Summary

| Included in our products from | February 2000 (3.30) |
|---|---|
| Detected by | All Sophos products |

More Information
This is a memory-resident virus that infects Windows EXE and HLP files.
The virus also patches WSOCK32.DLL in a similar manner to W32/Ska-Happy99. If you detect an infection of W95/Babylonia on your system Sophos recommends setting Sophos Anti-Virus to do a 'Full SWEEP' to detect the altered WSOCK32.DLL file. 'Full SWEEP' is a configuration option that is not enabled by default, and does not need to be set unless you have already found a W95/Babylonia infection on your computer. Please refer to the Sophos Anti-Virus documentation for your platform for details on how to enable this option if it is required.
The virus uses WSOCK32.DLL to send emails with an attached infected executable called X-MAS.EXE. The attachment is displayed as an icon with the face of Father Christmas.
When the attachment is executed, it displays two dialog boxes in succession: "API not found!" and "Windows NT required. This program will be terminated".
When an infected file is run, the virus drops a file called C:\BABYLONIA.EXE and runs it. BABYLONIA.EXE copies itself to C:\WINDOWS\SYSTEM\KERNEL32.EXE and modifies the registry so that KERNEL32.EXE runs on every startup.
KERNEL32.EXE waits until it detects a dial-up connection, contacts the homepage of a virus writers' group, downloads any available plug-in modules for this virus and executes them.
At the time of writing, the modules downloaded from the website allow the virus to spread over mIRC claiming to be a "Y2K bug fix", make the system display a greeting message on startup, and send email to a Hotmail account, allowing the virus writers to track infections.
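The persistence mechanism above (dropper, copy to C:\WINDOWS\SYSTEM\KERNEL32.EXE, registry autorun) lends itself to a simple offline triage check. The following is an added example, not Sophos code; it assumes the autorun entry lives in a standard Run key (the page does not name the key) and works on a constructed .reg export plus a constructed directory listing.

```python
"""Triage helper for the W95/Babylonia indicators described on this page.

Added example, not Sophos code. Assumptions not stated on the page: the
startup entry sits in a standard Windows Run key, and the inputs are a
REGEDIT4 export of that key plus a plain listing of the System directory.
"""
import re
from typing import Dict, List

# File names taken from the description: the dropper, the persistent copy
# and the mailed attachment.
BABYLONIA_FILES = {"BABYLONIA.EXE", "KERNEL32.EXE", "X-MAS.EXE"}

# Constructed .reg export (the key path is a real Run key; values are sample data).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Kernel32"="C:\\WINDOWS\\SYSTEM\\KERNEL32.EXE"
"""

# Constructed listing of C:\WINDOWS\SYSTEM.
SAMPLE_LISTING = ["KERNEL32.DLL", "WSOCK32.DLL", "KERNEL32.EXE", "USER32.DLL"]

_REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def suspicious_run_entries(reg_text: str) -> Dict[str, str]:
    """Return Run-key values whose command names one of the Babylonia files."""
    hits: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        # .reg files escape backslashes; unescape, then take the file name only.
        exe = m.group("data").replace("\\\\", "\\").rsplit("\\", 1)[-1].upper()
        if exe in BABYLONIA_FILES:
            hits[m.group("name")] = m.group("data")
    return hits


def exe_shadowing_system_dll(listing: List[str]) -> List[str]:
    """Flag an .EXE that reuses the base name of a DLL in the same directory
    (KERNEL32.EXE sitting beside KERNEL32.DLL is the pattern this virus uses)."""
    names = {n.upper() for n in listing}
    return sorted(n for n in names if n.endswith(".EXE") and n[:-4] + ".DLL" in names)


def triage(reg_text: str, listing: List[str]) -> List[str]:
    """Combine both checks into a list of findings; an empty list means nothing seen."""
    findings = [f"Run value {k!r} -> {v}" for k, v in suspicious_run_entries(reg_text).items()]
    findings += [f"executable shadowing a system DLL: {n}" for n in exe_shadowing_system_dll(listing)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_LISTING):
        print(finding)
```

A clean system yields an empty list from `triage`; a match on either check is a cue to run the 'Full SWEEP' described above so the altered WSOCK32.DLL is also examined.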
The virus includes the following text:
W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!!
---
Eu boto fogo na Babilonia!
