this virus soon after this was posted. It was suggested to be help file with 17,000 serial numbers of registered products however it is not. The origin of this virus is Brazil.  

The original file posted is 40,637 bytes, and if run, will infect PE files of EXE and HLP extension on the local Windows 9x system. A file is written to the local system named "KERNEL32.EXE" size 4096 bytes and the system registry is modified to load this at system startup- 

HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows\CurrentVersion\Run
KERNEL32.EXE="KERNEL32.EXE"  

The KERNEL32.EXE process uses the following DLLs to monitor internet connection: 

C:\WINDOWS\SYSTEM\WSOCK32.DLL 
C:\WINDOWS\SYSTEM\WININET.DLL 
C:\WINDOWS\SYSTEM\SHLWAPI.DLL 
C:\WINDOWS\SYSTEM\USER32.DLL 
C:\WINDOWS\SYSTEM\GDI32.DLL 
C:\WINDOWS\SYSTEM\ADVAPI32.DLL 
C:\WINDOWS\SYSTEM\KERNEL32.DLL 

In some cases, the files infected are damaged due to overwriting existing code or data. For example in testing, MS Outlook gave this error when run after being infected-  

OUTLOOK caused an invalid page fault in module KERNEL32.DLL at 0137:bff9a141.  

The virus will monitor for internet connection and if made, will attempt to connect to a website hosted in Japan and maintained by a Virus authoring group to download 'components' of the virus. The components are listed in a file named "virus.txt" - the names on the list are then used to download the other named files to the local system. When all files are downloaded, this virus will use them to further spread.  

If mIRC is installed, this virus will modify the script.ini configuration file to automatically send itself as the file "2KBug-MircFix.exe" when connecting to irc channels on the internet.  

The virus uses Wsock32.dll in order to send an email notification to the email address "babylonia_counter" at hotmail.com and the 'from:' information is set to "babylonia" at rasta.net. This possibly is to track the number of infections for statistical purposes.  

Strings within one of the downloaded components suggests that the virus monitors the system clock waiting for the right time to modify the AUTOEXEC.BAT with the following text:  

echo W95/Babylonia by Vecna (c) 1999 
echo Greetz to RoadKil and VirusBuster 
echo Big thankz to sok4ever webmaster 
echo Abracos pra galera brazuca!!! 
echo --- 
echo Eu boto fogo na Babilonia! 

All components of this virus will be detected according to their file content, including the modified AUTOEXEC.BAT.  

Indications Of Infection 
Sending a file automatically when connecting to irc channels - EXE and HLP files increase in size or fail with illegal page fault errors as mentioned above. 
Existence of "KERNEL32.EXE" (not KERNEL32.DLL!!), registry modification as mentioned above.  

Removal Instructions 
Use current engine and provided DAT files for detection only. AVERT recommends the following course of action for prevention and removal:  

    1. Use IP filtering (WebScanx/WebShield SMTP) to block the IP address of the domain responsible for hosting the virus components downloaded- "210.169.20.21" - block any accesses to it and log anyone who attempts to access it  

    2. Replacing files detected with backup copies or from installation software  

    3. If IRC software is installed such as mIRC, read the section below regarding "IRC File Distribution Prevention Method"  

    3. Remove registry entry mentioned above as a final cleanup measure.  

    Prevention Method 
Always use caution if receiving files from others on IRC channels.
Although a percentage of files are safe, sharing of files is the common breeding ground for virus spreading and distribution. Use these common usage rules to minimize the risk of receiving or spreading a virus- 

    1. Only accept files from people that you know and trust. Never accept files from people you don't know and never accept files without knowing their full 
purpose.  

    2. Files of executable extension such as .BAT, .EXE, .COM, .HLP, .DLL should never be accepted from others as they have the most potential to cause problems or be infected.  

    3. Scripts should not be accepted from others you do not know. Automation is another factor in the distribution of viruses and trojans.  

    4. Files which support macros should not be accepted, or if they are accepted, make sure to have macro virus protection enabled. If you are unable to verify if macro virus protection is enabled, use alternate viewers such as QuickView or Wordpad as they do not support macros. Office97 applications have viewers available from Microsoft such as Word97 Viewer. Using alternate viewers will minimize the risk of spreading macro virus infections.  

    5. Use Antivirus software to scan all files received on IRC channels. This is not a sure-fire way of detecting all viruses however known viruses can be prevented from running if vigilant scanning techniques are used.  

    6. Some IRC software applications such as mIRC support security settings or options to disable certain functions such as "send" or "get" and commands such as "/run" and "/dll". AVERT recommends setting these options if applicable. If your application supports changing options on "DCC" settings, choose to prompt or ignore requests for file send or receive transactions.