Babylonia virus masks itself as Y2K fix

Virus attacks masquerading as fixes to year-2000 related problems continue to plague networks, but the latest attack allows the virus' creator to install potentially damaging applications onto an infected machine.

Disguised as a year-2000 bug fix for the popular Internet Relay Chat (MIRC) system, a new worm-style virus called W95.Babylonia is currently infecting systems via newsgroup chat sites.

Babylonia is termed an extensible virus, as it will attempt to contact a Web site in Japan to download "plug-ins" onto an infected computer. Currently, those plug-ins do not carry a malicious payload, but security experts are worried that the virus creator may change the payload at any time.

"There is no plug-in right now that could cause damage, but they could add one that could cause any kind of damage," said Narender Mangalam, director of security at Computer Associates International (CA). "Currently there are really just four, but they can change them however they want."

Babylonia is more of a threat for home users than corporate networks as the MIRC chat software is not normally used for business, but the complexity of the worm, and its masquerading as a year-2000 fix, has security firms on the alert.

"It's pretty much one of the most complex ones that we've seen," said Vincent Weafer, director of Symantec's Antivirus Research Center (SARC). "Our submissions have all been from end-users and retail users and we've received this from all over the world."

Babylonia affects Windows 95 and 98 machines, not Macintosh or Unix systems, and spreads through Internet Relay Chat systems. If a chat user is infected with the worm, Babylonia will automatically send itself to all other members of the chat site.

"You go to a chat room and if someone is infected in that chat room it acts like a worm and automatically send itself to your machine," Weafer said. "That executable is disguised as a Y2K fix. It's encouraging you to look inside a file to click on it."

Following the activation of the supposed year-2000 fix attachment, the virus will infect a number of applications, in particular winhelp, the program Windows uses to open help files. As the virus is large, and users often share help files, Weafer postulates that it infects those areas to hide itself.

"By adding itself to a help file, users don't notice how bloated it is," Weafer said. "If you share a help file, it can then use that to drop the executable onto another machine."

It also copies, and renames itself, into the system directory and then scans for an active dial up connection to the Internet. Once it gets that connection open, it tries to connect itself to a known hacker and virus writer Web site in Japan.

Once connected to the Web site, the virus will download the plug-ins, including an installer and a new version of the autoexec.bat.

After installation, and the system is rebooted, the message "W95/Babylonia by Vecna (c) 1999. Greetz to RoadKil and VirusBuster, Big thankz to sok4ever webmaster, Abracos pra galera brazuca!!! Eu boto fogo na Babilonia!" will be displayed.

It also sends an e- mail message to babylonia_counter@hotmail.com, with the infected machine's name.

"They want to know how successful they were," Weafer said.

While the Web site is located in Japan, possibly due to that country's lack of regulations or laws making the distribution of viruses illegal, the virus group which wrote Babylonia, which is well-known to security firms, is actually located in Latin America, according to SARC.

"As far as I know, it's not that (Japan) allows it, it's just that they do not have a law against it," Weafer said.

Babylonia was found in a newsgroup, and security vendors recommend that chat users be careful about which groups they frequent.

"It was found on several news groups. It was found on a help file in a news group," said Computer Associates' Mangalam.

Antivirus firms, as always, recommend users update their virus identification, or DAT, files, but are also requesting that the ISP which hosts the Web site in Japan removes the site, thereby reducing the risk to infected users.

Users should also be aware that there is an obvious trend with virus writers to disguise their attacks as year-2000 fixes, and they need to be aware of what they are really downloading.

"At this point Y2K fixes coming from a source you don't know or trust, be very wary about," Weafer said.

Join the newsletter!

Error: Please check your email address.

More about CA TechnologiesINSSymantec

Show Comments

Market Place