|Place of Origin||Brazil|
|File Type(s)||.exe, .dll, .hlp|
|Infection Length||11,036 bytes|
Babylonia is a virus that infects .exe files on the Windows 9x series as well as help files. It has similarities to other viruses including Happy99 for its spreading abilities and Demo for its infection of .hlp files. It was coded in Brazil by Vecna of 29A in 1999.
When a file infected with Babylonia is executed, it will not take control at first, instead patching a JMP or CALL and waiting to be called. It scans the kernel, getting Windows API function addresses and installing itself as a VxD system driver. It uses DESCRIPTOR 0 to store temporary data.
The virus allocates some memory then installs a hook in the IFS handler, then waits for access to Portable Executables, Help files and WSOCK32.DLL. Babylonia scans to see if SPIDER.VXD and AVP.VXD (antivirus libraries) are loaded and if so, patches them so they can no longer open files. The virus may still be memory resident when returning control to the host, and if so, it drops and executes its online updating module.
When Babylonia infects a portable executable, it appends itself to the last section or it may overwrite the .reloc section. CODE sections will be scanned for a suitable place to place a call to the virus. Help files are infected with a scriptthat passes control to virus code by using the callback features of the USER32 EnumWindows() API.
When accessing WSOCK32.DLL, it looks for the send() function and adds code that spreads the virus through email. A virus infected file will be attatched to any email sent by the user. There were to be six possible names for the infected attachment, but due to a bug in the code, it only sends itself out as X-MAS.exe with a Christmas-themed icon.
The virus code is compressed with the aPLib v0.22b library. Vecna optimized his old LZW compression scheme to enhance performance in speed and size, using the same algorithm as in the Fabi virus.
It will have serious problems infecting anything aside from a Windows 9x system, as it has VxD calls specific to the Windows 9x series. Windows NT and later versions of Windows can't be infected.
The Online Update Module
Babylonia uses a module dropped in the initial infection stage to receive updates from the Internet. This module will be located in the Windows System directory under the name KERNEL32.EXE. It adds this file to the local machine run key in the registry to ensure it runs when the system starts. It also hides itself in the CTRL+ALT+DEL task list, staying in the background and waiting for the user to connect to the Internet.
When the user connects to the Internet, it connects to Vecna's own page to download plug-ins for the virus. The module exits once all the plug-ins are downloaded. The plugins have a special format, containing a header ID stamp 'VMOD', then version stamp, and address of 'main' routine in the file. These 'main' routines in files are Win32 programs, the virus locates them and passes control to their code.
Babylonia was apparently released into the wild. It was not known to have spread very far or wide. Computer Associates found only 15 reported cases of the virus.
Appearing in the same year as Melissa, ExploreZip and other email and network-aware threats, researchers took note of this virus's interesting use of the Internet, not just for its spreading, but also its update and plug-in capabilities. Similar methods would be used with the botnets of the 2000s. Vecna himself would write a worm in the next year named Hybris, which used similar update methods. Four modules are known for the virus.
Vecna. 29A Magazine, Isue 4, W95/Babylonia.11036. 1999
Eugene Kaspersky, AVP Team. F-Secure Antivirus, Threat Description: Babylonia
Robert Lemos. ZDNet, Experts warn of new, updatable virus. 1999.12.07