Wednesday December 08, 1999
Experts warn of new updatable virus
Anti-virus firms have warned users of a new computer virus that spreads through Internet chat rooms and updates itself automatically with files from the Web.
"This is the tip of the iceberg," said Eric Chien, senior researcher for anti-virus software maker Symantec Corp., who stressed that the virus' capacity to upgrade itself makes it a concern. "Virus writers again are using more network-centric ideas to create viruses."
Symantec has encountered only two dozen reports of the virus, dubbed W95.Babylonia, since it was discovered on Friday, Dec. 3. Another security firm, Computer Associates Inc., has encountered only 15 reports so far. Currently, the virus infects executable (.EXE) and help (.HLP) files.
While the computer virus has not spread widely and currently has no dangerous payload, anti-virus experts fear that a better-written clone could be more effective in the future. Or, just as bad for users, the virus writer could decide to add a new payload to the virus.
Unique in that it looks to a virus-exchange Web site in Japan for updates, Babylonia is actually just an 11KB program that spreads itself when an infected file is opened and transfers updates from the Web when the host machine is online.
Virus downloads four modules
The current version downloads four modules from the Japanese virus-exchange site. The first module is just another copy of the virus, which could be used to update the virus. The second module is a text file that replaces the autoexec.bat file on the host computer with a new one containing the message:
W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!!
---
Eu boto fogo na Babilonia!
The text identifies the writer as Vecna, who Symantec claims is a member of a Latin American virus group known as 29A (or 666 in hexadecimal). The Bubbleboy virus was allegedly created by Zulu, another member of the 29A group.
The third module sends an e-mail message to a Hotmail account established to count the number of computers infected by Babylonia. The fourth module contains code that causes infected users of the mIRC chat software to send a copy of the virus to everyone in the chat room via mIRC's DCC file transfer feature.
In most cases, the chat software will notify the recipients that someone is sending them a file. However, users who have DCC downloading set to "automatic" will receive no notification. Unless the file, which masquerades as a Y2K bug fix (and is, not coincidentally, called Y2k bug fix.exe), is run, the user's computer will not be infected with the virus.
However, any or all of these aspects of the virus could change. The writer could post a new set of updates to the Web to change the copies of the virus already infecting users' machines, tweak the methods the virus uses to spread, or even add a destructive payload.
"Tomorrow, it could be using Outlook to spread," said Symantec's Chien, referring to a number of recent viruses, including Melissa and ExploreZip, that have spread by sending themselves using Microsoft Outlook and its address book.
Ironically, the ability to update a virus resembles the LiveUpdate technology that Symantec uses to keep its virus scanner current. The ability to upgrade over the Net is one the software industry has used for a few years to fix applications.
Problematic for home users
"At this point, it is a proof of concept," said Narender Mangalam, director of security products for Computer Associates. "It spreads through chat rooms; it will mainly be a problem for home users, who tend to be more lax about security."
The current form of the virus can be detected by searching for a file called Babylonia.exe on any questionable computer. In addition, computers that show the aforementioned message at startup should be considered infected.
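As an added example, not from the article or from any anti-virus vendor, the following Python scanner applies the two checks the article describes, the presence of a file named Babylonia.exe and the marker text in the rewritten autoexec.bat, and also flags the Y2k bug fix.exe lure name. The exact marker string searched for, the case-insensitive matching and the constructed sample listing are assumptions.

```python
import os
import sys

# Indicators taken from the article: the dropped file name, the lure name sent
# over mIRC DCC, and the signature line of the autoexec.bat the virus writes.
# Names are lowercased because Windows 9x file names are case-insensitive.
SUSPECT_FILENAMES = {"babylonia.exe", "y2k bug fix.exe"}
AUTOEXEC_MARKER = "w95/babylonia by vecna"  # assumed marker, matched anywhere


def check_file(path, text=None):
    """Return (indicator, path) hits for one file; `text` is the file content,
    consulted only for autoexec.bat, where the marker is matched anywhere."""
    # Split on either separator so Windows-style paths work on any host.
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    hits = []
    if name in SUSPECT_FILENAMES:
        hits.append(("suspect_file", path))
    if name == "autoexec.bat" and text is not None and AUTOEXEC_MARKER in text.lower():
        hits.append(("autoexec_marker", path))
    return hits


def scan_listing(listing):
    """Scan a {path: text_or_None} mapping, e.g. a constructed disk listing."""
    hits = []
    for path, text in listing.items():
        hits.extend(check_file(path, text))
    return hits


def scan_tree(root):
    """Walk a real directory tree and apply the same checks to every file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            text = None
            if name.lower() == "autoexec.bat":
                with open(path, encoding="latin-1", errors="replace") as f:
                    text = f.read()
            hits.extend(check_file(path, text))
    return hits


if __name__ == "__main__":
    for kind, path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}: {path}")
```

Run it against a mounted drive root; any hit is grounds to treat the machine as infected and re-scan it with current signatures.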