W95.Babylonia


Aliases: W95/Babylonia.bat, W95/Babylonia.hlp, W95/Babylonia.irc
Variants: W95/Babylonia.plugin, W95/Babylonia

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Dec 1999
Damage: Low

Characteristics: W95.Babylonia is a Windows-based virus with worm capabilities that resides in the system's memory. It infects executable and help files. It downloads virus components from the Internet and installs the downloaded components on the infected computer.

More details about W95.Babylonia

W95.Babylonia is a virus with the ability to download “plugin components” from the Internet. The downloaded plugins are used by the virus to spread and propagate by means of IRC, SMTP email, and/or local system infection. The virus infects files with .exe and .hlp extensions. When it is activated on a system, it installs itself as a system driver and then creates an executable file called KERNEL32.exe, 4,096 bytes in size. This file monitors the system for an active Internet connection. The virus then creates an additional 4 KB executable file in the root directory, C:\BABYLONIA.EXE, a standalone virus component that provides additional virus functions. W95.Babylonia was first posted and released in the form of a help file containing serial numbers of registered products.

When Babylonia.exe is executed, it copies itself to the system folder and adds a value to a system registry key. This results in a hidden application running in the background every time Windows starts. It then checks whether an application named “Rnaapp.exe” is running by enumerating the active processes on the system. When “Rnaapp.exe” is detected, W95.Babylonia connects to a virus-writing group’s website and downloads a text file named Virus.txt. This text file contains a list of file names that are downloaded and executed one by one, completing the virus components hosted on the infected machine.
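As an added example (not part of the original entry), a Python triage check that scans a snapshot of file paths, sizes and running process names for the artifacts the entry describes: KERNEL32.exe in the system folder, C:\BABYLONIA.EXE in the drive root, and a resident kernel32.exe process. The size tolerance and the sample snapshots are constructed assumptions.

```python
import ntpath
from typing import Dict, List

# Indicators taken from the W95.Babylonia entry. KERNEL32.exe is documented as
# exactly 4,096 bytes; C:\BABYLONIA.EXE only as "4kb", so it gets a tolerance.
# The tolerance value is an assumption, not a figure from the entry.
KERNEL32_EXE_SIZE = 4096
BABYLONIA_EXE_SIZE = 4096
BABYLONIA_TOLERANCE = 512


def check_snapshot(files: Dict[str, int], processes: List[str]) -> List[str]:
    """files maps a full Windows path to its size in bytes; processes lists
    running image names. Returns one finding string per matched indicator."""
    findings = []
    for path, size in files.items():
        _drive, tail = ntpath.splitdrive(path)  # ntpath parses C:\ paths on any OS
        name = ntpath.basename(tail).lower()
        in_root = ntpath.dirname(tail) in ("\\", "/")
        if name == "kernel32.exe":
            # kernel32.dll is the legitimate library; an .exe by that name is not a
            # Windows component, so it is flagged whether or not the size matches.
            if size == KERNEL32_EXE_SIZE:
                findings.append(f"{path}: kernel32.exe, size matches documented 4,096 bytes")
            else:
                findings.append(f"{path}: kernel32.exe present (size {size}, documented 4,096)")
        elif name == "babylonia.exe" and in_root:
            close = abs(size - BABYLONIA_EXE_SIZE) <= BABYLONIA_TOLERANCE
            findings.append(f"{path}: standalone component in drive root, size {size}"
                            + (" (~4 KB as documented)" if close else ""))
    if "kernel32.exe" in {p.lower() for p in processes}:
        findings.append("process kernel32.exe is running (resident monitoring component)")
    return findings


# Constructed sample snapshots: a clean host and one matching the description.
CLEAN = {r"C:\WINDOWS\SYSTEM\KERNEL32.DLL": 471040, r"C:\AUTOEXEC.BAT": 120}
INFECTED = {r"C:\WINDOWS\SYSTEM\KERNEL32.exe": 4096, r"C:\BABYLONIA.EXE": 4096,
            r"C:\WINDOWS\SYSTEM\KERNEL32.DLL": 471040}

if __name__ == "__main__":
    for line in check_snapshot(INFECTED, ["Explorer.exe", "Rnaapp.exe", "KERNEL32.exe"]):
        print(line)
```

On a live host the files mapping can be built with os.walk and os.path.getsize over the system drive, and the process list from the task manager or a process-enumeration tool.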